#nix-darwin on 2019-07-04

00:26 ris has quit [Ping timeout: 246 seconds]

00:58 kyren has quit [Ping timeout: 258 seconds]

06:58 hamishmack has quit [Remote host closed the connection]

07:23 veske has joined #nix-darwin

12:32 hmpffff has joined #nix-darwin

12:39 <hmpffff> Moin Moin. Is somebody here?

13:32 <LnL> sup

13:55 veske has quit [Quit: This computer has gone to sleep]

15:22 hmpffff has quit [Quit: Bye…]

15:23 hmpffff has joined #nix-darwin

17:15 <clever> LnL: you familiar with the ranlib cryptlib.o problem, and load command 1?

17:37 <LnL> not sure, what's the context?

18:56 <clever> LnL: when building a haskell project on darwin, and i think it links to openssl, it fails on some machines and works on others

18:56 <clever> LnL: when using the exact same drv file

18:56 <clever> object: dist/build/libHScardano-sl-crypto-3.0.2-2v9S0RiwSU6HEHEe02tDyo-ghc8.4.4.a(cryptlib.o) malformed object (unknown load command 1)

18:57 <clever> cryptlib.o is part of openssl, but strangely, that string does not appear anywhere in /nix/store/

18:57 <clever> load command 1 is for 32bit files, so the error makes sense, a 32bit .o was given to a 64bit linker

18:57 <clever> but, this exact same .drv file works on another mac

19:01 <LnL> hmm

19:03 <LnL> anything like xcode or CLT installed?

19:13 <clever> LnL: on the broken machine, maybe

19:14 <LnL> try with sandboxing

19:14 <LnL> --option sandbox true --option extra-sandbox-paths '/System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env'

19:15 * LnL should finish his sandbox testing project

19:18 <clever> LnL: `--option sandbox true` was enough to fix it

19:19 <LnL> ah, no implicit framework dependencies then :)

19:20 <LnL> I think >90% of builds work without the extra paths

19:20 <clever> builder for '/nix/store/llr95r91qllsfapzgyfqdj7q9xs8fv7i-cardano-sl-crypto-test-3.0.2.drv' failed with exit code 1

19:21 <clever> the tests also needed sandbox=true

19:21 <clever> nix.conf to the rescue!

19:25 <LnL> I'm not sure if anybody else has been using it, but I've only ran into a handful of issues since my initial fixes

19:26 <clever> ld: file not found: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

19:26 <clever> a few derivations later, it fails

19:26 <clever> should be easy enough to fix, just one path

19:29 <LnL> yeah, the current model doesn't really work for frameworks

19:30 <LnL> the sandbox is opened up at build time, but because it's an impure path nix doesn't know it's a runtime dependency

19:31 <LnL> with a -> b -> framework, b builds fine but a can't use b

19:39 hmpffff has quit [Quit: Bye…]

19:53 <clever> LnL: i'm not sure why this even needs corefoundation

19:55 <LnL> there's probably a framework in the closure somewhere

19:56 <LnL> otherwise it would link against our build instead

19:58 <clever> -sh-3.2# grep -r --color CoreFound $(nix-store -qR /nix/store/0pp2l06w3cln7295syghg7jc57gzqh6x-daedalus.drv)

19:58 <clever> ,("__impureHostDeps","/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation /bin/sh /usr/lib/libSystem.B.dylib /usr/lib/system/libunc.dylib /dev/zero /dev/random /dev/urandom /bin/sh"),

19:58 <clever> i think its on every single drv? lol

20:06 <LnL> ah no, it's referenced during stdenv bootstrapping somehwere

20:07 <LnL> would be nice if there was a way to list the tree without that

20:08 <clever> LnL: would also be nice if why-depends worked on drv files

20:09 <LnL> it doesn't?

20:09 <clever> LnL: it builds the things, then acts on the products

20:11 <LnL> https://gist.github.com/LnL7/1f1c1ea24baf64173501192da12fd4a4

20:11 <clever> LnL: nix --version?

20:11 <LnL> well :) 2.3pre6631_e58a7144

20:11 <clever> 2.1.3 here

20:12 <clever> sounds like its already been fixed

20:12 <LnL> I'm running master + patches, but nothing why-depends related AFAIK

20:13 <clever> likely master vs unstable

20:13 <LnL> but isn't 2.2.2 the last release?

20:15 <clever> ok, strange, the git history says why-depends hasnt changed much since creation

20:16 <clever> but its still downloading 5gig just to find the dep-chain of 2 drv files

20:17 <LnL> probably a change in to installables, not why-depends itself

20:20 <clever> auto package = parseInstallable(*this, store, _package, false);

20:20 <clever> yeah, i see

20:20 <clever> https://github.com/NixOS/nix/commit/f72c907ad833fa26800ad1694e63f3cec952b444

20:20 <clever> and thats the most recent commit on the file

20:24 <clever> LnL: weird, 2.1.3 does show the drv path (with a lot of unicode corruption), after downloading the products

20:27 <clever> LnL: i think http://hackage.haskell.org/package/x509-system may be to blame

20:28 <LnL> sounds plausible, that probably depends on Security.framework

20:28 <clever> why-depends says it depends on /nix/store/nzsjvhsghhxg3ax5pnlf2jbxy8z148ch-SecurityTool-55115.drv

20:29 <clever> which also depends on /nix/store/vxbailfximdbqas4899j6h6k684d2qbj-libsecurity_apple_x509_cl-osx-10.7.5.drv

20:32 <LnL> the extra-sandbox-paths I linked earlier avoid this a -> b -> c problem

20:35 <LnL> there's no real advantage to opening up each framework separately, I'd like to go over nixpkgs with those and make those the default

20:35 <LnL> with that sandboxing can also be enabled by default on darwin

20:36 <clever> it feels like __impureHostDeps needs to be fixed, to not need extra-sandbox-paths

20:37 <LnL> not sure what you mean

20:38 <clever> i think __impureHostDeps is a backdoor to let things into the sandbox, on a per-drv basis

20:38 <clever> ah, but it has to propagate at the nix level

20:38 <LnL> yes paths in allowed-impure-host-deps can be opened up conditionally

20:39 <LnL> indeed and propagation works fine, but not for non-store paths

20:39 <clever> ah

20:40 <LnL> and things like xcode/clt can't influence those anyway

20:45 <clever> for deps in the nix store, nix is just grabbing the closure at build-time, and adding them to the sandbox

20:46 <clever> for things like /System/Library/Frameworks, you would need to map over all inputs to the drv, and then access an attr on each drv

20:46 <clever> and then propagate them at the nix level, without nix-support/propagated-*

20:47 <clever> but if your only propagating via buildInputs, it can miss things like buildPhase = "${foo}/bin/foo";

20:48 <LnL> that already happens, but as far as nix is concerned the framework is a build only dependency

20:48 <clever> the issue, is that you need to store that its a runtime dep, at the nix level, before doing the build

20:48 <clever> and then propagate it, within nix, at eval time

21:10 <clever> LnL: oh, and i need a way to stop darwin from going into suspend when idle, from the command line

21:11 <LnL> didn't you find something?

21:11 <clever> i found a few things, that didnt actually work, but havent tried caffeinate yet

21:11 <clever> let me see what it does...

21:12 <clever> 8 sudo systemsetup -getcomputersleep

21:12 <clever> *facepalm*

21:12 <clever> thats not set

21:12 <LnL> yeah that, there's a network module that uses the same command

21:12 <clever> 8 sudo systemsetup -setcomputersleep Never

21:12 <clever> THIS, is set! lol

21:14 <clever> LnL: oh, and i have trouble ssh'ing into users created by nix-darwin still, since nix-darwin cant add them to the special group