| 15 Dec 2025 |
 emily | debugging | 20:52:26 |
| emily | vcunat:
shion:~
❭ log show --last 1h --predicate 'm:"CODE SIGNING"'
…
2025-12-15 20:55:10.515462+0000 0xff72dd Default 0x0 0 0 kernel: CODE SIGNING: cs_invalid_page(0x101594000): p=73322[python3.13] final status 0x23020200, denying page sending SIGKILL
2025-12-15 20:55:10.515472+0000 0xff72dd Default 0x0 0 0 kernel: CODE SIGNING: process 73322[python3.13]: rejecting invalid page at address 0x101594000 from offset 0x0 in file "/nix/store/ia2jjsl9ggscyy6ia8rn4k6pqd2zj12l-libxml2-2.15.1-py/lib/python3.13/site-packages/libxml2mod.cpython-313-darwin.so" (cs_mtime:1.0 == mtime:1.0) (signed:1 validated:1 tainted:1 nx:0 wpmapped:0 dirty:0 depth:0)
| 20:56:38 |
| emily | so, it's libxml2. | 20:56:54 |
| emily | I'm a bit worried by seeing two of these in one cycle, though… and I expect libxml2 might throw away quite some rebuilds, if only the Python stuff is broken. | 20:57:12 |
 vcunat | libxml2 rebuilds darwin stdenv... | 20:58:39 |
| vcunat | And this is on staging-next-25.11 which I was about merge to release-25.11 in minutes. | 20:59:11 |
| emily | the earlier libxml2s do | 20:59:21 |
| emily | I think the latest libxml2 isn't part of the stdenv. | 20:59:27 |
| vcunat | These are usually not trivial to distinguish. | 20:59:59 |
| vcunat | Though it this case it would be worth a try if the alternative would be to rebuild everything. | 21:00:41 |
| emily | something like env.REBUILD_HACK = lib.optionalString (stdenv.name == "stdenv-darwin") "sigh";, I think? | 21:00:57 |
| emily | oh: | 21:01:30 |
| emily | pythonSupport ? false,
| 21:01:31 |
| emily | we can probably just condition on that. | 21:01:37 |
| emily | want me to send a PR to check the rebuilds? | 21:01:42 |
| vcunat | Sounds like a good idea. | 21:12:46 |
| emily | https://github.com/NixOS/nixpkgs/pull/471151 | 21:13:04 |
| emily | 774 rebuilds. should be fine. | 21:28:30 |
| emily | vcunat: have you seen more than these couple of incidents lately? | 21:33:42 |
| vcunat | No. | 21:34:00 |
| emily | it's been a very deep abyss to try and figure out what causes those issues so it worries me if it's going to become a common problem | 21:34:30 |
| emily | but I guess it's incentive to dig deeper too :) | 21:34:36 |
| vcunat | But I tend to avoid darwin stuff. Here they were just significant staging-next* regressions which noone looked at. | 21:34:38 |
| vcunat | * But I tend to avoid darwin stuff, so I might've missed them easily. Here they were just significant staging-next* regressions which noone looked at. | 21:35:09 |
| emily | clean-up https://github.com/NixOS/nixpkgs/pull/471160 | 21:44:40 |
 Randy Eckenrode | That’s one that breaks frequently IME. | 22:14:14 |
| Randy Eckenrode | Maybe have a check that xmllint works? | 22:15:19 |
| emily | it seems to only be the Python one this time. | 22:22:31 |
| emily | a default fixup hook to check signing of every Mach-O seems like a good idea if we don't expect to fix the underlying issue soon. | 22:23:01 |
| emily | will try to review your pending PRs today btw | 22:24:24 |
