| 27 Jul 2025 |
raitobezarius | I wonder if we should just build a test for it | 16:06:08 |
raitobezarius | In reply to @emilazy:matrix.org: "I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1." CI builders live themselves in a user namespace | 16:06:21 |
raitobezarius | or on the baremetal for some of them | 16:06:26 |
emily | macOS | 16:06:27 |
emily | no such thing | 16:06:30 |
raitobezarius | ah yes | 16:06:31 |
K900 | The actual problem this fixed was some convoluted symlink setup that I forgot why it's like that | 16:06:33 |
raitobezarius | for macOS, they live on the baremetal | 16:06:42 |
raitobezarius | there's no true threat model | 16:06:44 |
emily | so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on? | 16:07:00 |
raitobezarius | In reply to @emilazy:matrix.org: "so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on?" I'm like almost certain that the Nix sandbox isn't even turned on on these builders yep | 16:07:19 |
raitobezarius | Basically, all of this is blocked on Darwin sysadmin | 16:07:27 |
emily | it's not because if it was you'd have caught the UDS regression 😆 | 16:07:33 |
raitobezarius | sowwy | 16:07:42 |
emily | even ofborg insisted on the sandbox to remove the allow list of users on Darwin :P | 16:07:46 |
emily | but ok | 16:07:50 |
raitobezarius | But if you open an issue in Lix regarding this | 16:07:54 |
raitobezarius | and you put the requirements for the CI | 16:07:59 |
raitobezarius | I can take a look once I have some Darwin sysadmin to dedicate | 16:08:05 |
emily | why does that sound like it's going to get assigned to me? :) | 16:08:17 |
raitobezarius | (I know I make you all open issues, but I swear we close them, right?) | 16:08:20 |
emily | I put up https://gerrit.lix.systems/c/lix/+/3521 FWIW although I ran out of time box and didn't fix it | 16:08:26 |
raitobezarius | In reply to @emilazy:matrix.org: "why does that sound like it's going to get assigned to me? :)" I doubt :P | 16:08:36 |
raitobezarius | Root access to the CI builders is not a simple decision | 16:08:46 |
emily | frankly, I am not sure what the actual desired threat model is so I'm not sure what the requirements would be to have Darwin sandbox testing without breaking it | 16:08:50 |
emily | (I'm not even sure if running CI requires manual approval) | 16:09:18 |
raitobezarius | What I'm planning to do to our CI builders is to have them go through reinitialization daily or something | 16:09:21 |
raitobezarius | So I am not afraid of an attacker getting persistence | 16:09:44 |
raitobezarius | Network isolation should be fine as well | 16:09:51 |
emily | you could just have a macOS host that only runs a macOS VM and restores it to a snapshot before every build | 16:09:54 |