Skip to content

Comments

Split pinentry flavours and enable udisks2 on install media again#49270

Closed
fpletz wants to merge 4 commits intoNixOS:masterfrom
mayflower:pinentry-cleanup
Closed

Split pinentry flavours and enable udisks2 on install media again#49270
fpletz wants to merge 4 commits intoNixOS:masterfrom
mayflower:pinentry-cleanup

Conversation

@fpletz
Copy link
Member

@fpletz fpletz commented Oct 27, 2018

Motivation for this change

Due to the udisks2 update in #41723 its closure size exploded and was subsequently disabled on installation media. This PR refactors the pinentry derivation to be able to split out the different flavours and adds a NixOS option to select the desired flavour with a sensible fallback depending on the configured desktop environment.

Also this disables GUI support in GnuPG by default to resolve the dependency cycle in gcr. This way we won't have two versions of GnuPG in all systems closures that include gcr (i.e. due to udisks2).

Finally, we can enable udisks2 on install mediums again.

Everything except the breaking GnuPG change can and should be backported to 18.03 imho.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@fpletz fpletz added 0.kind: enhancement Add something new or improve an existing system. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: closure size The final size of a derivation, including its dependencies 8.has: changelog This PR adds or changes release notes 8.has: clean-up This PR removes packages or removes other cruft labels Oct 27, 2018
@fpletz fpletz added this to the 19.03 milestone Oct 27, 2018
@fpletz fpletz mentioned this pull request Oct 27, 2018
8 tasks
@fpletz fpletz changed the title Split pinentry flavours and enable udisks2 on install mediums again Split pinentry flavours and enable udisks2 on install media again Oct 27, 2018
@GrahamcOfBorg GrahamcOfBorg added 6.topic: GNOME GNOME desktop environment and its underlying platform 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux. labels Oct 27, 2018
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/9fngglrik447154ij4aiz2wg47y15h6z-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
shrinking /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/ma2ns8m274f84ic9i2w2rdn0d4n04qzh-gnupg-2.2.10
/nix/store/bcm7g5xs9g4pikdjq50miiczhywq8m8r-pinentry-1.1.0

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
shrinking /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/m93misi8xklnnz6p5r231r9vyzyz9m7x-gnupg-2.2.10
/nix/store/5yb8czmnxvm8jb5x9dk8z95ah0cv2d1n-pinentry-1.1.0

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: gnupg

The following builds were skipped because they don't evaluate on x86_64-darwin: pinentry

Partial log (click to expand)

make[1]: Leaving directory '/private/tmp/nix-build-gnupg-2.2.10.drv-0/gnupg-2.2.10'
post-installation fixup
gzipping man pages under /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/share/man/
strip is /nix/store/g5r4apl0za012ffs6ladinwa5w0m1l3k-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/lib  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/libexec  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/bin  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin
patching script interpreter paths in /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/addgnupghome: interpreter directive changed from "/bin/sh" to "/nix/store/n9hba031gjky8hpjgx9fnlaxhidyzxbz-bash-4.4-p23/bin/sh"
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/applygnupgdefaults: interpreter directive changed from "/bin/sh" to "/nix/store/n9hba031gjky8hpjgx9fnlaxhidyzxbz-bash-4.4-p23/bin/sh"
moving /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/* to /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/bin
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10

This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.

NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
This reverts commit 571fb74.

The dependencay on gtk2 was removed.
@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: gnupg

The following builds were skipped because they don't evaluate on x86_64-darwin: pinentry

Partial log (click to expand)

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.


/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

stripping (with command strip and flags -S) in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3/bin
patching script interpreter paths in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3
checking for references to /build in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
shrinking /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs...
postPatchMkspecs

@dezgeg
Copy link
Contributor

dezgeg commented Oct 27, 2018

Is there an use case for having udisks2 in the installer anyway? The only user available is root and even if it weren't you'd have to use sudo anyway to run nixos-install.

Pinentry closure size drop is of course nice regardless.

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/9fngglrik447154ij4aiz2wg47y15h6z-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
shrinking /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/ma2ns8m274f84ic9i2w2rdn0d4n04qzh-gnupg-2.2.10
/nix/store/bcm7g5xs9g4pikdjq50miiczhywq8m8r-pinentry-1.1.0

info = flavourInfo.${f};
inputs = info.buildInputs or [];
flag = flavourInfo.${f}.flag or null;
inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
Copy link
Member

@jtojnar jtojnar Oct 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
inputsSatisfied = all (f: !(isNull f)) inputs;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And !(isNull f) == ! isNull f

, libgpgerror, libassuan
, ncurses, gtk2, qt
, libcap ? null, libsecret ? null, gcr ? null
, flavours ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe use enabledFlavours or something?

'';
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libgpgerror libassuan libcap libsecret ]
++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
Copy link
Member

@jtojnar jtojnar Oct 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just

Suggested change
++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
++ concatMap (f: flavourInfo.${f}.buildInputs or []) flavours;

Hopefully, there will not be multiple levels of nested lists.

ln -sf ${outputVar}/bin/${binary} ${outputVar}/bin/pinentry
''))
+ ''
ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
Copy link
Member

@jtojnar jtojnar Oct 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should not this be

Suggested change
ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
ln -sf ${"$" + head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could even use placeholder now.

pinentry binary will be passed to gpg-agent via commandline and
thus overrides the pinentry option in gpg-agent.conf in the user's
home directory.
'';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also mention the default behaviour.

@flokli
Copy link
Member

flokli commented Oct 31, 2018

@dezgeg

Is there an use case for having udisks2 in the installer anyway? The only user available is root and even if it weren't you'd have to use sudo anyway to run nixos-install.

Pinentry closure size drop is of course nice regardless.

According to @edolstra in #41723 (comment)

No, udisks should be the default on non-graphical systems, since you may still want to do things like mount USB sticks in a uniform way. We just shouldn't have insanity like depending on GTK+.


pinentry_gnome = self.pinentry.override {
qt = qt5.qtbase;
gcr = gnome3.gcr;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gcr is now part of top-level attribute set, this can be removed.


pinentry_qt5 = self.pinentry.override {
qt = qt5.qtbase;
pinentry_qt4 = pinentry.override {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not need QT4 variant. #33248

@flokli
Copy link
Member

flokli commented May 25, 2019

@fpletz can you rebase to latest master (especially #59190) and address the comments?

@worldofpeace
Copy link
Contributor

Ooh I like this feature, and definitely want this for 20.03.
Might finish this up 👍

@flokli
Copy link
Member

flokli commented Oct 13, 2019

Superseded by #71095.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

0.kind: enhancement Add something new or improve an existing system. 6.topic: closure size The final size of a derivation, including its dependencies 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: clean-up This PR removes packages or removes other cruft 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants