| 27 Jul 2025 |
 raitobezarius | i have 2 more M2 in the pipeline | 16:10:48 |
 emily | I have not measured it. I think it's not optimal but it's much better than in the pre-Apple Silicon days or on non-macOS hosts | 16:10:53 |
| raitobezarius | but I didn't set them up because Darwin sysadmin is not yet pleasant to me | 16:10:56 |
| raitobezarius | But also I can just have MDM on them | 16:11:07 |
| raitobezarius | So maybe it's fine to just reinit them daily or something? | 16:11:17 |
| raitobezarius | Thoug | 16:11:28 |
| raitobezarius | h | 16:11:29 |
| raitobezarius | The most most most important thing is abuse vector | 16:11:34 |
| raitobezarius | If we disable the sandbox and someone writes something in a test that will respawn a new task and DoS something | 16:11:54 |
| raitobezarius | it's annoying | 16:11:56 |
| raitobezarius | I guess, the VM technique here would close this down | 16:12:11 |
| emily | with _NIX_TEST_NO_SANDBOX=1 you allow setuid bits in builds again | 16:12:27 |
| emily | compared to even --option sandbox false | 16:12:32 |
| emily | that's basically the only change | 16:12:40 |
| raitobezarius | So, a VM is absolutely necessary in fact | 16:12:47 |
| emily | well I dunno. it's probably trivial to own the box with --option sandbox false already | 16:13:05 |
| emily | well | 16:13:24 |
| emily | "trivial" :) | 16:13:25 |
| raitobezarius | so dropping Darwin | 16:13:27 |
| emily | it's probably hard | 16:13:33 |
| emily | but it's somewhat scary still | 16:13:43 |
| raitobezarius | In reply to @gilice:matrix.org
sent a file. this is freaking awesome, thank you so much!! | 16:13:44 |
| emily | 2× VM per physical host, always rolled back between builds, is what would make me feel comfortable doing builds sans sandbox | 16:14:10 |
| emily | ofc this requires integration work with e.g. tart | 16:14:35 |
| raitobezarius | i mean one physical host cannot afford much more than one VM I think | 16:14:37 |
| emily | but shouldn't be too bad | 16:14:37 |
| raitobezarius | In reply to @emilazy:matrix.org
ofc this requires integration work with e.g. tart if you open an issue with pointers, i can take a look | 16:14:47 |
| raitobezarius | but i cannot embark on a self learning journey with tart :D | 16:14:55 |
| emily | then one job slot? | 16:14:59 |
| emily | if I context switch much more I'll drop the ball on stuff I need to do first :) but I will try to open an issue today | 16:15:23 |
