| 28 Jul 2025 |
EsperLily [she/her] | doesn't it? on darwin, no chroot means the sandbox is ``` (version 1) (allow default) | 01:56:32 |
EsperLily [she/her] | oops | 01:56:34 |
raitobezarius (DECT: 7248) | In reply to @esperlily:matrix.org doesn't it? on darwin, no chroot means the sandbox is ``` (version 1) (allow default) yes and allow-setuid no | 01:56:45 |
raitobezarius (DECT: 7248) | basically | 01:56:46 |
EsperLily [she/her] | * doesn't it? on darwin, no chroot means the sandbox is ``` (version 1) (allow default) (deny file-write-setugid) | 01:56:53 |
EsperLily [she/her] | * doesn't it? on darwin, no chroot means the sandbox is (version 1) (allow default) (deny file-write-setugid) | 01:57:02 |
jade_ | there's so many bugs that are just "lol someone needs to spend 2h finding them" that are massive impact :V | 01:57:11 |
raitobezarius (DECT: 7248) | In reply to @raitobezarius:matrix.org basically the problem is that chroot or no chroot doesn't tell me if there's a sandbox policy that prevents me from reading outside of the Nix store | 01:57:33 |
raitobezarius (DECT: 7248) | or the build directory | 01:57:36 |
raitobezarius (DECT: 7248) | so to simplify things, i can just assume that i can NEVER read outside of these directories | 01:57:46 |
raitobezarius (DECT: 7248) | which would be the maximum sandbox policy applied | 01:57:54 |
raitobezarius (DECT: 7248) | right? | 01:57:55 |
emily | useChroot means "use sandbox" on macOS | 01:57:59 |
raitobezarius (DECT: 7248) | (do note that it's 4am and i'm stupid) | 01:58:02 |
raitobezarius (DECT: 7248) | In reply to @emilazy:matrix.org useChroot means "use sandbox" on macOS there's only 2 levels of sandbox policy? | 01:58:18 |
emily | unfortunately I have roughly a year's worth of 2 hour high-impact tasks to get through | 01:58:26 |
raitobezarius (DECT: 7248) | i hate this boolean so hard | 01:58:28 |
emily | three | 01:58:32 |
raitobezarius (DECT: 7248) | so as soon as sandbox is used, this is going to be fucked | 01:58:52 |
EsperLily [she/her] | useChroot is initialized based off of the sandbox setting. it's true if sandbox is enabled, or if sandbox is relaxed and the derivation is input-addressed. it's false if sandbox is disabled | 01:59:05 |
raitobezarius (DECT: 7248) | ok, I got a gist of the problem | 01:59:17 |
raitobezarius (DECT: 7248) | I will try to fix this tomorrow | 01:59:20 |
emily | I'm confused | 01:59:23 |
emily | I think the current behaviour is fine? | 01:59:34 |
emily | we copy on Linux and we copy on Darwin | 01:59:37 |
raitobezarius (DECT: 7248) | let me just verify that the paths we pass in the environment | 01:59:50 |
raitobezarius (DECT: 7248) | are right | 01:59:51 |
EsperLily [she/her] | my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file | 01:59:57 |
raitobezarius (DECT: 7248) | In reply to @esperlily:matrix.org my question there was just if we don't have chroot then the build should be able to read everything we can read, and so if we can read the caFile, then we should be able to just give that path to the build without copying the file ok, but why do that optimization at all? | 02:00:24 |
EsperLily [she/her] | but also, i put a comment on the cl (after merge) because there is a bug where you dropped the second param to pathAccessible(), which makes it check the wrong thing | 02:00:26 |