| 12 Jul 2025 |
emily | what are the reasons? | 10:59:42 |
raitobezarius | I don't have my notes / laptop with me and I don't remember, let me get back to you on Sunday or Monday if that's ok | 11:03:32 |
| @georgyo:nycr.chat joined the room. | 20:28:41 |
| 13 Jul 2025 |
Sergei Zimmerman (xokdvium) | Lix still does the fork hack in bindConnectProcHelper to work around the darwin unix socket path limitations? https://github.com/lix-project/lix/blob/2090853b8026ebac17eae181e36bd68ca1f424f2/lix/libutil/unix-domain-socket.cc#L69-L85
At least in cppnix this code path is now being exercised with the build-dir changes (as emily noted above). The curious thing is that with the darwin sandbox, binding to the socket fails with EPERM in the forked process with both the "relaxed" and the full sandbox. Any clue what's going on there?
| 15:03:45 |
emily | might be https://gerrit.lix.systems/c/lix/+/3500? | 15:05:33 |
emily | if you're testing the daemon inside a build, that is | 15:05:55 |
Sergei Zimmerman (xokdvium) | Thanks, I have no clue why that didn't get merged to cppnix. Thanks | 15:06:35 |
emily | I think Lix shipped without it too so Unix sockets in the build sandbox probably don't get enough QA 😅 | 15:10:22 |
emily | you can't nest the Darwin sandbox, and even "unsandboxed" builds set up a basic sandbox with the macOS API, so it has basically no CI coverage | 15:10:47 |
emily | https://gerrit.lix.systems/c/lix/+/3521 was an attempt to make a test you could at least run under _NIX_TEST_NO_SANDBOX but I couldn't get it to function | 15:11:28 |
| Marie changed their profile picture. | 20:12:29 |
| 14 Jul 2025 |
jade_ | raitobezarius: anything I have to do to make forward progress on https://gerrit.lix.systems/c/lix/+/3633? I would like to get at least an initial configuration of codeowners in place so that I don't have to keep messing with owners overrides if possible. | 05:27:20 |
jade_ | (oh the reason it was not seeing my default codeowner entry to begin with was that I didn't have jade@lix.systems registered as a gerrit email. woops. fixed) | 05:31:12 |
jade_ | * (oh the reason it was not seeing my default codeowner entry to begin with was that I didn't have jade@lix.systems registered as a gerrit email. woops. fixed. that fixes the owners override shenanigans but i still would like to permit more reviewers) | 05:47:45 |
raitobezarius | In reply to @jade_:matrix.org "raitobezarius: anything I have to do to make forward progress on https://gerrit.lix.systems/c/lix/+/3633? I would like to get at least an initial configuration of codeowners in place so that I don't have to keep messing with owners overrides if possible." Will review today, yes | 08:49:25 |
raitobezarius | jade_ sent +2 for the changes | 11:24:13 |
raitobezarius | we can figure out what we want to be with the reviewer list as we go | 11:24:26 |
raitobezarius | my biggest aim is to reduce the toil on active reviewers like pennae or me who have to subscribe to the firehose right now | 11:24:41 |
| vai joined the room. | 16:20:25 |
| 15 Jul 2025 |
raitobezarius | aloisw you asked about CVE details — https://labs.snyk.io/resources/nixos-deep-dive/ | 13:36:00 |
raitobezarius | this doesn't cover yet CVE-2025-46416 | 13:36:06 |
aloisw | Thank you. Is my understanding correct that CVE-2025-52991 only applies once you already have the directory emptying (or otherwise deletion of the build directory)? | 15:05:58 |
aloisw | In which case it is unclear how the additional directory layer helps. | 15:06:43 |
raitobezarius | jade_ fwiw, i think the email setup has ceased to function | 17:47:10 |
raitobezarius | i ceased receiving any emails including your reviews you performed on pennae's chain today | 17:47:18 |
raitobezarius | unfortunately too low energy to jump on the problem | 17:47:26 |
raitobezarius | cc emily if you do have some time to spare on this (no hurry ofc) | 17:47:36 |
emily | uh sure, can look into this if jade is currently away/afk | 17:51:26 |
raitobezarius | In reply to @aloisw:julia0815.de "Thank you. Is my understanding correct that CVE-2025-52991 only applies once you already have the directory emptying (or otherwise deletion of the build directory)?" CVE-2025-52991 is one of the primitives that is used in the attack chain, yes | 17:51:29 |
raitobezarius | it doesn't "apply" because it's not an attack by itself | 17:51:36 |