In reply to @esperlily:matrix.org
but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing

                        // Copy the actual file, not the symlink, because we don't know where
                        // the symlink is pointing, and we don't want to chase down the entire
                        // chain.
                        //
                        // This means if your network config changes during a FOD build,
                        // the DNS in the sandbox will be wrong. However, this is pretty unlikely
                        // to actually be a problem, because FODs are generally pretty fast,
                        // and machines with often-changing network configurations probably
                        // want to run resolved or some other local resolver anyway.
                        //
                        // There's also just no simple way to do this correctly, you have to manually
                        // inotify watch the files for changes on the outside and update the sandbox
                        // while the build is running (or at least that's what Flatpak does).
                        //
                        // I also just generally feel icky about modifying sandbox state under a build,
                        // even though it really shouldn't be a big deal. -K900
…
                        // For the same reasons as above, copy the CA certificates file too.
                        // It should be even less likely to change during the build than
                        // resolv.conf.

In reply to @esperlily:matrix.org
why spend time copying the file on every FOD build when we could just not copy it?

In reply to @esperlily:matrix.org
i mean what i'm suggesting would be unsandboxed Linux too, though i don't know who actually runs without the sandbox on Linux