<Enzime>
puffnfresh[m]: "slack" "Atlassian" can't tell if that has to do with the news announced today :p
<puffnfresh[m]>
Enzime: :)
jrolfs has quit [Ping timeout: 256 seconds]
jrolfs has joined #nix-darwin
andreabedini has joined #nix-darwin
hamishmack has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
jrolfs has quit [Ping timeout: 260 seconds]
philr has joined #nix-darwin
jrolfs has joined #nix-darwin
jrolfs has quit [Ping timeout: 264 seconds]
hamishmack has joined #nix-darwin
andreabedini has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
andreabedini has joined #nix-darwin
<angerman>
LnL: clever and I have been wondering just how pure darwin is? And we saw that it pulls in CoreFoundation impurely. Is there some document on the purity of nix-darwin?
hamishmack has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
FRidh has joined #nix-darwin
<LnL>
angerman: CoreFoundation is pure by default, but the frameworks are not, so if something depends on a framework we also switch CF because that can cause problems otherwise
<angerman>
LnL: I was thinking about building a cross ghc (linux -> mac) and was wondering if we had enough infra to support that without constructing a macOS sdk (which could be questionable from a legal perspective)
<johnw_>
copumpkin made some huge efforts to purify darwin
<LnL>
angerman: the other impurity is Libsystem for which we use a shim that only exposes a set of known symbols, hiding the differences as much as possible
<angerman>
LnL: guess I would just have to try then.
<LnL>
the sdk packages don't contain anything, it's just a bunch of symlinks to the system locations
<clever>
LnL: one thing we did notice, we turned on the nix sandbox, and made a naked builtins.derivation, and bash failed to even start because the stdenv wasn't around to ask for impurities in the sandbox
<clever>
: Library not loaded: /usr/lib/system/libunc.dylib Referenced from: /nix/store/q819d3vjz7vswpvkrfa9gck3ys8rmvcj-Libsystem-osx-10.11.6/lib/libSystem.B.dylib Reason: no suitable image found
* clever
heads off to bed
<LnL>
yeah that's Libsystem like I mentioned
<clever>
so you can link against it purely, but not actually run the binary in a pure manner?
<LnL>
indeed
<clever>
that should be fine for a cross build, no way to run mach-o
<LnL>
it has a list of symbols but not their implementation
<LnL>
and Libsystem itself is an umbrella that exports a bunch of different libraries
johnw_ is now known as johnw
johnw has quit [Changing host]
johnw has joined #nix-darwin
hamishmack has joined #nix-darwin
andreabedini has joined #nix-darwin
__Sander__ has joined #nix-darwin
andreabedini has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
philr has joined #nix-darwin
ben has quit [Ping timeout: 255 seconds]
<angerman>
so looks like you can't build `x509-system-1.6.6` on a sandboxed nix-darwin machine. Fails with `ld: file not found: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation`
<LnL>
angerman: yes, the impure framework paths don't propagate correctly at the moment
<LnL>
sandboxing only works for pure stuff at the moment
<angerman>
LnL: is there a ticket with more details?
<LnL>
there's an issue about sandboxing, but not sure if there are any more details
<LnL>
the gist is that frameworks have special properties to open up the sandbox paths for specific stuff in /System/Library/Frameworks
<LnL>
however because they are just symlinks, stuff will link against /System/Library/Frameworks/Foundation.framework/Foundation directly and as a result nix doesn't know it's a runtime dependency
<LnL>
so anything that depends indirectly on a framework through an input won't have the sandbox opened up
periklis has joined #nix-darwin
philr has quit [Ping timeout: 240 seconds]
periklis has quit [Ping timeout: 240 seconds]
periklis has joined #nix-darwin
ben______ has joined #nix-darwin
periklis has quit [Ping timeout: 244 seconds]
periklis has joined #nix-darwin
periklis has quit [Remote host closed the connection]
adetokunbo has joined #nix-darwin
<adetokunbo>
hello!
<adetokunbo>
I am using the nix-unstable channel, and would like to pin my project to the current state of the channel.
<adetokunbo>
How do I figure out exactly what commit of nixpkgs I am using ?
philr has joined #nix-darwin
alexteves has joined #nix-darwin
<angerman>
LnL: thanks!
<LnL>
adetokunbo: nix-instantiate --eval '<nixpkgs>' -A lib.nixpkgsVersion
<LnL>
ugh, who keeps renaming this stuff!
<adetokunbo>
LnL: cool that works!
<LnL>
the part after the period is the commit
the has joined #nix-darwin
the has quit [Changing host]
the has joined #nix-darwin
the has quit [Remote host closed the connection]
the has joined #nix-darwin
the has quit [Changing host]
the has joined #nix-darwin
ejpcmac has joined #nix-darwin
__Sander__ has quit [Quit: Konversation terminated!]
philr has quit [Ping timeout: 244 seconds]
Sonarpulse has joined #nix-darwin
ben______ is now known as ben
<johnw>
anyone know what the story is with this on nixpkgs master:
<johnw>
error: attribute 'pkgs' missing, at /Users/johnw/src/nix/nixpkgs/pkgs/development/compilers/llvm/5/llvm.nix:37:43
<johnw>
is this something I've done, or is master fully broken on darwin at the moment?
<LnL>
Sonarpulse: ^ all the llvmPackages libraries/tools stuff in the stdenv is really confusing
<Sonarpulse>
LnL: yeah it is
<Sonarpulse>
if you build the man pages, it's simpler
<Sonarpulse>
but it brings in python n crap
<Sonarpulse>
I didn't want to make the call
<LnL>
not about the manpages
<LnL>
all the crazy overriding
<LnL>
can't we add a function for that?
* LnL
overrides the overridden overrides with great success
<ejpcmac>
Hi all! I’m a few days into Nix and nix-darwin now, and I find the concept really great :)
<ejpcmac>
I have a question though: I see there is an option named `nix.useSandbox`, which seems a good thing to enable since Nix is about reproducible builds. However, when I enable it and then try to `nix-env --upgrade`, I get an error: `derivation '/nix/store/***-user-environment.drv' specifies a sandbox profile, but this is only allowed when 'sandbox' is 'relaxed'`.
<ejpcmac>
The question is: why?
<ejpcmac>
And a derivative of this question is: how can I fix that? I assume having `nix.useSandbox = true;` is generally a good thing. What does `relaxed` imply? Do I get impurity with it? To what extent?
<johnw>
LnL: what's the fix?
<LnL>
euh, I think my ball chair just popped because of the heat
<LnL>
johnw: I'll make a pr, but you should be able to use llvm.override { man = null; } as a workaround
<johnw>
kk
<LnL>
overrideAttrs I mean
<johnw>
doesn't help
<johnw>
i'll have to make an overlay for llvm
<LnL>
your systemPackages should be the only thing that references it
<LnL>
but, for sandboxing in general there's still an issue with the way we (impurely) use system frameworks
<ejpcmac>
Thanks! But now using a "relaxed" profile just to try I get: `building '/nix/store/***-user-environment.drv'...
<ejpcmac>
libc++abi.dylib: terminating with uncaught exception of type nix::SysError: getting status of /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt: Operation not permitted`
<LnL>
wut
<LnL>
why is it looking at that
<ejpcmac>
I just did (1) set `nix.useSandbox = "relaxed"`, (2) `darwin-rebuild switch` and (3) `nix-env --update`.
<ejpcmac>
If I comment out the sandbox config, switch and call again `nix-env --update`, it works as expected
<LnL>
yeah, I'm not sure if relaxed still works
<ejpcmac>
It seems there is some impurity in there :(
<LnL>
but that's not the error I'd expect
<ejpcmac>
I don’t really get what "relaxed" does indeed
<LnL>
the idea behind relaxed was to decouple the sandbox profiles from nix
<LnL>
so any build can request paths to be opened up
<LnL>
that helps with build purity but not security
<ejpcmac>
Ok, and when it is false, all base system libraries are visible during builds?
<ejpcmac>
False is like a standard nix-shell, true a nix-shell --pure and relaxed something between?
<LnL>
no
<LnL>
false is more like nix-shell --pure
<LnL>
while enabling the sandbox provides much more isolation
<ejpcmac>
Ok
<ejpcmac>
Completely different question, but how do you manage upgrades with nix-darwin? When are system-wide packets updated?
<dhess>
Are sandboxed builds working in Darwin again?
<dhess>
oh I see from earlier that it doesn't really.
<LnL>
the problem is that --pure only clears the environment, if a certain project decides to look in /usr/local anyway because that's where software is installed right? it might find eg. homebrew variants of libraries you might accidentally have available and try to use those
<LnL>
with sandboxing builds are _never_ allowed to look in /usr/local so if they try it either fails or looks like there's nothing there
<ejpcmac>
I see. And the sandboxing avoids this by doing a chroot? And is it effective when you are in a nix-shell too?
<LnL>
nix-shell isn't influenced by sandboxing
<LnL>
it's intended for development or debugging in which case you might want to access some extra tools etc.
<LnL>
as for nix-darwin, switch applies your current configuration, there's no conceptual difference between update, upgrade or rollback
<ejpcmac>
So let’s say I have a set of packages that got installed at a given version at a point of time. Now, I did not make any changes on my configuration but some package has a new version available upstream. If I switch, it gets updated. Right?
<LnL>
the versions of packages are determined by nixpkgs, if you manage that with nix-channel (probably the case) then use that to update/rollback
<ejpcmac>
So I have to do a `nix-channel --update`, then `darwin-rebuild switch` to re-apply the configuration with the updated channel?
<Sonarpulse>
LnL: pong
<LnL>
exactly
<Enzime>
LnL: trying to get mpv building on macOS again