From 6ef8838dcf19a14c6afcd436e610105309bfe715 Mon Sep 17 00:00:00 2001 From: ibbem Date: Fri, 9 Feb 2024 22:45:33 +0100 Subject: [PATCH] CONTRIBUTING.md: Sandboxing is enabled by default on Linux The fact that sandboxing is already enabled by default is mentioned in the pull request template. Hence, it might be confusing to ask to enable sandboxing in CONTRIBUTING.md. Also follow the `one sentence per line` guideline. Co-authored-by: Silvan Mosberger --- CONTRIBUTING.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 55232e9c3a54..80cbba76a73a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -129,19 +129,17 @@ When a PR is created, it will be pre-populated with some checkboxes detailed bel #### Tested using sandboxing -When sandbox builds are enabled, Nix will setup an isolated environment for each build process. It is used to remove further hidden dependencies set by the build environment to improve reproducibility. This includes access to the network during the build outside of `fetch*` functions and files outside the Nix store. Depending on the operating system access to other resources are blocked as well (ex. inter process communication is isolated on Linux); see [sandbox](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-sandbox) in the Nix manual for details. +When sandbox builds are enabled, Nix will set up an isolated environment for each build process. +It is used to remove further hidden dependencies set by the build environment to improve reproducibility. +This includes access to the network during the build outside of `fetch*` functions and files outside the Nix store. +Depending on the operating system, access to other resources is blocked as well (e.g., inter-process communication is isolated on Linux); see [sandbox](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-sandbox) in the Nix manual for details. -Sandboxing is not enabled by default in Nix due to a small performance hit on each build. In pull requests for [nixpkgs](https://github.com/NixOS/nixpkgs/) people are asked to test builds with sandboxing enabled (see `Tested using sandboxing` in the pull request template) because in [Hydra](https://nixos.org/hydra/) sandboxing is also used. +In pull requests for [nixpkgs](https://github.com/NixOS/nixpkgs/) people are asked to test builds with sandboxing enabled (see `Tested using sandboxing` in the pull request template) because in [Hydra](https://nixos.org/hydra/) sandboxing is also used. 
-Depending if you use NixOS or other platforms you can use one of the following methods to enable sandboxing **before** building the package: +If you are on Linux, sandboxing is enabled by default. +On other platforms, sandboxing is disabled by default due to a small performance hit on each build. -- **Globally enable sandboxing on NixOS**: add the following to `configuration.nix` - - ```nix - nix.settings.sandbox = true; - ``` - -- **Globally enable sandboxing on non-NixOS platforms**: add the following to: `/etc/nix/nix.conf` +Please enable sandboxing **before** building the package by adding the following to: `/etc/nix/nix.conf`: ```ini sandbox = true
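Review bot: the added line "Please enable sandboxing **before** building the package by adding the following to: `/etc/nix/nix.conf`:" is unconditional, yet the two lines added just above it state that sandboxing is already enabled by default on Linux, so a Linux reader is told to enable something the same paragraph says is already on. Scope the instruction to the platforms where it applies, e.g. "On those platforms, enable sandboxing **before** building the package by adding the following to `/etc/nix/nix.conf`:", which also removes the stray colon after "to" (the line currently ends in "to: `/etc/nix/nix.conf`:"). If the intent is to also cover Linux users who have switched the default off, phrase it as "If sandboxing is disabled on your system, enable it before building the package by adding ..." instead. Dropping the NixOS `nix.settings.sandbox = true;` bullet is consistent with the new Linux-default statement, but the commit message should say so explicitly since the diff removes a documented configuration method rather than only rewording.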