virtualbox: discover extension packs at runtime #71127
Conversation
Also, always build with pulseaudio support if we're not building headless.
flokli
force-pushed
the
virtualbox-extpack
branch
from
d825d86
to
5c71013
Compare
|
TBH, what's really gained in hardening if it's from an imperative location? Isn't that just as poor as the environment variable? |
|
I suggest to solve this using a wrapper in one of the following ways:
|
|
@worldofpeace It can still be secure if we are careful that both with and without the extension pack, the trusted wrapper always sets |
| # Checksums can also be found at https://www.virtualbox.org/download/hashes/${version}/SHA256SUMS | ||
| let value = "27a0956940654b0accf4d79692078bd496d9f062e4ed3da69e5421cba8d1e444"; | ||
| in assert (builtins.stringLength value) == 64; value; | ||
| stdenv.mkDerivation rec { |
There was a problem hiding this comment.
Can’t we keep the fetchurl here?
There was a problem hiding this comment.
IIRC, Virtualbox wants to have that $pname in VBOX_EXTPACK_DIR. We could do all the extracting and moving around in the wrapper, but…
I also like it being a proper derivation, with all the ways to modify, fixup and patch(elf) it.
On top of that, we could start supporting multiple virtualbox extension packs.
The virtualbox derivation currently also produces a $out/libexec/virtualbox/ExtensionPacks/Oracle_VBoxDTrace_Extension_Pack - I'm not sure if anybody is using that, but moving it to a separate output and adding it to the list of exposed extpacks sounds useful.
|
Those are great ideas @ambrop72 ✨ |
|
I feel stupid commenting when there are much more knowledgeable people here but I have a question about:
Isn't the location of guest additions always known (even if guest additions aren't compiled)? The I should probably shut up ... |
|
closing due to #74503. I'll keep the branch around if anybody wants to pick this up. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/virtualbox-keeps-getting-rebuilt/6612/4 |
Motivation for this change
Currently,
virtualboxwith extension pack andvirtualboxwithout extension pack need to be build separately, because it's just an argument in the same derivation leaving to a differentinstallPhase.As the extension pack is unfree (and unfree isn't built by hydra), this means users with extension pack enabled need to compile
virtualboxby themselves quite often.This changes virtualbox to load extension packs from a environment variable
VBOX_EXTPACK_DIR, so we can build virtualbox once by hydra, and let users of the extension pack just use the wrapper in front of it.See #34796 (comment) for the original idea.
However, this might not work with enabled hardening, as the environment variable will be ignored. To fix it there, we might want to hardcode
vboxExtpackDirto some imperative location changed during configuration switch, or replace the wrapper with something binary-patching the original virtualbox.This draft PR is also to get the discussion started.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @ambrop72 @xeji @cdepillabout