feat: allow optionally disabling Swift sandbox#2587
feat: allow optionally disabling Swift sandbox#2587szokeasaurusrex merged 3 commits intogetsentry:masterfrom
Conversation
If `cargo` is invoked inside a sandbox on Darwin, the build will fail when it invokes `swift`. This is because `swift` builds within its own sandbox by default, but nested sandboxes are not allowed on Darwin. This is the case, for example, when building `sentry-cli` inside Homebrew. For builds that already happen inside a sandbox, allow setting an environment variable `SWIFT_DISABLE_SANDBOX` which then results in `swift` being invoked with `--disable-sandbox` to enable the build to succeed.
|
@carlocab, how are you building Sentry CLI when encountering this error? We only should be calling If you have any logs, that would be helpful to share, thanks! |
|
We just use In practice, that expands to something like in the source directory. We're not enabling/disabling any features, so it looks like |
|
Based on this Lines 113 to 115 in 270c6e3 It looks to me that |
Ah indeed, nice catch! I'll do a quick update to remove this, as at least for now, we should only compile |
|
Hey @carlocab, can you try building with Sentry CLI 2.47.1? This release removes the We still will need to fix this problem once we add the functionality currently hidden under Also, could you perhaps provide some references to explain why this change is needed/why we need to resolve it in Sentry CLI? I am not very familiar with Homebrew's build process. I am also a bit confused about why Homebrew even needs to build Sentry CLI. The Sentry CLI we release in the |
Which part would you like me to explain further? The important thing to consider is that:
Homebrew's build process was just an example of a build that happens inside a sandbox. This can affect any other user that tries to build
Probably for the same reasons why nearly every package manger here (except perhaps Scoop and winget) builds Sentry CLI from source instead of fetching a prebuilt binary: https://repology.org/project/sentry-cli/versions In homebrew-core, we build all packages from source. This allows us to make better guarantees about the provenance of binaries, and gives us more control over the packaging process (which in turn helps us better provide binaries that work well on our user's systems). |
- simplify the diff by removing unnecessary refactors - use `env::var` to get the environemtnt variable - check that the variable equals `"1"` rather than not equalling `"0"`. This matches with how we parse flag env variables elsewhere in CLI, and should work for how Homebrew builds Sentry CLI
szokeasaurusrex
left a comment
szokeasaurusrex
left a comment
There was a problem hiding this comment.
Okay, thanks for explaining @carlocab, seems reasonable
noahsmartin
left a comment
noahsmartin
left a comment
There was a problem hiding this comment.
Looks good to me thanks @carlocab !
|
Thanks both! |
3 participants
If
cargois invoked inside a sandbox on Darwin, the build will fail when it invokesswift. This is becauseswiftbuilds within its own sandbox by default, but nested sandboxes are not allowed on Darwin.This is the case, for example, when building
sentry-cliinside Homebrew.For builds that already happen inside a sandbox, allow setting an environment variable
SWIFT_DISABLE_SANDBOXwhich then results inswiftbeing invoked with--disable-sandboxto enable the build to succeed.