| 28 Jul 2025 |
 raitobezarius | In reply to @emilazy:matrix.org
useChroot means "use sandbox" on macOS there's only 2 levels of sandbox policy? | 01:58:18 |
 emily | unfortunately I have roughly a year's worth of 2 hour high-impact tasks to get through | 01:58:26 |
| raitobezarius | i hate this boolean so hard | 01:58:28 |
| emily | three | 01:58:32 |
| raitobezarius | so as soon sandbox is used, this is going to be fucked | 01:58:52 |
 EsperLily [she/her] | useChroot is initialized based off of the sandbox setting. it's true if sandbox is enabled, or if sandbox is relaxed and the derivation is input-addressed. it's false if sandbox is disabled | 01:59:05 |
| raitobezarius | ok, I got a gist of the problem | 01:59:17 |
| raitobezarius | I will try to fix this tomorrow | 01:59:20 |
| emily | I'm confused | 01:59:23 |
| emily | I think the current behaviour is fine? | 01:59:34 |
| emily | we copy on Linux and we copy on Darwin | 01:59:37 |
| raitobezarius | let me just verify that the path we pass in the environment | 01:59:50 |
| raitobezarius | are right | 01:59:51 |
| EsperLily [she/her] | my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file | 01:59:57 |
| raitobezarius | In reply to @esperlily:matrix.org
my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file ok, but why do that optimization at all? | 02:00:24 |
| EsperLily [she/her] | but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing | 02:00:26 |
| emily | the copying was intentional and already present before | 02:00:53 |
| EsperLily [she/her] | why spend time copying the file on every FOD build when we could just not copy it? | 02:00:55 |
| emily | to avoid mutation/weird file types/… | 02:01:00 |
 jade_ | mood lmao | 02:01:21 |
| raitobezarius | In reply to @esperlily:matrix.org
but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing right | 02:01:23 |
| emily | // Copy the actual file, not the symlink, because we don't know where
// the symlink is pointing, and we don't want to chase down the entire
// chain.
//
// This means if your network config changes during a FOD build,
// the DNS in the sandbox will be wrong. However, this is pretty unlikely
// to actually be a problem, because FODs are generally pretty fast,
// and machines with often-changing network configurations probably
// want to run resolved or some other local resolver anyway.
//
// There's also just no simple way to do this correctly, you have to manually
// inotify watch the files for changes on the outside and update the sandbox
// while the build is running (or at least that's what Flatpak does).
//
// I also just generally feel icky about modifying sandbox state under a build,
// even though it really shouldn't be a big deal. -K900
…
// For the same reasons as above, copy the CA certificates file too.
// It should be even less likely to change during the build than
// resolv.conf.
| 02:01:37 |
| raitobezarius | In reply to @esperlily:matrix.org
why spend time copying the file on every FOD build when we could just not copy it? to reduce code complexity imho | 02:01:40 |
| raitobezarius | but also, there's the whole reasoning emily is giving | 02:01:50 |
| raitobezarius | which might be stronger here | 02:01:53 |
| EsperLily [she/her] | the copying was present on Linux, with chroot. it wasn't present outside of the chroot, and it wasn't present on darwin | 02:02:03 |
| raitobezarius | like registerOutputs does a lot of these optimizations | 02:02:04 |
| raitobezarius | and this is a maintenance challenge | 02:02:23 |
| emily | on Darwin the functionality was just broken | 02:02:33 |
| raitobezarius | I feel like we want to move more into the direction of sandboxed builds in Darwin | 02:02:38 |
