| 28 Jul 2025 |
 emily | and also I'm pretty sure we can just tighten sandbox = true without another flag because it's already a pain | 02:05:41 |
| emily | but someone has to throw stdenv to channel blockers at it or something | 02:06:03 |
| emily | and actually triage the issues | 02:06:09 |
| emily | it's always easy per package but it adds up | 02:06:13 |
| emily | stuff like getting /tmp out would be tedious but doable | 02:06:33 |
 EsperLily [she/her] | yeah i have no idea who thought it was a good idea to say "relaxed means don't sandbox the FODs" since what it should mean is "enable the escape hatches like __sandboxProfile and __noChroot so derivations can opt in to weakening protections" | 02:06:36 |
 jade_ | https://git.lix.systems/lix-project/lix/issues/936 | 02:20:18 |
| EsperLily [she/her] | hey here's a thought, if the cacert file is actually a store file (if you resolve the path), we could just hard-link it instead of copying it (though this probably only works for chroot, since you're using tmpDir otherwise and there's no guarantee that's on the same volume; you could also perhaps just use chrootRootDir even without chroot though?) | 02:22:26 |
| jade_ | i don't like this because i think it could equivalently be solved without more implementation complexity by a better file copy function | 02:24:26 |
 raitobezarius | In reply to @esperlily:matrix.org
hey here's a thought, if the cacert file is actually a store file (if you resolve the path), we could just hard-link it instead of copying it (though this probably only works for chroot, since you're using tmpDir otherwise and there's no guarantee that's on the same volume; you could also perhaps just use chrootRootDir even without chroot though?) cacert is not a store file in general | 02:24:46 |
| EsperLily [she/her] | it should be on NixOS and nix-darwin? | 02:24:56 |
| raitobezarius | i'm mostly thinking about all the corporate usecases with their zscaler ca that comes from elsewhere | 02:25:20 |
| emily | I still think "add it to the store (potentially with optimization to not needlessly re-add an existing store path)" is the ~optimal solution modulo complexity | 02:25:21 |
| jade_ | and also lix on normal macos i think, since cacert goes into the system profile | 02:25:44 |
| raitobezarius | NixOS already does something quite different | 02:25:47 |
| raitobezarius | which does not make any use of ssl-cert-file today? | 02:25:55 |
| raitobezarius | nix-darwin does use ssl-cert-file and possibly this is a store path yeah | 02:26:07 |
| jade_ | for CoW filesystems (most modern fs), if our file copy is implemented correctly we can just have the copy be equivalent to hardlink | 02:26:11 |
| raitobezarius | in practice | 02:26:20 |
| raitobezarius | copying from /etc to /nix/var/nix/builds/ may or may not end up being optimized away | 02:26:39 |
| jade_ | i also agree that importing to the store should be able to be fast | 02:26:42 |
| jade_ | and is definitely a good way to remove edge cases from the sandbox setup code | 02:27:17 |
| raitobezarius | importing to the store introduces other complexities | 02:27:45 |
| raitobezarius | but EsperLily [she/her] do you perceive there will be a performance issue with this whole thing? | 02:29:53 |
| emily | the bind mount in the store makes this stuff weird | 02:29:56 |
| emily | * the bind mount of the store makes this stuff weird | 02:29:59 |
| raitobezarius | i don't question the possibility for optimizations in the future | 02:30:01 |
| EsperLily [she/her] | it looks like this ultimately uses std::filesystem::copy. i sure hope that will use the appropriate call to make a copy-on-write clone, but that entirely depends on the std impl | 02:30:01 |
| raitobezarius | but 500KB copied on every FOD doesn't seem THAT problematic yet to me | 02:30:17 |
| raitobezarius | like the most it could do is add some latency I'd say | 02:31:09 |
