| 27 Jul 2025 |
 raitobezarius | did you notice files changing on the fly or not mid-builds? | 16:03:49 |
| raitobezarius | emily fwiw, i'm redoing the testing stuff | 16:04:10 |
 K900 | What | 16:04:22 |
| raitobezarius | i'm going to split into a sandboxed-ca.sh and unsandboxed-ca.sh test suite | 16:04:22 |
 emily | because of issues with Darwin sandbox testing? | 16:04:36 |
| raitobezarius | In reply to @k900:0upti.me
What https://git.lix.systems/lix-project/lix/commit/b469c6509ba616da6df8a27e4ccb205a877c66c9 | 16:04:36 |
| raitobezarius | In reply to @emilazy:matrix.org
because of issues with Darwin sandbox testing? because there's no such thing as building in a diverted store with Darwin | 16:04:49 |
| raitobezarius | and also because we cannot do sandbox indeed | 16:05:00 |
| emily | diverted store = chroot store? | 16:05:10 |
| raitobezarius | yep | 16:05:13 |
| raitobezarius | i got bitten by trying to test if repair worked on darwin as well like this yesterday | 16:05:24 |
 aloisw | In reply to @raitobezarius:matrix.org
so broken symlinks would surface as an exception and break the setup I think "broken symlink" may actually have been about the file being a symlink which is bound and the target not existing in the sandbox. | 16:05:39 |
| K900 | In reply to @raitobezarius:matrix.org
https://git.lix.systems/lix-project/lix/commit/b469c6509ba616da6df8a27e4ccb205a877c66c9 No | 16:05:48 |
| K900 | But I was worried it could happen | 16:05:53 |
| emily | I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1. | 16:06:06 |
| raitobezarius | I wonder if we should just build a test for it | 16:06:08 |
| raitobezarius | In reply to @emilazy:matrix.org
I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1. CI builders lives themselves in a user namespace | 16:06:21 |
| raitobezarius | or on the baremetal for some of them | 16:06:26 |
| emily | macOS | 16:06:27 |
| emily | no such thing | 16:06:30 |
| raitobezarius | ah yes | 16:06:31 |
| K900 | The actual problem this fixed was some convoluted symlink setup that I forgot why it's like that | 16:06:33 |
| raitobezarius | for macOS, they live on the baremetal | 16:06:42 |
| raitobezarius | there's no true threat model | 16:06:44 |
| emily | so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on? | 16:07:00 |
| raitobezarius | In reply to @emilazy:matrix.org
so every tested build runs on persistent bare metal and the Nix sandbox isn't even turned on? I'm like almost certain that the Nix sandbox isn't even turned on on these builders yep | 16:07:19 |
| raitobezarius | Basically, all of this is blocked on Darwin sysadmin | 16:07:27 |
| emily | it's not because if it was you'd have caught the UDS regression 😆 | 16:07:33 |
| raitobezarius | sowwy | 16:07:42 |
| emily | even ofborg insisted on the sandbox to remove the allow list of users on Darwin :P | 16:07:46 |
