| 28 Jul 2025 |
 raitobezarius | are right | 01:59:51 |
 EsperLily [she/her] | my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file | 01:59:57 |
| raitobezarius | In reply to @esperlily:matrix.org
my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file ok, but why do that optimization at all? | 02:00:24 |
| EsperLily [she/her] | but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing | 02:00:26 |
 emily | the copying was intentional and already present before | 02:00:53 |
| EsperLily [she/her] | why spend time copying the file on every FOD build when we could just not copy it? | 02:00:55 |
| emily | to avoid mutation/weird file types/… | 02:01:00 |
 jade_ | mood lmao | 02:01:21 |
| raitobezarius | In reply to @esperlily:matrix.org
but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing right | 02:01:23 |
| emily | // Copy the actual file, not the symlink, because we don't know where
// the symlink is pointing, and we don't want to chase down the entire
// chain.
//
// This means if your network config changes during a FOD build,
// the DNS in the sandbox will be wrong. However, this is pretty unlikely
// to actually be a problem, because FODs are generally pretty fast,
// and machines with often-changing network configurations probably
// want to run resolved or some other local resolver anyway.
//
// There's also just no simple way to do this correctly, you have to manually
// inotify watch the files for changes on the outside and update the sandbox
// while the build is running (or at least that's what Flatpak does).
//
// I also just generally feel icky about modifying sandbox state under a build,
// even though it really shouldn't be a big deal. -K900
…
// For the same reasons as above, copy the CA certificates file too.
// It should be even less likely to change during the build than
// resolv.conf.
| 02:01:37 |
| raitobezarius | In reply to @esperlily:matrix.org
why spend time copying the file on every FOD build when we could just not copy it? to reduce code complexity imho | 02:01:40 |
| raitobezarius | but also, there's the whole reasoning emily is giving | 02:01:50 |
| raitobezarius | which might be stronger here | 02:01:53 |
| EsperLily [she/her] | the copying was present on Linux, with chroot. it wasn't present outside of the chroot, and it wasn't present on darwin | 02:02:03 |
| raitobezarius | like registerOutputs does a lot of these optimizations | 02:02:04 |
| raitobezarius | and this is a maintenance challenge | 02:02:23 |
| emily | on Darwin the functionality was just broken | 02:02:33 |
| raitobezarius | I feel like we want to move more into the direction of sandboxed builds in Darwin | 02:02:38 |
| jade_ | same, but i am not sure how to do it without even more user facing complexity and weird knobs | 02:02:57 |
| raitobezarius | so I prefer to less invest into optimizations that benefit solely unsandboxed Darwin EXCEPT if this is a performance dealbreaker | 02:03:04 |
| raitobezarius | (s/Darwin// tbh, it's not about Darwin specifically) | 02:03:38 |
| EsperLily [she/her] | i mean what i'm suggesting would be unsandboxed Linux too, though i don't know who actually runs without the sandbox on Linux | 02:03:39 |
| jade_ | i want a better "unsandboxed" darwin sandbox. but that means that the default needs to be sandbox = relaxed, but then derivations have to be able to say "sandbox ok but not a strong one" and aaaaghgg | 02:03:39 |
| jade_ | docker | 02:03:45 |
| raitobezarius | In reply to @esperlily:matrix.org
i mean what i'm suggesting would be unsandboxed Linux too, though i don't know who actually runs without the sandbox on Linux Debian 10 | 02:03:48 |
| jade_ | okay but we don't care about debian making horrible packaging choices :P | 02:04:00 |
| jade_ | that's a them problem | 02:04:04 |
| raitobezarius | yes, but this is a truth | 02:04:04 |
| emily | it's mostly Nixpkgs work that's required to tighten the Darwin sandbox | 02:04:05 |
| raitobezarius | and this has consequences | 02:04:10 |
