Arch Linux User Repository

Ok, so I've cleaned up my helper script and uploaded it to AUR. It's now listed as a dependency for this package and does the following:

• handles setting up of build users (previously in the .install file)
• downloads binaries from nixpkgs to use in the build sandbox, lists them in nix.conf
• handles launching/enabling of nix-daemon

This should all be done automatically when this package is installed/upgraded. Hopefully this resolves all the issues people are seeing with nix-channel --update. If not, let me know.

Linking this discussion from #nixos: https://logs.nix.samueldr.com/nixos/2019-02-06#1938291

In summary, compiling nix from "outside" of nix hardcodes some paths like /usr/bin/bash, /usr/bin/mkdir, ... in the compiled binary. So in theory it could fail anywhere (however I only ever had the problem with nix-channel), and not much can be done against it apart from compiling all those tools statically and adding them to the sandbox path.

It’s quite sad actually...

@asppsa: Ok, sorry I missed that part of the discussion.

nix-channel --update doesn’t work either for me (I don’t use nix-channels), but I think it’s a global nix problem, not a packaging one: nix-channel is getting abandoned little by little and replaced with other mechanisms (I know, it’s still too present in configurations, I’m not the one making the changes :p ).

A workaround to make nix-channel work is to set sandbox = false in /etc/nix/nix.conf (and restart nix-daemon.service) while using this command, although I would recommend using that setting only for that command (and set it to true, the default since nix 2.1, for the rest of the time)

The proposed change with dash-static is for the rest of the nix commands (nix-build in particular). It is not used if you have sandbox = false. Any static sh-like could do the job but Archlinux doesn’t package any, so I had to package it myself

@immae, ok I've added editline. I'm still finding however that dash-static doesn't fix the issues with nix-channel --update.

@janat08 could you elaborate on what the issue you are seeing is? Is it the nix-channel error, or something else?

The install is unusable, and prevents a proper install with sh script. beautiful.

(Note: I’m very sorry too about the editline versus readline dependency, since readline is better built and better features than editline. But nix needs to be fixed to be usable with readline)

@asppsa: Only a /bin/sh is ever absolutely required in the sandbox, everything in nix is done for that. In my opinion, anything else should not be here and be compiled directly via nix derivations (I’m building full featured nixos-systems with only that, so I’m confident about this opinion). In any case, I think it’s not your job as a packager to provide with more than a /bin/sh by default (note that the compile-time option is overridable in /etc/nix/nix.conf, so it can be overriden if someones wants to)

The problem with readline is only apparent when you use "nix repl" (the interactive nix): the "tab" (completion) doesn’t work at all and provokes crashes, which makes the whole repl useless

@immae, is editline better than readline somehow? I hesitate to add this as a dependency, as it means an additional package for people to compile when readline is already available.

Concerning dash, I didn't quite grasp the significance of that before, but I'll look into it now. Do you have any thoughts on the other binaries that are apparently required in the sandbox (tar, xz, coreutils)?

@asppsa: I proposed a solution below to (fix readline and) use static dash for sandboxing (because busybox is not a good solution, for the reasons your gave, and it needs to be static because it will end in a sandboxed path), you may want to have a look:

https://aur.archlinux.org/packages/nix/#comment-682267