| 19 Sep 2025 |
 raitobezarius (DECT: 7248) | sometimes not even under our control (e.g. kernel bug) | 09:45:16 |
 Yureka (she/her) | for the sandbox shell, isn't the option to embed it just on top of the ability to change it at run-time later? | 09:46:23 |
| raitobezarius (DECT: 7248) | #if HAVE_EMBEDDED_SANDBOX_SHELL
if (i.second.source == "__embedded_sandbox_shell__") {
static unsigned char sh[] = {
#include "embedded-sandbox-shell.gen.hh"
};
auto dst = chrootRootDir + i.first;
createDirs(dirOf(dst));
writeFile(dst, std::string_view((const char *) sh, sizeof(sh)));
chmodPath(dst, 0555);
} else
#endif
bindPath(i.second.source, chrootRootDir + i.first, i.second.optional);
| 09:47:05 |
| raitobezarius (DECT: 7248) | #if defined(__linux__) && defined(SANDBOX_SHELL)
sandboxPaths.setDefault(tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL));
#endif
| 09:47:33 |
| raitobezarius (DECT: 7248) | correct | 09:47:34 |
| raitobezarius (DECT: 7248) | there's a runtime composition | 09:47:39 |
| raitobezarius (DECT: 7248) | sounds like we could do mostly the same | 09:47:47 |
| raitobezarius (DECT: 7248) | except that this time, this is not about writing a binary in the sandbox | 09:47:53 |
| raitobezarius (DECT: 7248) | but executing a binary which is mapped in our memory | 09:48:02 |
| Yureka (she/her) | sounds good | 09:48:16 |
| * raitobezarius (DECT: 7248) nods | 09:48:20 |
| Yureka (she/her) | I can take on this task and create a patch | 09:49:04 |
| raitobezarius (DECT: 7248) | thanks! | 09:53:02 |
| Yureka (she/her) | summarized the thing here https://git.lix.systems/lix-project/lix/issues/996 | 09:56:04 |
| Yureka (she/her) | and assigned myself | 09:56:16 |
 aloisw | It would only be unconditional for static builds with built-in pasta. But given that the sandbox shell also has a runtime option after all we could support (and default to) pasta-path = __embedded_pasta__ similarly in this case. | 11:44:38 |
|  bl1nk changed their profile picture. | 15:22:59 |
| bl1nk changed their profile picture. | 15:25:08 |
| 21 Sep 2025 |
 K900 | Can someone remind me why the flake is pinned to an old capnproto? | 16:39:22 |
| K900 | OK I don't think the old is intentional | 16:52:29 |
| raitobezarius (DECT: 7248) | not intentional but we have patches on capnp | 16:53:40 |
| K900 | Those are in 1.2.0 AFAICT | 16:53:47 |
| K900 | And so is cmake 4 compat | 16:53:53 |
| raitobezarius (DECT: 7248) | go for it | 17:05:36 |
| raitobezarius (DECT: 7248) | but double check for 1.2.0 and the patch | 17:05:41 |
| K900 | Double checking yes | 17:07:07 |
| K900 | I'm actually unvendoring it entirely | 17:07:18 |
| K900 | Because nixpkgs is fine now | 17:07:21 |
| K900 | https://gerrit.lix.systems/c/lix/+/4211 | 17:33:15 |
| raitobezarius (DECT: 7248) | K900: well i guess you missed the patch | 17:47:01 |
