Hi everyone,
While evaluating nix package manager on my macbook work laptop, which is managed by my organization, I got notified by our security team that default-build seems to be spawning a ton of bash processes which in turn triggers our malware alarm. I’ve been mostly using nix-env to search and install packages.
Is it normal behavior?
I don’t know what default-build would be; I don’t see it in the nix or nixpkgs repos. default-builder.sh, perhaps?
I’m not sure there’s much you can do on the Nix side if the problem is that it spawns them at all. If the problem is the number concurrent, you might be able to tune max-jobs in /etc/nix/nix.conf to a number that makes them happy?
Yea essentially every derivation you build will spawn the default-builder.sh script, since that’s just how derivations work. Each one gets its own root process, which is almost always bash. Now, this only applies to derivations you build locally, since derivations fetched from binary caches are just downloaded and unpacked. But nix-env creates some trivial derivations every time you install a package, so that’s still a few per install command. Plus there are some package groups that we just don’t cache, usually because they’re trivial to build locally, so that can add anywhere from one to a ton of derivations you have to build locally, depending on what you’ve been installing (each one spawning a bash process, which may spawn other bash processes)
Apologies about misspelling of “default-builder”. Your assumption about default-builder.sh is correct though. Thank you for looking into it and for the tip!
Thanks for making sense out of this!