| 14 Jun 2026 |
 Randy Eckenrode | I got Wine to build. It doesn’t work. I tried adding the entitlements discussed at https://x.com/Lina_Hoshino/status/2046437088997130488, but macOS kills the process saying they’re restricted. I even signed with my developer certificate instead of an ad hoc signature. I didn’t try disabling SIP, but I don’t think any option that requires disabling SIP is viable. | 18:00:26 |
 eureka-cpu | Is there a blessed way of shipping macos launchd agents and binaries with nix, or is it best to just follow apple's instructions for installers? | 20:13:03 |
| eureka-cpu | For non-nix users* | 20:15:15 |
| 15 Jun 2026 |
| Randy Eckenrode | I will probably push my Wine cleanups later today, but here are a couple of fixes I needed along the way:
- https://github.com/NixOS/nixpkgs/pull/531959
- https://github.com/NixOS/nixpkgs/pull/531960
| 13:30:50 |
 debtquity | this is just a sandbox on darwin issue, right?
(from nixpkgs-review-gha)
2026-06-15T12:06:34.1835410Z stalwart> thread 'smtp::inbound::basic::basic_commands' (400423) panicked at tests/src/lib.rs:49:13:
2026-06-15T12:06:34.1836360Z stalwart> Errors: [
2026-06-15T12:06:34.1836770Z stalwart> Build {
2026-06-15T12:06:34.1837220Z stalwart> object_id: ObjectId {
2026-06-15T12:06:34.1837780Z stalwart> object: DnsResolver,
2026-06-15T12:06:34.1838340Z stalwart> id: Id(
2026-06-15T12:06:34.1838820Z stalwart> 20080258862541,
2026-06-15T12:06:34.1839370Z stalwart> ),
2026-06-15T12:06:34.1839810Z stalwart> },
2026-06-15T12:06:34.1842000Z stalwart> message: "Failed to read system DNS config: failed to access System Configuration dynamic store",
2026-06-15T12:06:34.1843420Z stalwart> },
2026-06-15T12:06:34.1843820Z stalwart> ]
| 21:46:31 |
| debtquity | can't seem to reproduce locally, even though sandbox is enabled | 21:47:05 |
| debtquity | ahh at some point i disabled sandbox on local machine. oof | 21:59:30 |
|  danieroux changed their profile picture. | 23:54:34 |
| danieroux changed their profile picture. | 23:57:13 |
| 16 Jun 2026 |
 hexa | Ihar Hrachyshka https://github.com/NixOS/nixpkgs/pull/532035#issuecomment-4713594147 | 00:11:53 |
 Ihar Hrachyshka | hexa: only 25.11 or later branches too | 01:14:38 |
| hexa | just 25.11 | 01:14:49 |
| Ihar Hrachyshka | I'll check today | 01:18:25 |
| Ihar Hrachyshka | hexa: i assume we don't want to bring a new apple sdk to this near-eol branch?
we can revert the patch that adopted 26.4 sdk to enable some specific yubikey web auth path. Since it was broken in 151, no regression expected.
| 03:31:34 |
| debtquity | does anybody have a sane process of debugging which policies need to be added to sandboxProfile? I have tried using this while the build is running:
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd") && (subsystem == "com.apple.sandbox.reporting")'
and then proceeded to whitelist all matching policies. But on a subsequent rebuild, the tests continue to fail in the sandbox despite adding them to sandboxProfile
| 08:03:34 |
| debtquity | I have even tried working backwards by tracing the log statement back to the underlying library:
https://github.com/hickory-dns/hickory-dns/blob/f09321075b1f97902b7bc4ca4ffda7816fcf2971/crates/resolver/src/system_conf/apple.rs#L20-L21
But I can't make heads or tails on how to white list "State:/Network/Global/DNS" in sandboxProfile. I can't find any halfway decent documentation on sandboxd or sandbox-exec
| 08:07:25 |
 viraptor | Add (allow (with report)) at the end of your profile and you'll see in the log what would be denied otherwise, but it won't get blocked. | 08:08:34 |
| debtquity | I put that in sandboxProfile or you mean a custom .sb profile? | 08:09:48 |
| viraptor | I think you can do either... A custom profile will definitely work, can't remember the sandboxProfile behaviour. | 08:11:54 |
| debtquity | okay - will this query catch it?
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd") && (subsystem == "com.apple.sandbox.reporting")'
| 08:13:00 |
| viraptor | I'm not near anything that can check. But you can start without filtering and then just narrow down to where the "allow" lines are coming from. | 08:20:22 |
| viraptor | There's a constant stream of sandbox allows and violations on a normal system, so you'll see them. | 08:20:50 |
| debtquity | seems it doesn't allow me to use (allow (with report)) by itself have to use:
(allow mach-lookup (global-name "com.apple.logd")(with report))
| 08:32:32 |
 WeetHet | (allow mach-lookup (global-name "com.apple.SystemConfiguration.DNSConfiguration"))
(allow file-read* (literal "/private/etc/hosts"))
Would this be enough?
| 14:25:08 |
| debtquity | thanks, trying one last time with this and a more generic filter query:
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd")'
I tried the (allow ... (with report)) to find what was initially being denied but in the end those events were not logged for some reason.
I have darwin-log-sandbox-violations = true in nix.conf, but still the same result. I even added multiple (allow file*|file-read*|... (with report)) to sandboxProfile in hopes of catching something, but in the end it was treated as a general allow and those events were not even logged :/. It did allow the build and tests to succeed though
| 16:44:54 |
|  @d86leader:matrix.org left the room. | 16:47:24 |
| debtquity | so this was close, but after tweaking my log predicate to search for anything cargo related (note: sandbox is actually run under the kernel and not sandboxd). sandbox was preventing mach-lookup to "com.apple.SystemConfiguration.configd". Which is what the FFI ultimately uses to lookup any network settings (dns, proxy, ...) | 20:17:26 |
| debtquity | such a pain in the ass. i'll create a wiki page for this later. | 20:18:05 |
| 17 Jun 2026 |
| WeetHet | Damn, wrong patch, I guess
https://tangled.org/weethet.eurosky.social/nix-dotfiles-flakes/blob/main/modules/by-name/li/lix-overlay/0004-sandbox-fod.patch | 12:01:17 |
|  Easy6 joined the room. | 22:27:50 |
