| 26 Jul 2025 |
 emily | it does not | 01:31:37 |
 raitobezarius | so… logicalTargetPath needs to be coerced to the physical location path if we cannot chroot at all | 01:31:42 |
| raitobezarius | and… that should be sufficient, right? | 01:31:55 |
| emily | I believe you're going to recreate the complexity of https://gerrit.lix.systems/c/lix/+/2906 that lead to the store path proposal | 01:32:00 |
| raitobezarius | (and the variable should be renamed) | 01:32:02 |
| raitobezarius | In reply to @emilazy:matrix.org
I believe you're going to recreate the complexity of https://gerrit.lix.systems/c/lix/+/2906 that lead to the store path proposal why would that whole canonicalization be required at all | 01:32:34 |
| raitobezarius | if the CA file appears inside the scratch path of the derivation being built | 01:32:45 |
| raitobezarius | that whole canonicalization seems to intervene without trying to copying the CA file and just giving access to it | 01:33:13 |
| raitobezarius | or am I missing something? | 01:33:25 |
| raitobezarius | put in another way: canonicalization takes place in XNU which will perform POSIX path resolution for me when I copy the file inside the scratch path
all I need to do: get right the logicalTargetPath to export | 01:34:19 |
| raitobezarius | reminder: I copy before entering into the sandbox | 01:34:25 |
| raitobezarius | (-2ed with your remark) | 01:35:18 |
| emily | okay, yes, that solves canonicalization | 01:35:19 |
| emily | this is copying 500 KiB+ on every FOD however | 01:35:38 |
| emily | I would expect that to have measurable perf impact but I'm not certain | 01:35:54 |
| raitobezarius | on Darwin only | 01:36:01 |
| raitobezarius | hmmm | 01:36:21 |
| raitobezarius | I see two family of users of caFile | 01:36:52 |
| raitobezarius | corporate users with their corporate VPN | 01:36:56 |
| raitobezarius | and | 01:36:57 |
| raitobezarius | debugging users with their interception CA | 01:37:03 |
| raitobezarius | The latter doesn't really care about performance I would imagine | 01:37:41 |
| emily | it is set for every nix-darwin user | 01:37:46 |
| raitobezarius | In reply to @emilazy:matrix.org
it is set for every nix-darwin user oh god | 01:37:53 |
| emily | this is the correct thing to do | 01:37:58 |
| emily | Nixpkgs using its own cacert is bad | 01:38:04 |
| emily | we should move to a world where every user has their certs injected | 01:38:12 |
| raitobezarius | I mean, I see both sides of the arguments | 01:38:27 |
| emily | reproducibility of old Nixpkgs can suffer from hosts moving to CAs that didn't exist at the time | 01:38:29 |
| raitobezarius | We have cacert maintainer in this room : > | 01:38:32 |
