ris has quit [Ping timeout: 246 seconds]
kyren has quit [Ping timeout: 258 seconds]
hamishmack has quit [Remote host closed the connection]
veske has joined #nix-darwin
hmpffff has joined #nix-darwin
<hmpffff> Moin Moin. Is somebody here?
veske has quit [Quit: This computer has gone to sleep]
hmpffff has quit [Quit: Bye…]
hmpffff has joined #nix-darwin
<clever> LnL: you familiar with the ranlib cryptlib.o problem, and load command 1?
<LnL> not sure, what's the context?
<clever> LnL: when building a haskell project on darwin, and i think it links to openssl, it fails on some machines and works on others
<clever> LnL: when using the exact same drv file
<clever> object: dist/build/libHScardano-sl-crypto-3.0.2-2v9S0RiwSU6HEHEe02tDyo-ghc8.4.4.a(cryptlib.o) malformed object (unknown load command 1)
<clever> cryptlib.o is part of openssl, but strangely, that string does not appear anywhere in /nix/store/
<clever> load command 1 is for 32bit files, so the error makes sense, a 32bit .o was given to a 64bit linker
<clever> but, this exact same .drv file works on another mac
<LnL> anything like xcode or CLT installed?
<clever> LnL: on the broken machine, maybe
<LnL> try with sandboxing
<LnL> --option sandbox true --option extra-sandbox-paths '/System/Library/Frameworks /System/Library/PrivateFrameworks /usr/lib /private/tmp /private/var/tmp /usr/bin/env'
* LnL should finish his sandbox testing project
<clever> LnL: `--option sandbox true` was enough to fix it
<LnL> ah, no implicit framework dependencies then :)
<LnL> I think >90% of builds work without the extra paths
<clever> builder for '/nix/store/llr95r91qllsfapzgyfqdj7q9xs8fv7i-cardano-sl-crypto-test-3.0.2.drv' failed with exit code 1
<clever> the tests also needed sandbox=true
<clever> nix.conf to the rescue!
<LnL> I'm not sure if anybody else has been using it, but I've only ran into a handful of issues since my initial fixes
<clever> ld: file not found: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
<clever> a few derivations later, it fails
<clever> should be easy enough to fix, just one path
<LnL> yeah, the current model doesn't really work for frameworks
<LnL> the sandbox is opened up at build time, but because it's an impure path nix doesn't know it's a runtime dependency
<LnL> with a -> b -> framework, b builds fine but a can't use b
hmpffff has quit [Quit: Bye…]
<clever> LnL: i'm not sure why this even needs corefoundation
<LnL> there's probably a framework in the closure somewhere
<LnL> otherwise it would link against our build instead
<clever> -sh-3.2# grep -r --color CoreFound $(nix-store -qR /nix/store/0pp2l06w3cln7295syghg7jc57gzqh6x-daedalus.drv)
<clever> ,("__impureHostDeps","/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation /bin/sh /usr/lib/libSystem.B.dylib /usr/lib/system/libunc.dylib /dev/zero /dev/random /dev/urandom /bin/sh"),
<clever> i think its on every single drv? lol
<LnL> ah no, it's referenced during stdenv bootstrapping somewhere
<LnL> would be nice if there was a way to list the tree without that
<clever> LnL: would also be nice if why-depends worked on drv files
<clever> LnL: it builds the things, then acts on the products
<clever> LnL: nix --version?
<LnL> well :) 2.3pre6631_e58a7144
<clever> 2.1.3 here
<clever> sounds like its already been fixed
<LnL> I'm running master + patches, but nothing why-depends related AFAIK
<clever> likely master vs unstable
<LnL> but isn't 2.2.2 the last release?
<clever> ok, strange, the git history says why-depends hasnt changed much since creation
<clever> but its still downloading 5gig just to find the dep-chain of 2 drv files
<LnL> probably a change in to installables, not why-depends itself
<clever> auto package = parseInstallable(*this, store, _package, false);
<clever> yeah, i see
<clever> and thats the most recent commit on the file
<clever> LnL: weird, 2.1.3 does show the drv path (with a lot of unicode corruption), after downloading the products
<LnL> sounds plausible, that probably depends on Security.framework
<clever> why-depends says it depends on /nix/store/nzsjvhsghhxg3ax5pnlf2jbxy8z148ch-SecurityTool-55115.drv
<clever> which also depends on /nix/store/vxbailfximdbqas4899j6h6k684d2qbj-libsecurity_apple_x509_cl-osx-10.7.5.drv
<LnL> the extra-sandbox-paths I linked earlier avoid this a -> b -> c problem
<LnL> there's no real advantage to opening up each framework separately, I'd like to go over nixpkgs with those and make those the default
<LnL> with that sandboxing can also be enabled by default on darwin
<clever> it feels like __impureHostDeps needs to be fixed, to not need extra-sandbox-paths
<LnL> not sure what you mean
<clever> i think __impureHostDeps is a backdoor to let things into the sandbox, on a per-drv basis
<clever> ah, but it has to propagate at the nix level
<LnL> yes paths in allowed-impure-host-deps can be opened up conditionally
<LnL> indeed and propagation works fine, but not for non-store paths
<LnL> and things like xcode/clt can't influence those anyway
<clever> for deps in the nix store, nix is just grabbing the closure at build-time, and adding them to the sandbox
<clever> for things like /System/Library/Frameworks, you would need to map over all inputs to the drv, and then access an attr on each drv
<clever> and then propagate them at the nix level, without nix-support/propagated-*
<clever> but if you're only propagating via buildInputs, it can miss things like buildPhase = "${foo}/bin/foo";
<LnL> that already happens, but as far as nix is concerned the framework is a build only dependency
<clever> the issue, is that you need to store that its a runtime dep, at the nix level, before doing the build
<clever> and then propagate it, within nix, at eval time
<clever> LnL: oh, and i need a way to stop darwin from going into suspend when idle, from the command line
<LnL> didn't you find something?
<clever> i found a few things, that didnt actually work, but havent tried caffeinate yet
<clever> let me see what it does...
<clever> 8 sudo systemsetup -getcomputersleep
<clever> *facepalm*
<clever> thats not set
<LnL> yeah that, there's a network module that uses the same command
<clever> 8 sudo systemsetup -setcomputersleep Never
<clever> THIS, is set! lol
<clever> LnL: oh, and i have trouble ssh'ing into users created by nix-darwin still, since nix-darwin cant add them to the special group