New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add derivation for the virtualbox oracle extension pack #44896
Conversation
…n pack if enabled.
I should also ping @svanderburg since he is a maintainer for VirtualBox. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this PR!
What's your opinion on adding the vbox-test.nix
file mentioned in the PR description too, so somebody doing changes can locally run these tests (or a variant of the already existing virtualbox test, but calling it with virtualboxWithExtpack
)
@@ -18864,6 +18863,12 @@ with pkgs; | |||
headless = true; | |||
}); | |||
|
|||
virtualboxExtpack = callPackage ../applications/virtualization/virtualbox/extpack.nix { }; | |||
|
|||
virtualboxWithExtpack = lowPrio (virtualbox.override { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we want to have the lowPrio
here? Just to make it more deterministic if somebody installs both virtualbox
and virtualboxWithExtpack
which one will win?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@flokli Thanks for reviewing this!
To be honest, I'm actually not sure what role lowPrio
is playing.
You can't tell because Github cuts off the all-packages.nix
file, but there are actually a couple different versions of the virtualbox derivation:
virtualbox = callPackage ../applications/virtualization/virtualbox {
stdenv = stdenv_32bit;
inherit (gnome2) libIDL;
pulseSupport = config.pulseaudio or true;
};
virtualboxHardened = lowPrio (virtualbox.override {
enableHardening = true;
});
virtualboxHeadless = lowPrio (virtualbox.override {
enableHardening = true;
headless = true;
});
I setup virtualboxWithExtpack
to use lowPrio
because that's what virtualboxHardened
and virtualboxHeadless
derivations were doing.
I'm not sure if it is "correct" to use lowPrio
here or not.
If you think that lowPrio
shouldn't be used here, definitely let me know!
I'm relatively new with NixOS. This is the first non-trivial PR I've sent recently. I've seen that there are It looks like there is a section on testing in the NixOS manual, so I'll take a look at that and then take a look at the existing VirtualBox tests. |
<important><para> | ||
You must set <literal>nixpkgs.config.allowUnfree = true</literal> in | ||
order to use this. This requires you accept the VirtualBox PUEL. | ||
</para></important> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is the license being accepted? It seems like it's possible to set config.allowUnfree = true
without having read the license. It's a blanked agreement to all unfree licenses. Usually EULA require an explicit approval (which is questionable, but that's what is happening).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One idea would be that the user has to provide the sha256 of the license as a "proof" that he read and accepted it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @zimbatm, thanks for taking a look at this PR.
How is the license being accepted?
Originally (the current state of nixpkgs), if you enable virtualization.virtualbox.host.enableExtensionPack
, nix-build
will fail and you are presented with a message telling you to read the PUEL and asking you to download the download the Oracle Extension Pack directly by using nix-prefetch-url
.
This PR changes it so that the license is accepted and the Extension Pack will be downloaded during nix-build
if you set both config.allowUnfree = true
and virtualization.virtualbox.host.enableExtensionPack = true
.
One idea would be that the user has to provide the sha256 of the license as a "proof" that he read and accepted it
As I said in the original issue, I don't know the legal ramifications of setting it up to work one way vs another way.
However, I'm not sure I understand the reasoning for handling the PUEL as a somewhat special case, and requiring the end user to do something like provide a sha256
of the license.
I took a look at another random non-free license, and it seems to have similar wording to the PUEL. Here is the Elastic License, which is used in the non-free version of kibana, logstash, etc:
https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt
Here is the PUEL for comparison:
https://www.virtualbox.org/wiki/VirtualBox_PUEL
Here is the page that allows you download the Extension Pack and links to the above license:
https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt
With that said, if everyone agrees that the PUEL is special in this regard, and we should do something like require the user to provide a sha256 of the license text, then I would be happy to change this PR to do that!
My main goal is to get rid of the manual steps in installing Virtualbox with the Extension Pack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a quick follow up, in the original issue, someone said that the license situation in nixpkgs would be much better if it worked like in Gentoo, where you could directly specify a list of licenses you accept.
This would all the end-user to, for instance, accept the PUEL and not accept the Elastic License.
I think this would probably be a better design, but unfortunately nixpkgs is not set up that way. Currently setting allowUnfree = true
implies acceptance of all the unfree licenses. I think that the PUEL should also be accepted by setting allowUnfree = true
, just like all the other unfree licenses.
Ideally, at some point in time, it would be changed to the more granular approach of Gentoo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay so this is complementary. pkgs/stdenv/generic/check-meta.nix
there is a allowUnfreePredicate
that would allow to build a list of authorized licenses.
I think the issue is around the notion of explicit consent, a user should not be able to use software on which he hasn't agreed on the license. allowUnfree = true
is quite a low bar to say "Yes I have read and understand all the unfree license and I agree with all of them".
But like you say the mechanism is like that currently, it's independent and shouldn't hold back this PR.
In commit 2ae9907 I've added a test to make sure that the VirtualBox Extension Pack is successfully installed and can be used. This test can be run like the following: $ cd nixpkgs/nixos/tests/
$ nix-build virtualbox.nix -A enable-extension-pack You can run all the virtualbox tests like the following: $ nix-build virtualbox.nix |
This PR had a few conflicts with master. They have been fixed in commit e04e92d. Unless anyone else notices anything that can be majorly improved, I think this PR should be ready to be merged as-is. It would be great to get it merged in time for 18.09. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
@cdepillabout, @zimbatm: From the PUEL:
IANAL, but I think the PUEL is pretty clear about that, so I think we should not re-distribute the extension pack. Unfortunately since this adds a test with the extension pack activated, we now do exactly that: $ nix path-info --store https://cache.nixos.org/ --json /nix/store/6f470485gpl6ri8kv7dzii7nyngxk40d-Oracle_VM_VirtualBox_Extension_Pack-5.2.14-123301.vbox-extpack | jq
[
{
"path": "/nix/store/6f470485gpl6ri8kv7dzii7nyngxk40d-Oracle_VM_VirtualBox_Extension_Pack-5.2.14-123301.vbox-extpack",
"narHash": "sha256:03js53j30ddpfy1l7cg0qyr0iwnmmxv1qcjdnsrgyrf25javmxfw",
"narSize": 19589328,
"references": [],
"deriver": "/nix/store/3l4m8vjmf6rqjvzknxvn4lradjjlfdsm-Oracle_VM_VirtualBox_Extension_Pack-5.2.14-123301.vbox-extpack.drv",
"signatures": [
"cache.nixos.org-1:JW0RhCmX5Jn8/Zq5BAByVjXqMnyADKSLuPyeO9wPjtDvDIBIGlguijePcmDJzqcFPvBWqFIPxa2RNcB53nW5Bw=="
],
"url": "nar/1px2nyzd47x3hwc6z43ir3xvv2xhjc0saiw2ziyznbprs63zj7zs.nar.xz",
"downloadHash": "sha256:1px2nyzd47x3hwc6z43ir3xvv2xhjc0saiw2ziyznbprs63zj7zs",
"downloadSize": 19240484
}
] |
@aszlig Thanks for bringing this up. I didn't realize that adding a test with the extension pack would effectively add it to cache.nixos.org. Do you know of any way to keep the test (since it is generally useful), but make sure the extension pack is not cached on cache.nixos.org? Is there maybe some way to set the test as "do not run on cache.nixos.org"? It looks like there are other tests in nixos/tests that use code with a similar warning in the license. Specifically, the elk.nix code: Lines 1 to 7 in 7e0d2e9
Lines 103 to 113 in 7e0d2e9
If you specify https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt However, it looks like Maybe the virtualbox tests should be changed to work like this as well? (Also, this is only tangentially related, but I couldn't find an explanation of what the |
Hmm, the extpack test is now integrated inside the virtualbox vm tests, part of However, from my understanding, unfree derivations should not be evaluated on hydra (and for that reason not land in cache.nixos.org) - instead I'd have guessed this would have blocked channel advancement - not sure what went wrong here… We need to make sure this test gets skipped via hydra, either by putting it into a separate file not included from release.nix, or figuring out how to make hydra skip that specific test. |
good point @aszlig. @cdepillabout can you make another PR that disables the test if allowUnfree is turned off? |
I wonder why the NixOS tests will build tests with nonfree dependencies -- that seems like the real bug here. |
@grahamc: It won't, that's why this PR added nixpkgs.config.allowUnfree. |
@grahamc This PR is adding a derivation that will only compile if As I understand it, it seems like there are two problems:
|
I've created a PR to fix this issue: #45415 |
Motivation for this change
This PR implements the first stage of the plan laid out by @flokli for managing the VirtualBox Oracle Extension Pack as a separate derivation:
#34796 (comment)
Currently, the VirtualBox Oracle Extension Pack needs to be downloaded directly by the end-user with the command
nix-prefetch-url
. Thevirtualbox
derivation takes a booleanenableExtensionPack
flag that the user needs to set.This PR makes the following changes/additions:
free = false
. This means that only uses that haveconfig.allowUnfree = true
will be able to use it.all-packages.nix
file as an attribute calledvirtualboxExtpack
.virtualbox
derivation so that instead of taking in a boolean flag calledenableExtensionPack
, it instead just takes a derivation it callsextensionPack
. When specified, this will normally just be the top-levelvirtualboxExtpack
.virtualbox-host
module to enable the extension pack whenvirtualisation.virtualbox.host.enableExtensionPack
is set totrue
. This of course won't work unlessallowUnfree
is set totrue
.Note that as explained in #34796, the end-user will still have to compile VirtualBox on their own machine. However, they will NOT have to download the Oracle Extension Pack by hand. I see this as an improvement.
This PR lays the ground-work for future improvements around VirtualBox and the Oracle Extension Pack.
Here is a NixOps file that can be used to test this change:
And the corresponding
vbox-test.nix
file:Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)