Diffstat (limited to 'nixpkgs/pkgs/development/libraries/flatpak')
7 files changed, 484 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/bubblewrap-paths.patch b/nixpkgs/pkgs/development/libraries/flatpak/bubblewrap-paths.patch
new file mode 100644
index 000000000000..e0b6df195893
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/bubblewrap-paths.patch
@@ -0,0 +1,15 @@
+diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
+index 9e885070..d02eeb8c 100644
+--- a/icon-validator/validate-icon.c
++++ b/icon-validator/validate-icon.c
+@@ -156,8 +156,8 @@ rerun_in_sandbox (const char *arg_width,
+ "--unshare-ipc",
+ "--unshare-net",
+ "--unshare-pid",
+- "--ro-bind", "/usr", "/usr",
+- "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
++ "--ro-bind", "@storeDir@", "@storeDir@",
++ "--ro-bind", "/run/current-system", "/run/current-system",
+ "--ro-bind", validate_icon, validate_icon,
+ NULL);
+
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/default.nix b/nixpkgs/pkgs/development/libraries/flatpak/default.nix
new file mode 100644
index 000000000000..c992a6b0dfa2
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/default.nix
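Review bot: In bubblewrap-paths.patch the added `"--ro-bind", "/run/current-system", "/run/current-system",` is a hard bind, so on a host where that path does not exist (presumably Nix installed on a non-NixOS distribution) bwrap would refuse to start and every icon validation in `rerun_in_sandbox` would fail. The `/etc/ld.so.cache` line it replaces used the tolerant form, and I would keep that here: `"--ro-bind-try", "/run/current-system", "/run/current-system",`. Binding all of `@storeDir@` read-only also gives the process that parses untrusted icons a view of every store path, which is wider than the old `/usr` bind; a short comment in the patch saying why the whole store is bound would help the next reviewer. The body of `rerun_in_sandbox` starts and ends outside the hunk.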
@@ -0,0 +1,202 @@
+{ lib, stdenv
+, fetchurl
+, autoreconfHook
+, docbook_xml_dtd_45
+, docbook-xsl-nons
+, which
+, libxml2
+, gobject-introspection
+, gtk-doc
+, intltool
+, libxslt
+, pkg-config
+, xmlto
+, appstream-glib
+, substituteAll
+, bison
+, xdg-dbus-proxy
+, p11-kit
+, bubblewrap
+, bzip2
+, dbus
+, glib
+, gpgme
+, json-glib
+, libarchive
+, libcap
+, libseccomp
+, coreutils
+, socat
+, gettext
+, hicolor-icon-theme
+, shared-mime-info
+, desktop-file-utils
+, gtk3
+, fuse
+, nixosTests
+, libsoup
+, xz
+, zstd
+, ostree
+, polkit
+, python3
+, systemd
+, xorg
+, valgrind
+, glib-networking
+, wrapGAppsNoGuiHook
+, dconf
+, gsettings-desktop-schemas
+, librsvg
+, makeWrapper
+}:
+
+stdenv.mkDerivation rec {
+ pname = "flatpak";
+ version = "1.12.7";
+
+ # TODO: split out lib once we figure out what to do with triggerdir
+ outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ];
+
+ src = fetchurl {
+ url = "https://github.com/flatpak/flatpak/releases/download/${version}/${pname}-${version}.tar.xz";
+ sha256 = "sha256-bbUqUxzieCgqx+v7mfZqC7PsyvROhkhEwslcHuW6kxY="; # Taken from https://github.com/flatpak/flatpak/releases/
+ };
+
+ patches = [
+ # Hardcode paths used by tests and change test runtime generation to use files from Nix store.
+ # https://github.com/flatpak/flatpak/issues/1460
+ (substituteAll {
+ src = ./fix-test-paths.patch;
+ inherit coreutils gettext socat gtk3;
+ smi = shared-mime-info;
+ dfu = desktop-file-utils;
+ hicolorIconTheme = hicolor-icon-theme;
+ })
+
+ # Hardcode paths used by Flatpak itself.
+ (substituteAll {
+ src = ./fix-paths.patch;
+ p11kit = "${p11-kit.bin}/bin/p11-kit";
+ })
+
+ # Adapt paths exposed to sandbox for NixOS.
+ (substituteAll {
+ src = ./bubblewrap-paths.patch;
+ inherit (builtins) storeDir;
+ })
+
+ # Allow gtk-doc to find schemas using XML_CATALOG_FILES environment variable.
+ # Patch taken from gtk-doc expression.
+ ./respect-xml-catalog-files-var.patch
+
+ # Nix environment hacks should not leak into the apps.
+ # https://github.com/NixOS/nixpkgs/issues/53441
+ ./unset-env-vars.patch
+
+ # But we want the GDK_PIXBUF_MODULE_FILE from the wrapper affect the icon validator.
+ ./validate-icon-pixbuf.patch
+ ];
+
+ nativeBuildInputs = [
+ autoreconfHook
+ libxml2
+ docbook_xml_dtd_45
+ docbook-xsl-nons
+ which
+ gobject-introspection
+ gtk-doc
+ intltool
+ libxslt
+ pkg-config
+ xmlto
+ appstream-glib
+ bison
+ wrapGAppsNoGuiHook
+ ];
+
+ buildInputs = [
+ bubblewrap
+ bzip2
+ dbus
+ dconf
+ gpgme
+ json-glib
+ libarchive
+ libcap
+ libseccomp
+ libsoup
+ xz
+ zstd
+ polkit
+ python3
+ systemd
+ xorg.libXau
+ fuse
+ gsettings-desktop-schemas
+ glib-networking
+ librsvg # for flatpak-validate-icon
+ ];
+
+ # Required by flatpak.pc
+ propagatedBuildInputs = [
+ glib
+ ostree
+ ];
+
+ checkInputs = [
+ valgrind
+ ];
+
+ # TODO: some issues with temporary files
+ doCheck = false;
+
+ NIX_LDFLAGS = "-lpthread";
+
+ enableParallelBuilding = true;
+
+ configureFlags = [
+ "--with-system-bubblewrap=${bubblewrap}/bin/bwrap"
+ "--with-system-dbus-proxy=${xdg-dbus-proxy}/bin/xdg-dbus-proxy"
+ "--with-dbus-config-dir=${placeholder "out"}/share/dbus-1/system.d"
+ "--localstatedir=/var"
+ "--enable-gtk-doc"
+ "--enable-installed-tests"
+ ];
+
+ makeFlags = [
+ "installed_testdir=${placeholder "installedTests"}/libexec/installed-tests/flatpak"
+ "installed_test_metadir=${placeholder "installedTests"}/share/installed-tests/flatpak"
+ ];
+
+ postPatch = let
+ vsc-py = python3.withPackages (pp: [
+ pp.pyparsing
+ ]);
+ in ''
+ patchShebangs buildutil
+ patchShebangs tests
+ PATH=${lib.makeBinPath [vsc-py]}:$PATH patchShebangs --build subprojects/variant-schema-compiler/variant-schema-compiler
+ '';
+
+ preFixup = ''
+ gappsWrapperArgs+=(
+ # Use flatpak from PATH in exported assets (e.g. desktop files).
+ --set FLATPAK_BINARY flatpak
+ )
+ '';
+
+ passthru = {
+ tests = {
+ installedTests = nixosTests.installed-tests.flatpak;
+ };
+ };
+
+ meta = with lib; {
+ description = "Linux application sandboxing and distribution framework";
+ homepage = "https://flatpak.org/";
+ license = licenses.lgpl21Plus;
+ maintainers = with maintainers; [ jtojnar ];
+ platforms = platforms.linux;
+ };
+}
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/fix-paths.patch b/nixpkgs/pkgs/development/libraries/flatpak/fix-paths.patch
new file mode 100644
index 000000000000..67f0d4eba71f
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/fix-paths.patch
@@ -0,0 +1,22 @@
+diff --git a/session-helper/flatpak-session-helper.c b/session-helper/flatpak-session-helper.c
+index 5dd7629e..ddc71a4c 100644
+--- a/session-helper/flatpak-session-helper.c
++++ b/session-helper/flatpak-session-helper.c
+@@ -693,7 +693,7 @@ start_p11_kit_server (const char *flatpak_dir)
+ g_auto(GStrv) stdout_lines = NULL;
+ int i;
+ char *p11_argv[] = {
+- "p11-kit", "server",
++ "@p11kit@", "server",
+ /* We explicitly request --sh here, because we then fail on earlier versions that doesn't support
+ * this flag. This is good, because those earlier versions did not properly daemonize and caused
+ * the spawn_sync to hang forever, waiting for the pipe to close.
+@@ -836,7 +836,7 @@ main (int argc,
+ exit (1);
+ }
+
+- if (g_find_program_in_path ("p11-kit"))
++ if (TRUE)
+ start_p11_kit_server (flatpak_dir);
+ else
+ g_debug ("p11-kit not found");
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/fix-test-paths.patch b/nixpkgs/pkgs/development/libraries/flatpak/fix-test-paths.patch
new file mode 100644
index 000000000000..dcba66681858
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/fix-test-paths.patch
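Review bot: In default.nix, `doCheck = false;` is explained only by `# TODO: some issues with temporary files`, so the build never runs flatpak's own test suite and the sandbox-related patches in `patches` are exercised only through `passthru.tests.installedTests`. The comment should say so and point at a tracking issue, for example `# TODO: some issues with temporary files; coverage comes from nixosTests.installed-tests.flatpak`. While the check phase is off, `valgrind` in `checkInputs` presumably has no effect.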
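Review bot: In fix-paths.patch, replacing the lookup with `if (TRUE)` in `main` leaves the `else g_debug ("p11-kit not found");` branch unreachable, and a missing or non-executable `@p11kit@` is then noticed only when the spawn in `start_p11_kit_server` fails. Pinning the absolute store path is the right call, since it takes the helper out of `PATH` resolution. The guard can keep its meaning with `if (g_file_test ("@p11kit@", G_FILE_TEST_IS_EXECUTABLE))`. Both functions continue outside the hunks shown.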
@@ -0,0 +1,205 @@
+diff --git a/app/flatpak-builtins-build-export.c b/app/flatpak-builtins-build-export.c
+index 43fd0563..4067bd36 100644
+--- a/app/flatpak-builtins-build-export.c
++++ b/app/flatpak-builtins-build-export.c
+@@ -458,7 +458,7 @@ validate_desktop_file (GFile *desktop_file,
+ subprocess = g_subprocess_new (G_SUBPROCESS_FLAGS_STDOUT_PIPE |
+ G_SUBPROCESS_FLAGS_STDERR_PIPE |
+ G_SUBPROCESS_FLAGS_STDERR_MERGE,
+- &local_error, "desktop-file-validate", path, NULL);
++ &local_error, "@dfu@/bin/desktop-file-validate", path, NULL);
+ if (!subprocess)
+ {
+ if (!g_error_matches (local_error, G_SPAWN_ERROR, G_SPAWN_ERROR_NOENT))
+diff --git a/tests/libtest.sh b/tests/libtest.sh
+index acb2095b..b361da16 100644
+--- a/tests/libtest.sh
++++ b/tests/libtest.sh
+@@ -431,7 +431,7 @@ if [ -z "${FLATPAK_BWRAP:-}" ]; then
+ # running installed-tests: assume we know what we're doing
+ _flatpak_bwrap_works=true
+ elif ! "$FLATPAK_BWRAP" --unshare-ipc --unshare-net --unshare-pid \
+- --ro-bind / / /bin/true > bwrap-result 2>&1; then
++ --ro-bind / / @coreutils@/bin/true > bwrap-result 2>&1; then
+ _flatpak_bwrap_works=false
+ else
+ _flatpak_bwrap_works=true
+@@ -504,7 +504,7 @@ dbus-daemon --fork --config-file=session.conf --print-address=3 --print-pid=4 \
+ export DBUS_SESSION_BUS_ADDRESS="$(cat dbus-session-bus-address)"
+ DBUS_SESSION_BUS_PID="$(cat dbus-session-bus-pid)"
+
+-if ! /bin/kill -0 "$DBUS_SESSION_BUS_PID"; then
++if ! @coreutils@/bin/kill -0 "$DBUS_SESSION_BUS_PID"; then
+ assert_not_reached "Failed to start dbus-daemon"
+ fi
+
+@@ -519,7 +519,7 @@ commit_to_path () {
+ }
+
+ cleanup () {
+- /bin/kill -9 $DBUS_SESSION_BUS_PID
++ @coreutils@/bin/kill -9 $DBUS_SESSION_BUS_PID
+ gpg-connect-agent --homedir "${FL_GPG_HOMEDIR}" killagent /bye || true
+ fusermount -u $XDG_RUNTIME_DIR/doc || :
+ kill $(jobs -p) &> /dev/null || true
+diff --git a/tests/make-test-app.sh b/tests/make-test-app.sh
+index 612f914f..4b890da2 100755
+--- a/tests/make-test-app.sh
++++ b/tests/make-test-app.sh
+@@ -151,13 +151,13 @@ msgid "Hello world"
+ msgstr "Hallo Welt"
+ EOF
+ mkdir -p ${DIR}/files/de/share/de/LC_MESSAGES
+-msgfmt --output-file ${DIR}/files/de/share/de/LC_MESSAGES/helloworld.mo de.po
++@gettext@/bin/msgfmt --output-file ${DIR}/files/de/share/de/LC_MESSAGES/helloworld.mo de.po
+ cat > fr.po <<EOF
+ msgid "Hello world"
+ msgstr "Bonjour le monde"
+ EOF
+ mkdir -p ${DIR}/files/fr/share/fr/LC_MESSAGES
+-msgfmt --output-file ${DIR}/files/fr/share/fr/LC_MESSAGES/helloworld.mo fr.po
++@gettext@/bin/msgfmt --output-file ${DIR}/files/fr/share/fr/LC_MESSAGES/helloworld.mo fr.po
+
+ flatpak build-finish ${DIR}
+ mkdir -p repos
+diff --git a/tests/make-test-runtime.sh b/tests/make-test-runtime.sh
+index af289625..7db51c17 100755
+--- a/tests/make-test-runtime.sh
++++ b/tests/make-test-runtime.sh
+@@ -28,9 +28,10 @@ EOF
+
+ # On Debian derivatives, /usr/sbin and /sbin aren't in ordinary users'
+ # PATHs, but ldconfig is kept in /sbin
+-PATH="$PATH:/usr/sbin:/sbin"
++PATH="$PATH:@socat@/bin:/usr/sbin:/sbin"
+
+ # Add bash and dependencies
++mkdir -p ${DIR}/nix/store
+ mkdir -p ${DIR}/usr/bin
+ mkdir -p ${DIR}/usr/lib
+ ln -s ../lib ${DIR}/usr/lib64
+@@ -40,40 +41,17 @@ if test -f /sbin/ldconfig.real; then
+ else
+ cp `which ldconfig` ${DIR}/usr/bin
+ fi
+-LIBS=`mktemp`
+-BINS=`mktemp`
+-
+-add_bin() {
+- local f=$1
+- shift
+-
+- if grep -qFe "${f}" $BINS; then
+- # Already handled
+- return 0
+- fi
+-
+- echo $f >> $BINS
+-
+- # Add library dependencies
+- (ldd "${f}" | sed "s/.* => //" | awk '{ print $1}' | grep ^/ | sort -u -o $LIBS $LIBS -) || true
+-
+- local shebang=$(sed -n '1s/^#!\([^ ]*\).*/\1/p' "${f}")
+- if [ x$shebang != x ]; then
+- add_bin "$shebang"
+- fi
+-}
+-
+ for i in $@ bash ls cat echo readlink socat; do
+- I=`which $i`
+- add_bin $I
+-done
+-for i in `cat $BINS`; do
+- #echo Adding binary $i 1>&2
+- cp "$i" ${DIR}/usr/bin/
+-done
+-for i in `cat $LIBS`; do
+- #echo Adding library $i 1>&2
+- cp "$i" ${DIR}/usr/lib/
++ I=$(readlink -f $(which $i))
++ [ -e ${DIR}/usr/bin/$i ] && continue
++ requisites=$(nix-store --query --requisites "$I")
++ for r in $requisites; do
++ # a single store item can be needed by multiple paths, no need to copy it again
++ if [ ! -e ${DIR}/$r ]; then
++ cp -r $r ${DIR}/$r
++ fi
++ done
++ ln -s $I ${DIR}/usr/bin/$i
+ done
+ ln -s bash ${DIR}/usr/bin/sh
+
+@@ -84,11 +62,13 @@ echo "Hello world, from a runtime$EXTRA"
+ EOF
+ chmod a+x ${DIR}/usr/bin/runtime_hello.sh
+
+-# We copy the C.UTF8 locale and call it en_US. Its a bit of a lie, but
+-# the real en_US locale is often not available, because its in the
+-# local archive.
+-mkdir -p ${DIR}/usr/lib/locale/
+-cp -r /usr/lib/locale/C.* ${DIR}/usr/lib/locale/en_US
++# We do not copy C.UTF8 locale because it is in locale archive and
++# that is already copied with glibc.
++
+mv ${DIR}/nix/store ${DIR}/usr/store # files outside /usr are not permitted, we will have to replace /nix/store with /usr/store
++chmod -R u+w ${DIR} # nix store has read-only directories which would cause problems during clean-up, files need to be writable for sed
++find ${DIR} -type f -print0 | xargs -0 sed -i 's~/nix/store/~/usr/store/~g' # replace hardcoded paths
++find ${DIR} -type l | xargs -I '{}' sh -c 'tg="$(readlink "$1")"; newtg="${tg#/nix/store/}"; if [ "$tg" != "$newtg" ]; then ln -fs "/usr/store/$newtg" "$1"; fi' -- '{}' # replace symlink targets
+
+ if [ x$COLLECTION_ID != x ]; then
+ collection_args=--collection-id=${COLLECTION_ID}
+diff --git a/tests/testlibrary.c b/tests/testlibrary.c
+index 509ce6cc..6a333c9c 100644
+--- a/tests/testlibrary.c
++++ b/tests/testlibrary.c
+@@ -1399,7 +1399,7 @@ check_bwrap_support (void)
+ {
+ gint exit_code = 0;
+ char *argv[] = { (char *) bwrap, "--unshare-ipc", "--unshare-net",
+- "--unshare-pid", "--ro-bind", "/", "/", "/bin/true", NULL };
++ "--unshare-pid", "--ro-bind", "/", "/", "@coreutils@/bin/true", NULL };
+ g_autofree char *argv_str = g_strjoinv (" ", argv);
+ g_test_message ("Spawning %s", argv_str);
+ g_spawn_sync (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL, &exit_code, &error);
+diff --git a/triggers/desktop-database.trigger b/triggers/desktop-database.trigger
+index 2188f535..d8283061 100755
+--- a/triggers/desktop-database.trigger
++++ b/triggers/desktop-database.trigger
+@@ -1,5 +1,5 @@
+ #!/bin/sh
+
+-if test \( -x "$(which update-desktop-database 2>/dev/null)" \) -a \( -d $1/exports/share/applications \); then
+- exec update-desktop-database -q $1/exports/share/applications
++if test \( -d $1/exports/share/applications \); then
++ exec @dfu@/bin/update-desktop-database -q $1/exports/share/applications
+ fi
+diff --git a/triggers/gtk-icon-cache.trigger b/triggers/gtk-icon-cache.trigger
+index 711cfab2..07baa2ac 100755
+--- a/triggers/gtk-icon-cache.trigger
++++ b/triggers/gtk-icon-cache.trigger
+@@ -1,10 +1,10 @@
+ #!/bin/sh
+
+-if test \( -x "$(which gtk-update-icon-cache 2>/dev/null)" \) -a \( -d $1/exports/share/icons/hicolor \); then
+- cp /usr/share/icons/hicolor/index.theme $1/exports/share/icons/hicolor/
++if test \( -d $1/exports/share/icons/hicolor \); then
++ cp @hicolorIconTheme@/share/icons/hicolor/index.theme $1/exports/share/icons/hicolor/
+ for dir in $1/exports/share/icons/*; do
+ if test -f $dir/index.theme; then
+- if ! gtk-update-icon-cache --quiet $dir; then
++ if ! @gtk3@/bin/gtk-update-icon-cache --quiet $dir; then
+ echo "Failed to run gtk-update-icon-cache for $dir"
+ exit 1
+ fi
+diff --git a/triggers/mime-database.trigger b/triggers/mime-database.trigger
+index 2067d8ec..a49a8777 100755
+--- a/triggers/mime-database.trigger
++++ b/triggers/mime-database.trigger
+@@ -1,5 +1,5 @@
+ #!/bin/sh
+
+-if test \( -x "$(which update-mime-database 2>/dev/null)" \) -a \( -d $1/exports/share/mime/packages \); then
+- exec update-mime-database $1/exports/share/mime
++if test \( -d $1/exports/share/mime/packages \); then
++ exec @smi@/bin/update-mime-database $1/exports/share/mime
+ fi
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/respect-xml-catalog-files-var.patch b/nixpkgs/pkgs/development/libraries/flatpak/respect-xml-catalog-files-var.patch
new file mode 100644
index 000000000000..4cee60be2d07
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/respect-xml-catalog-files-var.patch
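Review bot: fix-test-paths.patch is described in default.nix as `# Hardcode paths used by tests ...`, yet four of its file sections change code that ships rather than test code: `validate_desktop_file` in app/flatpak-builtins-build-export.c and the three scripts under triggers/. Those hunks would be easier to audit in fix-paths.patch ("paths used by Flatpak itself"), or the default.nix comment should at least name them. In the triggers the `-x "$(which …)"` guard is dropped, so a missing store binary now surfaces as a failed `exec` instead of a skipped trigger; that looks intended but deserves a comment. In tests/make-test-runtime.sh the symlink pass is not NUL-delimited like the line before it; `find ${DIR} -type l -print0 | xargs -0 -I '{}' sh -c …` would make the two consistent.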
@@ -0,0 +1,15 @@
+diff --git a/acinclude.m4 b/acinclude.m4
+index 92ec3985..b3fccf1d 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -40,8 +40,8 @@ AC_DEFUN([JH_CHECK_XML_CATALOG],
+ [
+ AC_REQUIRE([JH_PATH_XML_CATALOG],[JH_PATH_XML_CATALOG(,[:])])dnl
+ AC_MSG_CHECKING([for ifelse([$2],,[$1],[$2]) in XML catalog])
+- if $jh_found_xmlcatalog && \
+- AC_RUN_LOG([$XMLCATALOG --noout "$XML_CATALOG_FILE" "$1" >&2]); then
++ # empty argument forces libxml to use XML_CATALOG_FILES variable
++ if AC_RUN_LOG([$XMLCATALOG --noout "" "$1" >&2]); then
+ AC_MSG_RESULT([found])
+ ifelse([$3],,,[$3
+ ])dnl
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/unset-env-vars.patch b/nixpkgs/pkgs/development/libraries/flatpak/unset-env-vars.patch
new file mode 100644
index 000000000000..6b8017684d45
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/unset-env-vars.patch
@@ -0,0 +1,12 @@
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 146c4f87..bcdad2bc 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -1710,6 +1710,7 @@ static const ExportData default_exports[] = {
+ {"GST_PTP_HELPER", NULL},
+ {"GST_PTP_HELPER_1_0", NULL},
+ {"GST_INSTALL_PLUGINS_HELPER", NULL},
++ {"GDK_PIXBUF_MODULE_FILE", NULL},
+ };
+
+ static const ExportData no_ld_so_cache_exports[] = {
diff --git a/nixpkgs/pkgs/development/libraries/flatpak/validate-icon-pixbuf.patch b/nixpkgs/pkgs/development/libraries/flatpak/validate-icon-pixbuf.patch
new file mode 100644
index 000000000000..086114e11c30
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/flatpak/validate-icon-pixbuf.patch
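Review bot: In unset-env-vars.patch the new `{"GDK_PIXBUF_MODULE_FILE", NULL},` entry in `default_exports` carries no comment explaining why a GDK variable sits among the GStreamer helper entries, and it is the only wrapper-set variable the patch clears. The derivation uses `wrapGAppsNoGuiHook` with `glib-networking` and `gsettings-desktop-schemas` in `buildInputs`, so the wrapper presumably exports other store-path variables as well (`GIO_EXTRA_MODULES` would be the usual one). It is worth confirming which of those reach sandboxed apps and listing them here. I would add `/* set by the Nix wrapper; must not leak into the sandboxed app */` above the entry. The array starts outside the hunk.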
@@ -0,0 +1,13 @@
+diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
+index 9e885070..44fea035 100644
+--- a/icon-validator/validate-icon.c
++++ b/icon-validator/validate-icon.c
+@@ -200,6 +200,8 @@ rerun_in_sandbox (const char *arg_width,
+ add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
+ if (g_getenv ("G_MESSAGES_PREFIXED"))
+ add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
++ if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
++ add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
+
+ add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
+ g_ptr_array_add (args, NULL); |
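Review bot: The added `--setenv GDK_PIXBUF_MODULE_FILE` forwards the caller's value unchecked into the sandbox that parses untrusted icons, where it presumably decides which pixbuf loader modules get loaded. With bubblewrap-paths.patch only `@storeDir@` and `/run/current-system` are bound inside, so a value pointing anywhere else leaves the loaders cache unreadable and validation fails in a way that is hard to diagnose. A comment above the new `if`, such as `/* Nix: loaders cache set by the wrapper; the path must be visible inside the sandbox, see bubblewrap-paths.patch */`, would record that dependency between the two patches. `rerun_in_sandbox` starts and ends outside the hunk.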