CS SYD - Your testing portfolio

1 Like

I’m a little bit confused to hear these two things in the same blog post:

  1. “Principle of simplicity”
  2. nix-build

My hope is that we can maybe get a seccomp-based Haskell library for controlling capabilities, similar to e.g. sydbox. But I haven’t found anything definite, except some low-level bindings: https://hackage.haskell.org/package/hsseccomp

2 Likes

While I agree nix-build is not “simple” for me, I believe the “simplicity” we’re talking about is:

Tests should be written with the least number of required capabilities.

nix-build is just the author’s chosen tool for implementing the framework.

I will use nix as an example system that you can use to minimise the provided capabilities. You can use any such system.

As I read the post, I hear: Your tests should be written with the least number of required capabilities.

I do not hear: you should use nix-build to make your tests simple.

1 Like

I read the post, that’s why I provided an alternative.

It can already be totally used to test your binaries. E.g. if you wanted to test that your binary doesn’t do network calls, you do:

syd -E LC_ALL=POSIX \
    --syd core/sandbox/read:deny \
    --syd core/sandbox/write:deny \
    --syd 'core/sandbox/network:deny' \
    --syd 'allowlist/read+/lib64/***' \
    --syd 'allowlist/write+/home/hasufell/.ghcup/***' \
    --syd 'allowlist/write+/tmp/***' \
    --syd 'core/violation/decision:killall' \
    -- ghcup --offline list

However, it would be nicer to have access to this functionality via a library, so you can:

  1. restrict your binary from doing unexpected things (e.g. you don’t trust the RTS or libraries)
  2. use this directly in your test suite

I wasn’t speaking to that as much as calling out the difference between a framework for implementation, and the focus of the “simplicity principle”.

I’m all for the pledge-style definition of capabilities, that’s great and I am not disagreeing with you.

2 Likes

Unrelated to the actual advice, I find it SO funny that this executable is called syd (because my name is Syd), and it’s about being extra annoying by reducing capabilities 😛

1 Like

I was a bit confused whether there was a connection!

1 Like