Closed (zowoq closed this 4 months ago)
Calling `security` sounds alarming. More seriously though, do you know why it's called? I don't see an explicit call to it, neither from the Nix code base, nor hercules-ci-agent. I suspected it might be called by `sandbox-exec`, which would explain why I haven't seen this before, assuming most installations have been multi-user so far. I suppose then `cachix-agent` would only fail if it had to fall back to building something.

Regardless, this fix looks alright to me, and I'd be happy to upstream it into the agent repo as well.
> More seriously though, do you know why it's called? I don't see an explicit call to it, neither from the Nix code base, nor hercules-ci-agent.

I looked as well at first and also couldn't find it; AFAIK it is in one of the Haskell libs. https://github.com/LnL7/nix-darwin/issues/924#issuecomment-2115301197

First noticed this problem after this Haskell updates merge with the GHC 9.4 -> 9.6 bump. https://github.com/NixOS/nixpkgs/pull/279413

Also seems to be causing problems for other Haskell packages. https://github.com/NixOS/nixpkgs/issues/297775
> I looked as well at first and also couldn't find it, AFAIK it is in one of the Haskell libs. #924 (comment)

At least for cachix, I think it's coming from here: https://github.com/kazu-yamamoto/crypton-certificate/blob/a91c3f4bd8ccbbb0568f41e185a0329855a05b90/x509-system/System/X509/MacOS.hs#L22

There's an open issue for this: https://github.com/kazu-yamamoto/crypton-certificate/issues/9
hercules-ci-agent has the same problem as was reported in https://github.com/LnL7/nix-darwin/issues/924.

I had originally fixed this downstream in nix-community by wrapping `/usr/bin/security` (https://github.com/nix-community/infra/commit/5da85a9b7276f15a64052dcc820ab210d742b914) but here I've reused the same fix that was used for cachix agent.

cc @roberth
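The failure mode discussed in this thread, as an added shell check that is not part of this PR, of nix-darwin or of crypton-certificate: it stands in a constructed fake binary for `/usr/bin/security`, shows that a bare-name lookup (which is how x509-system spawns the tool) fails on a Nix-store-only service PATH, and then shows the two remedies mentioned above, extending PATH or placing a wrapper that execs the absolute path. The directory names and the fake binary's output are assumptions for the simulation.

```shell
#!/bin/sh
# Constructed simulation: a fake "security" binary stands in for /usr/bin/security,
# so this runs on any POSIX system without a macOS keychain.
SIM_DIR=$(mktemp -d)
trap 'rm -rf "$SIM_DIR"' EXIT
mkdir -p "$SIM_DIR/usr-bin" "$SIM_DIR/store-bin" "$SIM_DIR/wrapper-bin"
printf '#!/bin/sh\necho "fake security: $*"\n' > "$SIM_DIR/usr-bin/security"
chmod +x "$SIM_DIR/usr-bin/security"

# x509-system spawns the tool by bare name ("security"), so only the service's
# PATH decides whether the call succeeds. Returns 0 if it resolves, 1 otherwise.
# env -i clears the environment, as a launchd service sees no interactive PATH.
security_resolves_with_path() {
  env -i PATH="$1" /bin/sh -c 'command -v security >/dev/null 2>&1'
}

# Convenience for the failure case: returns 0 when "security" is NOT reachable.
security_missing_with_path() {
  if security_resolves_with_path "$1"; then return 1; else return 0; fi
}

# Remedy 2 from the thread: a wrapper placed on the existing PATH that execs the
# absolute path of the real tool ($2), so no PATH change is needed. $1 = wrapper dir.
make_security_wrapper() {
  printf '#!/bin/sh\nexec "%s" "$@"\n' "$2" > "$1/security"
  chmod +x "$1/security"
}

# Demo: a store-only PATH fails; extending PATH with the tool's directory
# (remedy 1) or adding the wrapper directory (remedy 2) makes the lookup succeed.
if security_missing_with_path "$SIM_DIR/store-bin"; then
  echo "store-only PATH: security not found (the bug)"
fi
if security_resolves_with_path "$SIM_DIR/store-bin:$SIM_DIR/usr-bin"; then
  echo "PATH extended with the tool's directory: found"
fi
make_security_wrapper "$SIM_DIR/wrapper-bin" "$SIM_DIR/usr-bin/security"
if security_resolves_with_path "$SIM_DIR/store-bin:$SIM_DIR/wrapper-bin"; then
  echo "wrapper on PATH: found"
fi
```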