| 27 Jul 2025 |
raitobezarius | i got bitten by trying to test if repair worked on darwin as well like this yesterday | 16:05:24 |
aloisw | [In reply to @raitobezarius:matrix.org: "so broken symlinks would surface as an exception and break the setup"] I think "broken symlink" may actually have been about the file being a symlink which is bound and the target not existing in the sandbox. | 16:05:39 |
K900 | [In reply to @raitobezarius:matrix.org: "https://git.lix.systems/lix-project/lix/commit/b469c6509ba616da6df8a27e4ccb205a877c66c9"] No | 16:05:48 |
K900 | But I was worried it could happen | 16:05:53 |
emily | I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1. | 16:06:06 |
raitobezarius | I wonder if we should just build a test for it | 16:06:08 |
raitobezarius | [In reply to @emilazy:matrix.org: "I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1."] CI builders live themselves in a user namespace | 16:06:21 |
raitobezarius | or on the baremetal for some of them | 16:06:26 |
emily | macOS | 16:06:27 |
emily | no such thing | 16:06:30 |
raitobezarius | ah yes | 16:06:31 |
K900 | The actual problem this fixed was some convoluted symlink setup that I forgot why it's like that | 16:06:33 |
raitobezarius | for macOS, they live on the baremetal | 16:06:42 |
raitobezarius | there's no true threat model | 16:06:44 |
emily | so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on? | 16:07:00 |
raitobezarius | [In reply to @emilazy:matrix.org: "so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on?"] I'm like almost certain that the Nix sandbox isn't even turned on on these builders yep | 16:07:19 |
raitobezarius | Basically, all of this is blocked on Darwin sysadmin | 16:07:27 |
emily | it's not because if it was you'd have caught the UDS regression 😆 | 16:07:33 |
raitobezarius | sowwy | 16:07:42 |
emily | even ofborg insisted on the sandbox to remove the allow list of users on Darwin :P | 16:07:46 |
emily | but ok | 16:07:50 |
raitobezarius | But if you open an issue in Lix regarding this | 16:07:54 |
raitobezarius | and you put the requirements for the CI | 16:07:59 |
raitobezarius | I can take a look once I have some Darwin sysadmin to dedicate | 16:08:05 |
emily | why does that sound like it's going to get assigned to me? :) | 16:08:17 |
raitobezarius | (I know I make you all open issues, but I swear we close them, right?) | 16:08:20 |
emily | I put up https://gerrit.lix.systems/c/lix/+/3521 FWIW although I ran out of time box and didn't fix it | 16:08:26 |
raitobezarius | [In reply to @emilazy:matrix.org: "why does that sound like it's going to get assigned to me? :)"] I doubt :P | 16:08:36 |
raitobezarius | Root access to the CI builders is not a simple decision | 16:08:46 |
emily | frankly, I am not sure what the actual desired threat model is so I'm not sure what the requirements would be to have Darwin sandbox testing without breaking it | 16:08:50 |