diff --git a/hosts/common/programs/geoclue2.nix b/hosts/common/programs/geoclue2.nix
index a55e9b317..fc2d7d975 100644
--- a/hosts/common/programs/geoclue2.nix
+++ b/hosts/common/programs/geoclue2.nix
@@ -33,12 +33,25 @@ in
     suggestedPrograms = [
       "avahi"  #< to discover LAN gps devices
       "geoclue-demo-agent"
-      "gps-share"
+      # "gps-share"
       "iio-sensor-proxy"
       "ols"  #< WiFi SSID -> lat/long lookups
       "satellite"  #< graphical view into GPS fix data
       "where-am-i"  #< handy debugging/testing tool
     ];
+
+    # XXX(2024/07/05): no way to plumb my sandboxed geoclue into `services.geoclue2`.
+    # then, the package doesn't get used directly anywhere. but other programs reference `packageUnwrapped`,
+    # so keep that part still.
+    sandbox.enable = false;
+    package = lib.mkForce null;
+
+    # experimental sandboxing (2024/07/05)
+    # sandbox.method = "bwrap";
+    # sandbox.whitelistDbus = [
+    #   "system"
+    # ];
+    # sandbox.net = "all";
   };
 
   # sane.programs.geoclue2.enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
diff --git a/hosts/modules/hal/pine64.nix b/hosts/modules/hal/pine64.nix
index 8b8f98a42..b93c1243d 100644
--- a/hosts/modules/hal/pine64.nix
+++ b/hosts/modules/hal/pine64.nix
@@ -283,6 +283,9 @@ in
     #   dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
     # '';
 
+    sane.programs.geoclue2.suggestedPrograms = [
+      "gps-share"
+    ];
     sane.programs.nwg-panel.config.torch = "white:flash";
     sane.programs.gps-share.config = {
       device = "/dev/ttyUSB1";