lowdown: add flag to disable the Darwin sandbox #346945
Merged
+20
−9
Commits on Oct 7, 2024
-
lowdown: add flag to disable the Darwin sandbox
This is a program written in a memory‐unsafe language that processes potentially‐untrusted user input. We shouldn’t disable upstream’s sandboxing mechanisms for all downstream consumers without good reason. Although the sandbox API is officially marked as deprecated, it is used as the basis for the supported App Sandbox and it is extremely unlikely to ever be removed as it is used extensively throughout the OS for service hardening and by third parties like the Chrome sandbox. Nix itself uses it to sandbox builds, and its lack of support for nesting is why this caused problems in the first place. Instead, introduce a `lowdown-unsandboxed` package that can be used in the `nativeBuildInputs` of Nix builds, while keeping the sandboxed version of the program for general use. The name might not be ideal, as it remains identical to `lowdown` on non‐Darwin platforms, but I couldn’t think of a better one. See: NixOS#125004 Closes: NixOS#346933
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.