2024-04-22 Nix team meeting minutes #140

Project board: Nix team · GitHub
Video conference: Jitsi Meet
Previous notes: Nix - NixOS Discourse

Announcement: The team’s current focus is on polish in preparation for the upcoming Nixpkgs/NixOS release.


Agenda

  • Discuss how to continue with the installer

  • Sandbox bypass

  • Nixpkgs Release version

    • proposed 2.22
    • considering 2.21
    • Many changes to file structure impede backports
    • Odd to already consider 2.22 bad
  • Proposal: focus on bug fixes, bypass, and release.

    • delay current release?
      • pro: gives time to update
      • con: might not be better
      • 5 weeks is enough time
      • @ericson2314: -1
    • should be in releasable state
      • proof is in the pudding
      • testing improvements need to discover issues earlier
    • outcome
      • announce on discourse the focus on polish in preparation for the upcoming Nixpkgs/NixOS release
      • last release (2.21)

Breakout working sessions

  1. bypass (theophane + tomberek) (`fchmodat2` seccomp filter breaks sandboxed builds with glibc 2.38 · Issue #10585 · NixOS/nix · GitHub)
  2. robert
    a. nested submodules (Nix >=2.19.0 has a regression on fetchGit submodules recursive clone · Issue #10538 · NixOS/nix · GitHub)
  3. symlink + evaluator regression (eelco + john)

Discussion

  • @l-as: wants to re-do the building code
    • build/local-derivation-goal.{cc,hh}
    • time estimate: large changes against master are acceptable
    • speed up changes for after release “island of stability”
    • pros: improve understanding, long-term improvements
    • cons: bugs, visible behavior changes
    • RFC92 blocker related to goal propagation
    • ericson in favor: state machine and small funcs makes FFI approach viable
    • incremental
      • co-routine refactor
      • impacts on testing? can add unit testing
    • outcomes + goal
      • improve understanding
      • work toward WASM support
      • RFC 92 - dyn drvs + bazel-like fine-grained
      • performance
        • sync substitution
        • “fearless concurrency”
        • other sandboxing strategies, like “capsicum style” vs “container style”
      • Build capability interface · Issue #10579 · NixOS/nix · GitHub
        • turns the scheduler into a (large) unit, testable without real “builder”
        • turns the “builder” implementations into units
        • idea: remove build-remote (somewhat implied in the issue, implementation detail, but significant one)
    • time? yes, can devote time, especially if progress is made
    • questions? coordinate in “Nix Hackers”
    • mentor + codeowner: Ericson
    • 1 more thing!
      • comment: C++23 modules to improve APIs
      • interested, but need to ensure support in upstream

Triage

`fchmodat2` seccomp filter breaks sandboxed builds with glibc 2.38 · Issue #10585 · NixOS/nix · GitHub