| 27 Jul 2025 |
 raitobezarius (DECT: 7248) | with a FIXME for defending against UDS attacks | 14:28:04 |
 aloisw | https://git.lix.systems/lix-project/lix/commit/cf756fdf3c1a804af726703a12ed2990ad6c2639 | 14:30:02 |
| aloisw | According to the commit message here the motivation was avoiding broken symlinks, but the linked commit doing the same for resolv.conf also cites changing file. | 14:30:54 |
 emily | I feel like the store thing would achieve a comparable optimization across platforms while solving any UDS / file changing / etc. worries (but I should stop saying this because I suspect there is complexity to arranging the store copy that i'm just missing :) ) | 15:32:07 |
| emily | copying all the time sounds great to me if Linux has to do it too though :P | 15:32:24 |
| emily | how do you select a range of lines to comment on in Gerrit? | 15:58:20 |
| emily | I feel like I forget and have to remember how every time | 15:58:28 |
| emily | ah you select in the code rather than the gutter | 15:58:37 |
| raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org
copying all the time sounds great to me if Linux has to do it too though :P i mean, the optimization is dangerous for now :D | 16:01:33 |
| raitobezarius (DECT: 7248) | In reply to @aloisw:julia0815.de
According to the commit message here the motivation was avoiding broken symlinks, but the linked commit doing the same for resolv.conf also cites changing file. with my current proposal, bindPath would follow the symlink I believe | 16:02:37 |
| raitobezarius (DECT: 7248) | so broken symlinks would surface as an exception and break the setup | 16:02:44 |
| raitobezarius (DECT: 7248) | bindPath(source symlink, target, {.followSymlinks = true}) degrades to copyFile(source, target, {.followSymlinks = true}) actually | 16:03:12 |
| raitobezarius (DECT: 7248) | (with the createDirs in addition on the base dir) | 16:03:18 |
| raitobezarius (DECT: 7248) | but ok for the changing files | 16:03:38 |
| raitobezarius (DECT: 7248) | K900 explain yourself | 16:03:41 |
| raitobezarius (DECT: 7248) | did you notice files changing on the fly or not mid-builds? | 16:03:49 |
| raitobezarius (DECT: 7248) | emily fwiw, i'm redoing the testing stuff | 16:04:10 |
 K900 | What | 16:04:22 |
| raitobezarius (DECT: 7248) | i'm going to split into a sandboxed-ca.sh and unsandboxed-ca.sh test suite | 16:04:22 |
| emily | because of issues with Darwin sandbox testing? | 16:04:36 |
| raitobezarius (DECT: 7248) | In reply to @k900:0upti.me
What https://git.lix.systems/lix-project/lix/commit/b469c6509ba616da6df8a27e4ccb205a877c66c9 | 16:04:36 |
| raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org
because of issues with Darwin sandbox testing? because there's no such thing as building in a diverted store with Darwin | 16:04:49 |
| raitobezarius (DECT: 7248) | and also because we cannot do sandbox indeed | 16:05:00 |
| emily | diverted store = chroot store? | 16:05:10 |
| raitobezarius (DECT: 7248) | yep | 16:05:13 |
| raitobezarius (DECT: 7248) | i got bitten by trying to test if repair worked on darwin as well like this yesterday | 16:05:24 |
| aloisw | In reply to @raitobezarius:matrix.org
so broken symlinks would surface as an exception and break the setup I think "broken symlink" may actually have been about the file being a symlink which is bound and the target not existing in the sandbox. | 16:05:39 |
| K900 | In reply to @raitobezarius:matrix.org
https://git.lix.systems/lix-project/lix/commit/b469c6509ba616da6df8a27e4ccb205a877c66c9 No | 16:05:48 |
| K900 | But I was worried it could happen | 16:05:53 |
| emily | I don't know the threat model of the CI builders but it would be really nice to have sandbox testing by way of _NIX_TEST_NO_SANDBOX=1. | 16:06:06 |
