| 27 Jul 2025 |
 emily | even ofborg insisted on the sandbox to remove the allow list of users on Darwin :P | 16:07:46 |
| emily | but ok | 16:07:50 |
 raitobezarius | But if you open an issue in Lix regarding this | 16:07:54 |
| raitobezarius | and you put the requirements for the CI | 16:07:59 |
| raitobezarius | I can take a look once I have some Darwin sysadmin to dedicate | 16:08:05 |
| emily | why does that sound like it's going to get assigned to me? :) | 16:08:17 |
| raitobezarius | (I know I make you all open issues, but I swear we close them, right?) | 16:08:20 |
| emily | I put up https://gerrit.lix.systems/c/lix/+/3521 FWIW although I ran out of time box and didn't fix it | 16:08:26 |
| raitobezarius | In reply to @emilazy:matrix.org
why does that sound like it's going to get assigned to me? :) I doubt :P | 16:08:36 |
| raitobezarius | Root access to the CI builders is not a simple decision | 16:08:46 |
| emily | frankly, I am not sure what the actual desired threat model is so I'm not sure what the requirements would be to have Darwin sandbox testing without breaking it | 16:08:50 |
| emily | (I'm not even sure if running CI requires manual approval) | 16:09:18 |
| raitobezarius | What I'm planning to do to our CI builders is to have go through reinitialization daily or something | 16:09:21 |
| raitobezarius | So I am not afraid of about an attacker getting persistence | 16:09:44 |
| raitobezarius | Network isolation should be fine as well | 16:09:51 |
| emily | you could just have a macOS host that only runs a macOS VM and restores it to a snapshot before every build | 16:09:54 |
| raitobezarius | The only thing I am not sure about is abuse | 16:09:55 |
| emily | and EULA says you can run two of these at a time | 16:09:57 |
| emily | then compromise of the builder VM should be low impact | 16:10:08 |
| raitobezarius | how is the performance penalty of macOS virtualization on macOS? | 16:10:26 |
| emily | (but I don't know what the current concurrency is) | 16:10:29 |
| raitobezarius | we have 2 job slots for macOS right now | 16:10:39 |
| raitobezarius | it's our slowest machine type | 16:10:44 |
| raitobezarius | i have 2 more M2 in the pipeline | 16:10:48 |
| emily | I have not measured it. I think it's not optimal but it's much better than in the pre-Apple Silicon days or on non-macOS hosts | 16:10:53 |
| raitobezarius | but I didn't set them up because Darwin sysadmin is not yet pleasant to me | 16:10:56 |
| raitobezarius | But also I can just have MDM on them | 16:11:07 |
| raitobezarius | So maybe it's fine to just reinit them daily or something? | 16:11:17 |
| raitobezarius | Thoug | 16:11:28 |
| raitobezarius | h | 16:11:29 |
