
Conversation

sellout
Contributor

@sellout sellout commented Oct 1, 2025

This extracts the simpler Nix changes from #5796. That PR does a bunch of Nix changes, some of which introduce an issue building with Stack. This PR includes the parts that are independent of that change, both to make that PR smaller and to make the benefits of these changes available.

  • nix flake check now works, since unison-cli:test:cli-tests is no longer sandboxed
  • hpack version is now consistent
  • nix develop no longer requires LD_LIBRARY_PATH to be defined
  • the build systems can be overridden, to either avoid some or to try a new one

On macOS, it requires access to `security`, which is outside the
sandbox, so don’t sandbox it when running on Darwin.

This is made possible by setting `sandbox` to `relaxed` in the flake,
which allows using `__noChroot` to mark derivations as unsandboxed. This
makes things less strict on Linux (where the sandbox is on by default),
but more strict on Darwin (where the sandbox is off by default).

This allows us to install a different version than the one included in
Nixpkgs. We pin it to the version included in our Stack from Nix.

This also re-generates all the Cabal files with the new hpack.

This workaround required another local workaround. If you had a line
like `LD_LIBRARY_PATH=` in your .envrc, it can be removed now.

Somewhat described at https://github.com/nix-systems/nix-systems

This is useful for Haskell projects, because commands like

```bash
nix flake show --allow-import-from-derivation
```

can often fail, complaining that it can’t find some other architecture
to build on. With nix-systems, you can append
`--override-input systems github:nix-systems/x86_64-linux` to the
command to ensure that x86_64-linux is the only platform in play.

Calling it `nixpkgs` makes it clear that it’s the Nixpkgs used for most
things, so if anything follows or overrides this input, they’ll get
reasonable behavior.
@sellout sellout force-pushed the minimal-nix-update branch 2 times, most recently from 33cf154 to 50a09f0 October 2, 2025 01:00
The previous version of cachix/install-nix-action installed too old of a
Nix version to allow sandboxing on macOS.

This also updates the aarch64-darwin runner to `macos-15`.
@sellout sellout force-pushed the minimal-nix-update branch from 50a09f0 to a013b02 October 2, 2025 01:01
@sellout
Contributor Author

sellout commented Oct 2, 2025

@sellout sellout marked this pull request as ready for review October 2, 2025 02:44
@sellout sellout requested a review from a team as a code owner October 2, 2025 02:44
@sellout sellout requested review from aryairani and ceedubs October 2, 2025 03:26
Contributor

@ceedubs ceedubs left a comment


Per one of my comments I'm interested in whether we can work around the security issue on darwin, but if that doesn't work then I'm good with merging this as-is. Thanks!

```nix
"unison-cli:test:cli-tests" = haskell-nix-flake.checks."unison-cli:test:cli-tests".overrideAttrs (old: {
  ## On macOS, this derivation requires access to `security`, which is outside the sandbox, so we tell Nix that
  ## it doesn’t work in the sandbox.
  __noChroot = pkgs.stdenv.isDarwin;
```
Contributor


Does adding a dependency on darwin.apple_sdk.frameworks.Security instead work? I don't have a good way to test that.

Contributor Author

@sellout sellout Oct 2, 2025


It doesn’t, unfortunately. I just updated the comment to at least link to some Nixpkgs discussion. This is the same reason you have https://github.com/ceedubs/unison-nix/blob/trunk/nix/darwin-security-hack.nix (that’s also unsandboxed, but implicitly since you don’t have sandbox = "relaxed").

It might be worth bringing darwin-security-hack over here as a smaller unsandboxed derivation, where we can add more commentary, and then this can be a sandboxed one that depends on that one.

Contributor Author


Actually, I don’t think darwin-security-hack would work here. Nixpkgs has already patched the offending Haskell packages to look at the absolute path for security, so copying it to the store doesn’t do anything.

https://github.com/matthewbauer/nixpkgs/blob/master/pkgs/development/haskell-modules/configuration-nix.nix#L151-L167

```nix
extra-substituters = ["https://unison.cachix.org"];
extra-trusted-public-keys = ["unison.cachix.org-1:i1DUFkisRPVOyLp/vblDsbsObmyCviq/zs6eRuzth3k="];
## This allows derivations with `__noChroot` set to run outside the sandbox.
sandbox = "relaxed";
```
Contributor


This is a place where we aren't able to do a check that would limit this to darwin, isn't it?

Contributor Author


Yeah, NixOS/nix#4945. This spot is particularly annoying, because the defaults are different on Linux and Darwin, but there’s no way to tighten Darwin from false to "relaxed" without simultaneously weakening Linux from true to "relaxed". But … I prefer "relaxed" as my default anyway, since it lets me control it at the derivation level, and individual environments can still be sandboxed, and thus disallow unsandboxed derivations.
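
An added illustration of the trade-off discussed in this thread (example code, not from this PR or the Unison flake): a flake-level `nixConfig` that relaxes the sandbox so that only the Darwin build of a check opts out via `__noChroot`, with the per-machine knobs that keep a strict sandbox noted in comments. The package names are placeholders, and it assumes Nix's documented behaviour that `sandbox = true` refuses to build derivations that set `__noChroot`.

```nix
# flake.nix (illustrative; derivation and check names are placeholders)
{
  # Nix applies a flake's nixConfig only after the user accepts it (or has
  # `accept-flake-config = true`). "relaxed" lets derivations that set
  # `__noChroot = true` build outside the sandbox. On Linux this loosens the
  # default (`true`); on Darwin it tightens the default (`false`), which is the
  # asymmetry NixOS/nix#4945 is about.
  nixConfig.sandbox = "relaxed";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

  outputs = { self, nixpkgs }:
    let
      systems = [ "x86_64-linux" "aarch64-darwin" ];
      forAll = nixpkgs.lib.genAttrs systems;
    in {
      checks = forAll (system:
        let pkgs = nixpkgs.legacyPackages.${system}; in {
          cli-tests = pkgs.runCommand "cli-tests" {
            # Only the macOS build needs the host's `security` binary, so only
            # it leaves the sandbox; the Linux build stays sandboxed even
            # though the flake as a whole runs under "relaxed".
            __noChroot = pkgs.stdenv.isDarwin;
          } ''
            echo "cli tests would run here" > $out
          '';
        });
    };
}

# Keeping a machine strict despite this flake (settings in the user's own
# nix.conf, shown here as comments):
#   accept-flake-config = false   # never adopt a flake's nixConfig silently
#   sandbox = true                # refuse any derivation that sets __noChroot
# Under `sandbox = true` Nix errors out on the Darwin check instead of quietly
# running it unsandboxed, which is the "individual environments can still be
# sandboxed" escape hatch mentioned above.
```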

@aryairani
Contributor

I don't know enough to weigh in, so just waiting to see what you guys decide.

@ceedubs
Contributor

ceedubs commented Oct 2, 2025

Sounds good to me. Merging!

@ceedubs ceedubs merged commit 54c27eb into unisonweb:trunk Oct 2, 2025
18 checks passed