From fa4abe46e2cedfacc90c82177671a3000b229f28 Mon Sep 17 00:00:00 2001
From: Arthur Gautier
Date: Sat, 16 Oct 2021 01:39:14 +0000
Subject: [PATCH] preloadNSS: document the preload mechanism

Signed-off-by: Arthur Gautier
---
 src/libmain/shared.cc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index 5eb7871f3..b6bfea8cb 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -127,6 +127,24 @@ static void preloadNSS() {
        load its lookup libraries in the parent before any child gets a chance to. */
     std::call_once(dns_resolve_flag, []() {
 #ifdef __GLIBC__
+        /* On linux, glibc will run every lookup through the nss layer.
+         * That means every lookup goes, by default, through nscd, which acts as a local
+         * cache.
+         * Because we run builds in a sandbox, we also remove access to nscd otherwise
+         * lookups would leak into the sandbox.
+         *
+         * But now we have a new problem, we need to make sure the nss_dns backend that
+         * does the dns lookups when nscd is not available is loaded or available.
+         *
+         * We can't make it available without leaking nix's environment, so instead we'll
+         * load the backend, and configure nss so it does not try to run dns lookups
+         * through nscd.
+         *
+         * This is technically only used for builtins:fetch* functions so we only care
+         * about dns.
+         *
+         * All other platforms are unaffected.
+         */
         if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) {
             printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend"));
         }
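Review bot: The new comment names the feature `builtins:fetch*` while the existing comment a few lines above the hunk calls it `builtin:fetchurl`; the two should agree so a reader can grep for the actual caller, e.g. `* This is technically only used for the builtin:fetchurl derivation builder, so we only care`. The comment also says nss is configured "so it does not try to run dns lookups through nscd", but the only new-side code visible here is the `dlopen(LIBNSS_DNS_SO, RTLD_NOW)` call; if that configuration step lives further down in the lambda (the `std::call_once` body continues past the hunk), the comment should say where, otherwise it documents something the code does not do. Since the `dlopen` handle is deliberately never closed, a one-line note such as `* The handle is intentionally leaked: the library must stay mapped in the parent so sandboxed children inherit it.` would make that intent explicit rather than leaving it to be inferred from the warning-only failure path. Minor: "linux" should be "Linux".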