Merge pull request #148257 from zseri/opt-disable-avahi-geoclue

2024-11-16 14:54:29 +01:00 · 2022-02-25 13:00:05 +01:00 · 2022-02-25 13:00:05 +01:00 · 035c360136
commit 035c360136
parent 296904d828 a7dade7b31
11 changed files with 144 additions and 51 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@ -939,6 +939,16 @@
          <literal>true</literal>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The <literal>element-desktop</literal> package now has an
+          <literal>useKeytar</literal> option (defaults to
+          <literal>true</literal>), which allows disabling
+          <literal>keytar</literal> and in turn
+          <literal>libsecret</literal> usage (which binds to native
+          credential managers / keychain libraries).
+        </para>
+      </listitem>
      <listitem>
        <para>
          The option <literal>services.thelounge.plugins</literal> has
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@ -313,6 +313,10 @@ In addition to numerous new and upgraded packages, this release has the followin
  using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
  is set to `true`.

+- The `element-desktop` package now has an `useKeytar` option (defaults to `true`),
+  which allows disabling `keytar` and in turn `libsecret` usage
+  (which binds to native credential managers / keychain libraries).
+
 - The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`.

 - The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`.
--- a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
+++ b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
@ -13,12 +13,15 @@
 , AppKit
 , CoreServices
 , desktopToDarwinBundle
+, useKeytar ? true
 }:

 let
  pinData = lib.importJSON ./pin.json;
  executableName = "element-desktop";
  electron_exec = if stdenv.isDarwin then "${electron}/Applications/Electron.app/Contents/MacOS/Electron" else "${electron}/bin/electron";
+  keytar = callPackage ./keytar { inherit Security AppKit; };
+  seshat = callPackage ./seshat { inherit CoreServices; };
 in
 mkYarnPackage rec {
  pname = "element-desktop";
@ -39,8 +42,7 @@ mkYarnPackage rec {

  nativeBuildInputs = [ makeWrapper ] ++ lib.optionals stdenv.isDarwin [ desktopToDarwinBundle ];

-  seshat = callPackage ./seshat { inherit CoreServices; };
-  keytar = callPackage ./keytar { inherit Security AppKit; };
+  inherit seshat;

  buildPhase = ''
    runHook preBuild
@ -51,12 +53,14 @@ mkYarnPackage rec {
    node ./scripts/copy-res.js
    popd
    rm -rf node_modules/matrix-seshat node_modules/keytar
-    ln -s $keytar node_modules/keytar
+    ${lib.optionalString useKeytar "ln -s ${keytar} node_modules/keytar"}
    ln -s $seshat node_modules/matrix-seshat
    runHook postBuild
  '';

  installPhase = ''
+    runHook preInstall
+
    # resources
    mkdir -p "$out/share/element"
    ln -s '${element-web}' "$out/share/element/webapp"
@ -83,6 +87,8 @@ mkYarnPackage rec {
      --set LD_PRELOAD ${sqlcipher}/lib/libsqlcipher.so \
      --add-flags "$out/share/element/electron" \
      --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform --ozone-platform=wayland}}"
+
+    runHook postInstall
  '';

  # Do not attempt generating a tarball for element-web again.
@ -107,7 +113,20 @@ mkYarnPackage rec {
    '';
  };

-  passthru.updateScript = ./update.sh;
+  passthru = {
+    updateScript = ./update.sh;
+
+    # TL;DR: keytar is optional while seshat isn't.
+    #
+    # This prevents building keytar when `useKeytar` is set to `false`, because
+    # if libsecret is unavailable (e.g. set to `null` or fails to build), then
+    # this package wouldn't even considered for building because
+    # "one of the dependencies failed to build",
+    # although the dependency wouldn't even be used.
+    #
+    # It needs to be `passthru` anyways because other packages do depend on it.
+    inherit keytar;
+  };

  meta = with lib; {
    description = "A feature-rich client for Matrix.org";
--- a/pkgs/applications/networking/instant-messengers/element/keytar/default.nix
+++ b/pkgs/applications/networking/instant-messengers/element/keytar/default.nix
@ -28,6 +28,7 @@ in stdenv.mkDerivation rec {
  };

  buildPhase = ''
+    runHook preBuild
    cp ${./yarn.lock} ./yarn.lock
    chmod u+w . ./yarn.lock
    export HOME=$PWD/tmp
@ -37,16 +38,19 @@ in stdenv.mkDerivation rec {
    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
    patchShebangs node_modules/
    node_modules/.bin/node-gyp rebuild
+    runHook postBuild
  '';

  doCheck = false;

  installPhase = ''
+    runHook preInstall
    shopt -s extglob
    rm -rf node_modules
    rm -rf $HOME
    mkdir -p $out
    cp -r ./!(build) $out
    install -D -t $out/build/Release build/Release/keytar.node
+    runHook postInstall
  '';
 }
--- a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
@ -27,6 +27,7 @@ in rustPlatform.buildRustPackage rec {
  };

  buildPhase = ''
+    runHook preBuild
    cd ..
    chmod u+w . ./yarn.lock
    export HOME=$PWD/tmp
@ -36,16 +37,18 @@ in rustPlatform.buildRustPackage rec {
    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
    patchShebangs node_modules/
    node_modules/.bin/neon build --release
+    runHook postBuild
  '';

  doCheck = false;

  installPhase = ''
+    runHook preInstall
    shopt -s extglob
    rm -rf native/!(index.node)
-    rm -rf node_modules
-    rm -rf $HOME
+    rm -rf node_modules $HOME
    cp -r . $out
+    runHook postInstall
  '';

  cargoSha256 = pinData.cargoHash;
--- a/pkgs/applications/networking/remote/remmina/default.nix
+++ b/pkgs/applications/networking/remote/remmina/default.nix
@ -7,6 +7,7 @@
 , openssl, gsettings-desktop-schemas, json-glib, libsodium, webkitgtk, harfbuzz
 # The themes here are soft dependencies; only icons are missing without them.
 , gnome
+, withLibsecret ? true
 }:

 with lib;
@ -29,15 +30,16 @@ stdenv.mkDerivation rec {
    freerdp libssh libgcrypt gnutls
    pcre2 libdbusmenu-gtk3 libappindicator-gtk3
    libvncserver libpthreadstubs libXdmcp libxkbcommon
-    libsecret libsoup spice-protocol spice-gtk libepoxy at-spi2-core
+    libsoup spice-protocol spice-gtk libepoxy at-spi2-core
    openssl gnome.adwaita-icon-theme json-glib libsodium webkitgtk
    harfbuzz
-  ];
+  ] ++ optionals withLibsecret [ libsecret ];

  cmakeFlags = [
    "-DWITH_VTE=OFF"
    "-DWITH_TELEPATHY=OFF"
    "-DWITH_AVAHI=OFF"
+    "-DWITH_LIBSECRET=${if withLibsecret then "ON" else "OFF"}"
    "-DFREERDP_LIBRARY=${freerdp}/lib/libfreerdp2.so"
    "-DFREERDP_CLIENT_LIBRARY=${freerdp}/lib/libfreerdp-client2.so"
    "-DFREERDP_WINPR_LIBRARY=${freerdp}/lib/libwinpr2.so"
--- a/pkgs/desktops/gnome/core/evince/default.nix
+++ b/pkgs/desktops/gnome/core/evince/default.nix
@ -44,6 +44,7 @@
 , libgxps
 , supportXPS ? true # Open XML Paper Specification via libgxps
 , withPantheon ? false
+, withLibsecret ? true
 }:

 stdenv.mkDerivation rec {
@ -103,13 +104,14 @@ stdenv.mkDerivation rec {
    libarchive
    libhandy
    librsvg
-    libsecret
    libspectre
    libxml2
    pango
    poppler
    t1lib
    texlive.bin.core # kpathsea for DVI support
+  ] ++ lib.optionals withLibsecret [
+    libsecret
  ] ++ lib.optionals supportXPS [
    libgxps
  ] ++ lib.optionals supportMultimedia (with gst_all_1; [
@ -126,6 +128,8 @@ stdenv.mkDerivation rec {
  mesonFlags = [
    "-Dnautilus=false"
    "-Dps=enabled"
+  ] ++ lib.optionals (!withLibsecret) [
+    "-Dkeyring=disabled"
  ];

  NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
--- a/pkgs/development/libraries/gvfs/default.nix
+++ b/pkgs/development/libraries/gvfs/default.nix
@ -108,6 +108,8 @@ stdenv.mkDerivation rec {
    "-Dkeyring=false"
    "-Dhttp=false"
    "-Dgoogle=false"
+  ] ++ lib.optionals (avahi == null) [
+    "-Ddnssd=false"
  ] ++ lib.optionals (samba == null) [
    # Xfce don't want samba
    "-Dsmb=false"
--- a/pkgs/development/libraries/webkitgtk/default.nix
+++ b/pkgs/development/libraries/webkitgtk/default.nix
@ -1,4 +1,5 @@
-{ lib, stdenv
+{ lib
+, stdenv
 , runCommand
 , fetchurl
 , perl
@ -44,7 +45,6 @@
 , lcms2
 , libmanette
 , openjpeg
-, enableGeoLocation ? true
 , geoclue2
 , sqlite
 , enableGLES ? true
@ -58,10 +58,10 @@
 , substituteAll
 , glib
 , addOpenGLRunpath
+, enableGeoLocation ? true
+, withLibsecret ? true
 }:

-assert enableGeoLocation -> geoclue2 != null;
-
 stdenv.mkDerivation rec {
  pname = "webkitgtk";
  version = "2.34.6";
@ -125,12 +125,8 @@ stdenv.mkDerivation rec {
    libidn
    libintl
    lcms2
-  ] ++ lib.optionals stdenv.isLinux [
-    libmanette
-  ] ++ [
    libnotify
    libpthreadstubs
-    libsecret
    libtasn1
    libwebp
    libxkbcommon
@ -155,28 +151,36 @@ stdenv.mkDerivation rec {
    # (We pick just that one because using the other headers from `sdk` is not
    # compatible with our C++ standard library. This header is already in
    # the standard library on aarch64)
-    runCommand "${pname}_headers" {} ''
+    runCommand "${pname}_headers" { } ''
      install -Dm444 "${lib.getDev apple_sdk.sdk}"/include/libproc.h "$out"/include/libproc.h
    ''
  ) ++ lib.optionals stdenv.isLinux [
    bubblewrap
    libseccomp
+    libmanette
    systemd
    wayland
    xdg-dbus-proxy
-  ] ++ lib.optional enableGeoLocation geoclue2;
+  ] ++ lib.optionals enableGeoLocation [
+    geoclue2
+  ] ++ lib.optionals withLibsecret [
+    libsecret
+  ];

  propagatedBuildInputs = [
    gtk3
    libsoup
  ];

-  cmakeFlags = [
+  cmakeFlags = let
+    cmakeBool = x: if x then "ON" else "OFF";
+  in [
    "-DENABLE_INTROSPECTION=ON"
    "-DPORT=GTK"
    "-DUSE_LIBHYPHEN=OFF"
    "-DUSE_WPE_RENDERER=OFF"
-    "-DUSE_SOUP2=${if lib.versions.major libsoup.version == "2" then "ON" else "OFF"}"
+    "-DUSE_SOUP2=${cmakeBool (lib.versions.major libsoup.version == "2")}"
+    "-DUSE_LIBSECRET=${cmakeBool withLibsecret}"
  ] ++ lib.optionals stdenv.isDarwin [
    "-DENABLE_GAMEPAD=OFF"
    "-DENABLE_GTKDOC=OFF"
@ -191,7 +195,9 @@ stdenv.mkDerivation rec {
    "-DUSE_SYSTEM_MALLOC=ON"
  ] ++ lib.optionals (!stdenv.isLinux) [
    "-DUSE_SYSTEMD=OFF"
-  ] ++ lib.optional (stdenv.isLinux && enableGLES) "-DENABLE_GLES2=ON";
+  ] ++ lib.optionals (stdenv.isLinux && enableGLES) [
+    "-DENABLE_GLES2=ON"
+  ];

  postPatch = ''
    patchShebangs .
--- a/pkgs/development/libraries/xdg-desktop-portal/default.nix
+++ b/pkgs/development/libraries/xdg-desktop-portal/default.nix
@ -1,22 +1,24 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, nixosTests
-, substituteAll
-, autoreconfHook
-, pkg-config
-, libxml2
-, glib
-, pipewire
-, flatpak
-, gsettings-desktop-schemas
+{ lib
 , acl
+, autoreconfHook
 , dbus
+, fetchFromGitHub
+, fetchpatch
+, flatpak
 , fuse
-, libportal
 , geoclue2
+, glib
+, gsettings-desktop-schemas
 , json-glib
+, libportal
+, libxml2
+, nixosTests
+, pipewire
+, pkg-config
+, stdenv
+, substituteAll
 , wrapGAppsHook
+, enableGeoLocation ? true
 }:

 stdenv.mkDerivation rec {
@ -42,26 +44,29 @@ stdenv.mkDerivation rec {

  nativeBuildInputs = [
    autoreconfHook
-    pkg-config
    libxml2
+    pkg-config
    wrapGAppsHook
  ];

  buildInputs = [
-    glib
-    pipewire
-    flatpak
    acl
    dbus
-    geoclue2
+    flatpak
    fuse
-    libportal
+    glib
    gsettings-desktop-schemas
    json-glib
+    libportal
+    pipewire
+  ] ++ lib.optionals enableGeoLocation [
+    geoclue2
  ];

  configureFlags = [
    "--enable-installed-tests"
+  ] ++ lib.optionals (!enableGeoLocation) [
+    "--disable-geoclue"
  ];

  makeFlags = [
--- a/pkgs/misc/cups/filters.nix
+++ b/pkgs/misc/cups/filters.nix
@ -1,13 +1,37 @@
-{ lib, stdenv, fetchurl, pkg-config, cups, poppler, poppler_utils, fontconfig
-, libjpeg, libpng, perl, ijs, qpdf, dbus, avahi
-, makeWrapper, coreutils, gnused, bc, gawk, gnugrep, which, ghostscript
-, mupdf, dejavu_fonts, liblouis
+{ lib
+, avahi
+, bc
+, coreutils
+, cups
+, dbus
+, dejavu_fonts
+, fetchurl
+, fontconfig
+, gawk
+, ghostscript
+, gnugrep
+, gnused
+, ijs
+, libjpeg
+, liblouis
+, libpng
+, makeWrapper
+, mupdf
+, perl
+, pkg-config
+, poppler
+, poppler_utils
+, qpdf
+, stdenv
+, which
+, withAvahi ? true
 }:

 let
-  binPath = lib.makeBinPath [ coreutils gnused bc gawk gnugrep which ];
+  binPath = lib.makeBinPath [ bc coreutils gawk gnused gnugrep which ];

-in stdenv.mkDerivation rec {
+in
+stdenv.mkDerivation rec {
  pname = "cups-filters";
  version = "1.28.11";

@ -19,10 +43,20 @@ in stdenv.mkDerivation rec {
  nativeBuildInputs = [ pkg-config makeWrapper ];

  buildInputs = [
-    cups poppler poppler_utils fontconfig libjpeg libpng perl
-    ijs qpdf dbus avahi ghostscript mupdf
+    cups
+    dbus
+    fontconfig
+    ghostscript
+    ijs
+    libjpeg
    liblouis # braille embosser support
-  ];
+    libpng
+    mupdf
+    perl
+    poppler
+    poppler_utils
+    qpdf
+  ] ++ lib.optionals withAvahi [ avahi ];

  configureFlags = [
    "--with-mutool-path=${mupdf}/bin/mutool"
@ -37,7 +71,7 @@ in stdenv.mkDerivation rec {
    "--with-test-font-path=${dejavu_fonts}/share/fonts/truetype/DejaVuSans.ttf"
    "--localstatedir=/var"
    "--sysconfdir=/etc"
-  ];
+  ] ++ lib.optionals (!withAvahi) [ "--disable-avahi" ];

  makeFlags = [ "CUPS_SERVERBIN=$(out)/lib/cups" "CUPS_DATADIR=$(out)/share/cups" "CUPS_SERVERROOT=$(out)/etc/cups" ];