Add support for Brother MFC-L2700DN #25654
Conversation
| mkdir -p $out/share/cups/model | ||
|
|
||
| ln $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN $out/lib/cups/filter | ||
| ln $dir/cupswrapper/brother-MFCL2700DN-cups-en.ppd $out/share/cups/model |
There was a problem hiding this comment.
I am not quite sure, if nix handles hard-links properly. Does a symlink -s also works here?
There was a problem hiding this comment.
Nix handles hard-links properly.
| coreutils ghostscript gnugrep gnused which | ||
| ]} | ||
|
|
||
| interpreter=${stdenv.cc.libc.out}/lib/ld-linux.so.2 |
There was a problem hiding this comment.
interpreter="$(cat $NIX_CC/nix-support/dynamic-linker)"
is a little bit more portable.
There was a problem hiding this comment.
Thanks! Haven't seen that construct before.
| homepage = "http://www.brother.com/"; | ||
| license = stdenv.lib.licenses.unfree; | ||
| maintainers = [ stdenv.lib.maintainers.tv ]; | ||
| platforms = stdenv.lib.platforms.linux; |
There was a problem hiding this comment.
The binary package added is i386-specific. This should be limited here.
| name = "mfcl2700dncupswrapper-${meta.version}"; | ||
|
|
||
| src = fetchurl { | ||
| url = "http://download.brother.com/welcome/dlf102086/${name}.i386.deb"; |
There was a problem hiding this comment.
Is there also an 64-bit package available?
| homepage = "http://www.brother.com/"; | ||
| license = stdenv.lib.licenses.gpl2Plus; | ||
| maintainers = [ stdenv.lib.maintainers.tv ]; | ||
| platforms = stdenv.lib.platforms.linux; |
There was a problem hiding this comment.
same platform restriction as below.
There was a problem hiding this comment.
Despite its source archive name, mfcl2700dncupswrapper contains just generic Perl scripts and a PPD file.
| substituteInPlace $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \ | ||
| --replace /usr/bin/perl ${perl}/bin/perl \ | ||
| --replace "basedir =~" "basedir = \"$basedir\"; #" \ | ||
| --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #" |
There was a problem hiding this comment.
There is a symlink racecondition vulnerability in this wrapper code. I will make a pull request to harden cups against these kind of attacks.
printer driver and wrapper are often not written with security in mind. While reviewing NixOS#25654 I found a symlink-race vulnerability within the wrapper code, when writing unique files in /tmp. I expect this script to be reused in other models as well as similar vulnerabilities in the code of other vendors. Therefore I propose to make /tmp of cups.service private so that only processes with the same privileges are able to access these files.
|
|
||
| nativeBuildInputs = [ dpkg makeWrapper ]; | ||
|
|
||
| phases = [ "installPhase" ]; |
There was a problem hiding this comment.
@FRidh doesn't like skipping phases like this, although it's documented in the manual as a method to do things. Not sure what others think about it.
There was a problem hiding this comment.
@0xABAB the attribute phases is documented mentioning it can be used for skipping phases but I don't think its explicitly recommended to use it for skipping phases. The issue is that sometimes logic in some of the phases is needed but not executed because the phases are introduced. A common case is multiple outputs.
There was a problem hiding this comment.
So what's your suggestion here?
| --replace "basedir =~" "basedir = \"$basedir\"; #" \ | ||
| --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #" | ||
|
|
||
| wrapProgram $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \ |
There was a problem hiding this comment.
Why quote $dir here when $out isn't quoted anywhere? Only reason I could imagine is ShellCheck complaining :)
|
|
||
| nativeBuildInputs = [ dpkg makeWrapper ]; | ||
|
|
||
| phases = [ "installPhase" ]; |
| --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ | ||
| --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #" | ||
|
|
||
| wrapProgram $dir/lpd/filter_MFCL2700DN \ |
Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)