| 28 Jul 2025 |
 emily | it's probably like one of twenty things | 01:53:57 |
 raitobezarius | neat | 01:54:22 |
| emily | eventually I will convince someone that Instruments is actually good and snipe them into finding the other 19 :P | 01:54:22 |
| * raitobezarius set someone to emilazy | 01:54:33 |
 EsperLily [she/her] | doesn't it? on darwin, no chroot means the sandbox is ```
(version 1)
(allow default) | 01:56:32 |
| EsperLily [she/her] | oops | 01:56:34 |
| raitobezarius | In reply to @esperlily:matrix.org
doesn't it? on darwin, no chroot means the sandbox is ```
(version 1)
(allow default) yes and allow-setuid no | 01:56:45 |
| raitobezarius | basically | 01:56:46 |
| EsperLily [she/her] | * doesn't it? on darwin, no chroot means the sandbox is ```
(version 1)
(allow default)
(deny file-write-setugid)
| 01:56:53 |
| EsperLily [she/her] | * doesn't it? on darwin, no chroot means the sandbox is (version 1) (allow default) (deny file-write-setugid) | 01:57:02 |
 jade_ | theres so many bugs that are just "lol someone needs to spend 2h finding them" that are massive impact :V | 01:57:11 |
| raitobezarius | In reply to @raitobezarius:matrix.org
basically the problem is that chroot or no chroot doesn't tell me if there's a sandbox policy that prevent me from reading outside of the Nix store | 01:57:33 |
| raitobezarius | or the build directory | 01:57:36 |
| raitobezarius | so to simplify things, i can just assume that i can NEVER read outside of these directories | 01:57:46 |
| raitobezarius | which would be the maximum sandbox policy applied | 01:57:54 |
| raitobezarius | right? | 01:57:55 |
| emily | useChroot means "use sandbox" on macOS | 01:57:59 |
| raitobezarius | (do note that it's 4am and i'm stupid) | 01:58:02 |
| raitobezarius | In reply to @emilazy:matrix.org
useChroot means "use sandbox" on macOS there's only 2 levels of sandbox policy? | 01:58:18 |
| emily | unfortunately I have roughly a year's worth of 2 hour high-impact tasks to get through | 01:58:26 |
| raitobezarius | i hate this boolean so hard | 01:58:28 |
| emily | three | 01:58:32 |
| raitobezarius | so as soon sandbox is used, this is going to be fucked | 01:58:52 |
| EsperLily [she/her] | useChroot is initialized based off of the sandbox setting. it's true if sandbox is enabled, or if sandbox is relaxed and the derivation is input-addressed. it's false if sandbox is disabled | 01:59:05 |
| raitobezarius | ok, I got a gist of the problem | 01:59:17 |
| raitobezarius | I will try to fix this tomorrow | 01:59:20 |
| emily | I'm confused | 01:59:23 |
| emily | I think the current behaviour is fine? | 01:59:34 |
| emily | we copy on Linux and we copy on Darwin | 01:59:37 |
| raitobezarius | let me just verify that the path we pass in the environment | 01:59:50 |
