ris has quit [Ping timeout: 246 seconds]
kyren has quit [Ping timeout: 258 seconds]
hamishmack has quit [Remote host closed the connection]
veske has joined #nix-darwin
hmpffff has joined #nix-darwin
<hmpffff> Moin Moin. Is somebody here?
<LnL> sup
veske has quit [Quit: This computer has gone to sleep]
hmpffff has quit [Quit: Bye…]
hmpffff has joined #nix-darwin
<clever> LnL: you familiar with the ranlib cryptlib.o problem, and load command 1?
<LnL> not sure, what's the context?
<clever> LnL: when building a haskell project on darwin, and i think it links to openssl, it fails on some machines and works on others
<clever> LnL: when using the exact same drv file
<clever> object: dist/build/libHScardano-sl-crypto-3.0.2-2v9S0RiwSU6HEHEe02tDyo-ghc8.4.4.a(cryptlib.o) malformed object (unknown load command 1)
<clever> cryptlib.o is part of openssl, but strangely, that string does not appear anywhere in /nix/store/
<clever> load command 1 is for 32bit files, so the error makes sense, a 32bit .o was given to a 64bit linker
<clever> but, this exact same .drv file works on another mac
<LnL> hmm
<LnL> anything like xcode or CLT installed?
<clever> LnL: on the broken machine, maybe
<LnL> try with sandboxing
<LnL> --option sandbox true --option extra-sandbox-paths '/System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env'
* LnL should finish his sandbox testing project
<clever> LnL: `--option sandbox true` was enough to fix it
<LnL> ah, no implicit framework dependencies then :)
<LnL> I think >90% of builds work without the extra paths
<clever> builder for '/nix/store/llr95r91qllsfapzgyfqdj7q9xs8fv7i-cardano-sl-crypto-test-3.0.2.drv' failed with exit code 1
<clever> the tests also needed sandbox=true
<clever> nix.conf to the rescue!
<LnL> I'm not sure if anybody else has been using it, but I've only run into a handful of issues since my initial fixes
<clever> ld: file not found: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
<clever> a few derivations later, it fails
<clever> should be easy enough to fix, just one path
<LnL> yeah, the current model doesn't really work for frameworks
<LnL> the sandbox is opened up at build time, but because it's an impure path nix doesn't know it's a runtime dependency
<LnL> with a -> b -> framework, b builds fine but a can't use b
hmpffff has quit [Quit: Bye…]
<clever> LnL: i'm not sure why this even needs corefoundation
<LnL> there's probably a framework in the closure somewhere
<LnL> otherwise it would link against our build instead
<clever> -sh-3.2# grep -r --color CoreFound $(nix-store -qR /nix/store/0pp2l06w3cln7295syghg7jc57gzqh6x-daedalus.drv)
<clever> ,("__impureHostDeps","/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation /bin/sh /usr/lib/libSystem.B.dylib /usr/lib/system/libunc.dylib /dev/zero /dev/random /dev/urandom /bin/sh"),
<clever> i think its on every single drv? lol
<LnL> ah no, it's referenced during stdenv bootstrapping somewhere
<LnL> would be nice if there was a way to list the tree without that
<clever> LnL: would also be nice if why-depends worked on drv files
<LnL> it doesn't?
<clever> LnL: it builds the things, then acts on the products
<clever> LnL: nix --version?
<LnL> well :) 2.3pre6631_e58a7144
<clever> 2.1.3 here
<clever> sounds like its already been fixed
<LnL> I'm running master + patches, but nothing why-depends related AFAIK
<clever> likely master vs unstable
<LnL> but isn't 2.2.2 the last release?
<clever> ok, strange, the git history says why-depends hasnt changed much since creation
<clever> but its still downloading 5gig just to find the dep-chain of 2 drv files
<LnL> probably a change in to installables, not why-depends itself
<clever> auto package = parseInstallable(*this, store, _package, false);
<clever> yeah, i see
<clever> and thats the most recent commit on the file
<clever> LnL: weird, 2.1.3 does show the drv path (with a lot of unicode corruption), after downloading the products
<clever> LnL: i think http://hackage.haskell.org/package/x509-system may be to blame
<LnL> sounds plausible, that probably depends on Security.framework
<clever> why-depends says it depends on /nix/store/nzsjvhsghhxg3ax5pnlf2jbxy8z148ch-SecurityTool-55115.drv
<clever> which also depends on /nix/store/vxbailfximdbqas4899j6h6k684d2qbj-libsecurity_apple_x509_cl-osx-10.7.5.drv
<LnL> the extra-sandbox-paths I linked earlier avoid this a -> b -> c problem
<LnL> there's no real advantage to opening up each framework separately, I'd like to go over nixpkgs with those and make those the default
<LnL> with that sandboxing can also be enabled by default on darwin
<clever> it feels like __impureHostDeps needs to be fixed, to not need extra-sandbox-paths
<LnL> not sure what you mean
<clever> i think __impureHostDeps is a backdoor to let things into the sandbox, on a per-drv basis
<clever> ah, but it has to propagate at the nix level
<LnL> yes paths in allowed-impure-host-deps can be opened up conditionally
<LnL> indeed and propagation works fine, but not for non-store paths
<clever> ah
<LnL> and things like xcode/clt can't influence those anyway
<clever> for deps in the nix store, nix is just grabbing the closure at build-time, and adding them to the sandbox
<clever> for things like /System/Library/Frameworks, you would need to map over all inputs to the drv, and then access an attr on each drv
<clever> and then propagate them at the nix level, without nix-support/propagated-*
<clever> but if you're only propagating via buildInputs, it can miss things like buildPhase = "${foo}/bin/foo";
<LnL> that already happens, but as far as nix is concerned the framework is a build only dependency
<clever> the issue, is that you need to store that its a runtime dep, at the nix level, before doing the build
<clever> and then propagate it, within nix, at eval time
<clever> LnL: oh, and i need a way to stop darwin from going into suspend when idle, from the command line
<LnL> didn't you find something?
<clever> i found a few things, that didnt actually work, but havent tried caffeinate yet
<clever> let me see what it does...
<clever> 8 sudo systemsetup -getcomputersleep
<clever> *facepalm*
<clever> thats not set
<LnL> yeah that, there's a network module that uses the same command
<clever> 8 sudo systemsetup -setcomputersleep Never
<clever> THIS, is set! lol
<clever> LnL: oh, and i have trouble ssh'ing into users created by nix-darwin still, since nix-darwin cant add them to the special group