bubblejail: init at 0.9.4.1 #373790

Draft
wants to merge 3 commits into
base: master

justDeeevin
Contributor

Bubblewrap based sandboxing for desktop applications.
Fixes #253256.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@justDeeevin
Contributor Author

Marked as draft because, for some reason, the build doesn't generate any actually executable files. It does place some files in $out/bin, but the files themselves don't have the executable flag. Unsure why this is, or how I can fix it.

@igo95862

igo95862 commented Jan 14, 2025

The execute flag is set here using install_mode kwargs:

https://github.com/igo95862/bubblejail/blob/047d1b8108016e3846aafea92671f0f881845126/tools/meson.build#L46

@igo95862

Also to generate man pages you need to install scdoc before build.

@justDeeevin
Contributor Author

justDeeevin commented Jan 14, 2025

> Also to generate man pages you need to install scdoc before build.

Adding scdoc to nativeBuildInputs does cause meson to attempt to generate the man pages, but it fails :(
It's complaining that there is no jinja2 module... despite the fact that it's able to successfully use jinja2 when building the main app.
[image]

> The execute flag is set here using install_mode kwargs:

I'm a bit confused about how this would apply itself... are you saying there's a flag I need to give meson during install? Forgive me, I'm not very familiar with this build system.

@igo95862

> I'm a bit confused about how this would apply itself... are you saying there's a flag I need to give meson during install? Forgive me, I'm not very familiar with this build system.

The meson should be installing the files in the launch scripts in the rwxr-xr-x mode by default. However, now that I think of it, I am not sure how the shebang would be handled. Right now it is hardcoded as #!/usr/bin/python3.

@igo95862

> Adding scdoc to nativeBuildInputs does cause meson to attempt to generate the man pages, but it fails :(
> It's complaining that there is no jinja2 module... despite the fact that it's able to successfully use jinja2 when building the main app.

Very strange. It seems to be using the same Python between jinja2_run.py and man_generator.py.

Maybe it has something to do with nativeBuildInputs vs dependencies.

@igo95862

Also it seems like the --prefix meson option is not being passed so it installs Python modules to the /usr/local/lib/bubblejail/python-packages.

There is a bit of a hack right now in where modules are installed. Because bubblejail is packaged on AUR it does not get rebuilt when there is a Python version upgrade. This means the site-packages folder it originally installed in would no longer be used once Python is upgraded. So I made it use a {prefix}/lib/bubblejail/python-packages folder using meson default arguments. This unfortunately means there is very little control where bubblejail's modules are installed. If you want to install into the site-packages I recommend patching out these lines that set the default arguments:

https://github.com/igo95862/bubblejail/blob/047d1b8108016e3846aafea92671f0f881845126/meson.build#L6-L9

@justDeeevin
Contributor Author

> The meson should be installing the files in the launch scripts in the rwxr-xr-x mode by default.

[image]

For reference, the nix builder is running these commands, in order:

  • meson setup /build/source /build/source/.mesonpy-8gjake6s -Dbuildtype=release -Db_ndebug=if-release -Db_vscrt=md --native-file=/build/source/.mesonpy-8gjake6s/meson-python-native-file.ini
  • ninja
Full log
this derivation will be built:
  /nix/store/j0jsh9jf1nlqdgjjd7dgafsvmz2nmk84-bubblejail-0.9.4.1.drv
building '/nix/store/j0jsh9jf1nlqdgjjd7dgafsvmz2nmk84-bubblejail-0.9.4.1.drv'...
Sourcing python-remove-tests-dir-hook
Sourcing python-catch-conflicts-hook.sh
Sourcing python-remove-bin-bytecode-hook.sh
Sourcing pypa-build-hook
Using pypaBuildPhase
Sourcing python-runtime-deps-check-hook
Using pythonRuntimeDepsCheckHook
Sourcing pypa-install-hook
Using pypaInstallPhase
Sourcing python-imports-check-hook.sh
Using pythonImportsCheckPhase
Sourcing python-namespaces-hook
Sourcing python-catch-conflicts-hook.sh
Running phase: unpackPhase
unpacking source archive /nix/store/xd77pki8c04anh1krlgmdr1vzzd4vj05-source
source root is source
setting SOURCE_DATE_EPOCH to timestamp 315619200 of file source/tools/run_test_bubblejail.py
Running phase: patchPhase
applying patch /nix/store/rinp9i3k096wdl678nvwiq5byd54bjh0-scan-store.patch
patching file src/bubblejail/services.py
applying patch /nix/store/0a76vklaasn8ki4ymrc9x3ki9q93y88d-install-to-site-packages.patch
patching file meson.build
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
no configure script, doing nothing
Running phase: buildPhase
Executing pypaBuildPhase
Creating a wheel...
pypa build flags: --no-isolation --outdir dist/ --wheel
* Getting build dependencies for wheel...
* Building wheel...
+ meson setup /build/source /build/source/.mesonpy-8gjake6s -Dbuildtype=release -Db_ndebug=if-release -Db_vscrt=md --native-file=/build/source/.mesonpy-8gjake6s/meson-python-native-file.ini
The Meson build system
Version: 1.6.0
Source dir: /build/source
Build dir: /build/source/.mesonpy-8gjake6s
Build type: native build
Project name: bubblejail
Project version: 0.9.4.1
Host machine cpu family: x86_64
Host machine cpu: x86_64
Program python3 found: YES (/nix/store/c9m6yd8fg1flz2j5r4bif1ib5j20a0cy-python3-3.12.8/bin/python3.12)
Program scdoc found: NO
Program man_generator.py found: YES (/nix/store/c9m6yd8fg1flz2j5r4bif1ib5j20a0cy-python3-3.12.8/bin/python3.12 -B /build/source/docs/man_generator.py)
Program jinja2_run.py found: YES (/nix/store/c9m6yd8fg1flz2j5r4bif1ib5j20a0cy-python3-3.12.8/bin/python3.12 -B /build/source/tools/jinja2_run.py)
Build targets in project: 5

bubblejail 0.9.4.1

  User defined options
    Native files: /build/source/.mesonpy-8gjake6s/meson-python-native-file.ini
    b_ndebug    : if-release
    b_vscrt     : md
    buildtype   : release

Found ninja-1.12.1 at /nix/store/byvgvqlh007flwk940c99zfgzrjg0zsg-ninja-1.12.1/bin/ninja
+ /nix/store/byvgvqlh007flwk940c99zfgzrjg0zsg-ninja-1.12.1/bin/ninja
[3/3] Generating tools/bubblejail_gui_qt_launch with a custom command (wrapped by meson to capture output)
[31/31] /build/source/data/usr-share/bubblejail/profiles/transmission-gtk.toml
Successfully built bubblejail-0.9.4.1-py3-none-linux_x86_64.whl
Finished creating a wheel...
Finished executing pypaBuildPhase
Running phase: pythonRuntimeDepsCheckHook
Executing pythonRuntimeDepsCheck
Checking runtime dependencies for bubblejail-0.9.4.1-py3-none-linux_x86_64.whl
Finished executing pythonRuntimeDepsCheck
Running phase: installPhase
Executing pypaInstallPhase
Successfully installed bubblejail-0.9.4.1-py3-none-linux_x86_64.whl
Finished executing pypaInstallPhase
Running phase: pythonOutputDistPhase
Executing pythonOutputDistPhase
Finished executing pythonOutputDistPhase
Running phase: fixupPhase
shrinking RPATHs of ELF executables and libraries in /nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1
checking for references to /build/ in /nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1...
patching script interpreter paths in /nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1
stripping (with command strip and flags -S -p) in  /nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1/lib /nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/3az8hfwx3ihpgyixk7f9bir5fbhfy4wl-bubblejail-0.9.4.1-dist
checking for references to /build/ in /nix/store/3az8hfwx3ihpgyixk7f9bir5fbhfy4wl-bubblejail-0.9.4.1-dist...
patching script interpreter paths in /nix/store/3az8hfwx3ihpgyixk7f9bir5fbhfy4wl-bubblejail-0.9.4.1-dist
Executing pythonRemoveTestsDir
Finished executing pythonRemoveTestsDir
Running phase: installCheckPhase
no Makefile or custom installCheckPhase, doing nothing
Running phase: pythonCatchConflictsPhase
Running phase: pythonRemoveBinBytecodePhase
Running phase: pythonImportsCheckPhase
Executing pythonImportsCheckPhase
Check whether the following modules can be imported: bubblejail
/nix/store/wgknc3n39gr595s3gnq58qimb9i82n3c-bubblejail-0.9.4.1

Note that meson install is not being called, seemingly some other install method is happening. I will try to use a plain stdenv.mkDerivation call instead of makePythonApplication.

@igo95862

igo95862 commented Jan 14, 2025

> Note that meson install is not being called, seemingly some other install method is happening.

This is probably what is causing this issue. Does Nix always skip install step when installing?

> I will try to use a plain stdenv.mkDerivation call instead of makePythonApplication.

This could help. bubblejail is not a traditional Python application and is much closer to a regular meson project like systemd or mesa.

@justDeeevin
Contributor Author

> Does Nix always skip install step when installing?

I think that the meson-python build system has some strange configurations... using the default meson build system with stdenv.mkDerivation is producing a successful build! man page generation with scdoc is still failing. I'm gonna focus on the executables for now.

> However, now that I think of it, I am not sure how the shebang would be handled. Right now it is hardcoded as #!/usr/bin/python3.

This is, in fact, a problem. I'll have to patch the generated executables to use /usr/bin/env python3

@igo95862

igo95862 commented Jan 15, 2025

> I think that the meson-python build system has some strange configurations... using the default meson build system with stdenv.mkDerivation is producing a successful build!

Bubblejail is actually older than meson-python. I used to ship my own byte code compiler until meson gained that functionality.

> This is, in fact, a problem. I'll have to patch the generated executables to use /usr/bin/env python3

I originally wanted to use the /usr/bin/env python3 but the issue is I need to pass the -O flags to Python or it won't run in optimized mode and use the byte code. The GNU and FreeBSD env actually support the -S flag, which can pass multiple arguments to the command, but it does not look like busybox supports it.

You probably should also use the -S to set the proper optimization level for Python. #!/usr/bin/env -S python3 -{{ PYTHON_SHEBANG_SHORT_OPTS }}

https://github.com/igo95862/bubblejail/blob/047d1b8108016e3846aafea92671f0f881845126/templates/bubblejail_launch_base.py.jinja#L1

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nonstandard-build-procedure-for-python-app-how-to-properly-add-python-dependencies-when-using-mkderivation/58899/1

@igo95862

@justDeeevin I saw your discourse post. Can you try patching default options lines out:

https://github.com/igo95862/bubblejail/blob/047d1b8108016e3846aafea92671f0f881845126/meson.build#L7

If you remove them, Bubblejail will install Python modules into the site packages.

@igo95862

Also I wonder if the -I flag needs to be removed from the shebang.

I added it so that the unwanted Python modules would not load from current directory but it might be interfering with how NixOS adds extra sys.path.

https://github.com/igo95862/bubblejail/blob/047d1b8108016e3846aafea92671f0f881845126/tools/meson.build#L16
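
As an added illustration (not part of the thread and not bubblejail's code), this Python script shows what the -I shebang option discussed above does to sys.path: it keeps the current directory off the import path, which is the protection the flag was added for, and it also makes the interpreter ignore PYTHONPATH. The temporary directories are constructed stand-ins, and whether the Nix package depends on PYTHONPATH at runtime is an assumption.

```python
import json
import os
import subprocess
import sys
import tempfile

# The child interpreter reports its own sys.path and whether it runs isolated.
PROBE = "import json, sys; print(json.dumps([sys.path, sys.flags.isolated]))"


def probe(flags):
    """Start a child interpreter with `flags` and report what reaches its sys.path."""
    with tempfile.TemporaryDirectory() as extra, tempfile.TemporaryDirectory() as cwd:
        # `extra` is a constructed stand-in for a site-packages directory that
        # the environment supplies through PYTHONPATH (assumption).
        env = dict(os.environ, PYTHONPATH=extra)
        env.pop("PYTHONSAFEPATH", None)  # keep the non-isolated baseline predictable
        out = subprocess.run(
            [sys.executable, *flags, "-c", PROBE],
            env=env, cwd=cwd, check=True, capture_output=True, text=True,
        ).stdout
        path, isolated = json.loads(out)
        resolved = {os.path.realpath(p) for p in path if p}
        return {
            "isolated": bool(isolated),
            # With -c, an empty first entry means "import from the current directory".
            "cwd_on_path": "" in path,
            "pythonpath_honoured": os.path.realpath(extra) in resolved,
        }


if __name__ == "__main__":
    for flags in ([], ["-I"]):
        print(flags or ["(no flags)"], probe(flags))
```

If the modules are only reachable through PYTHONPATH, keeping -I requires putting their directory on sys.path some other way; dropping -I restores PYTHONPATH but also restores imports from the script's directory.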

@igo95862

igo95862 commented Jan 16, 2025

I would recommend using mkDerivation and removing the -I from shebang options.

@justDeeevin
Contributor Author

> If you remove them, Bubblejail will install Python modules into the site packages.

D'oh! I had forgotten this detail. This does indeed allow python to find the dependencies.

However, I have a new problem:
[image]
T_T

Removing the reference to PYTHON_SHEBANG_SHORT_OPTS from the base launch template doesn't have any effect. Although it does trigger an automatic patch post-build that substitutes /usr/bin/env python3 with the direct path to python3 in the nix store.

@igo95862

Can you compare the Python's sys.path vs where bubblejail is installed?

@justDeeevin
Contributor Author

justDeeevin commented Jan 16, 2025

From $PYTHONPATH:

  • /nix/store/hmyz183q278bn7avxvf00x0zjr81qqm2-python3.12-jinja2-3.1.4/lib/python3.12/site-packages
  • /nix/store/rz4mdpvx9pjdgi0qhn7bkl7qz3l34kk9-python3.12-markupsafe-3.0.2/lib/python3.12/site-packages
  • /nix/store/c9m6yd8fg1flz2j5r4bif1ib5j20a0cy-python3-3.12.8/lib/python3.12/site-packages
  • /nix/store/2b4nwr50g08b1j5c1ixbf419sjp33kdc-meson-1.6.0/lib/python3.12/site-packages
  • /nix/store/dsxf3174grniwckm2dlgmwylp9c6jdzi-python3.12-pyxdg-0.28/lib/python3.12/site-packages
  • /nix/store/vpv2ld1n1dplha1jjkwkcxpbld5xwaxq-python3.12-tomli-w-1.0.0/lib/python3.12/site-packages
  • /nix/store/an315jicdd5qg6jx5ilg6zlvw2bkblak-python3.12-pyqt6-sip-13.8.0/lib/python3.12/site-packages
  • /nix/store/dlrgnsr6hg8md1zrzm3rw1fndi3mn72m-python3.12-dbus-python-1.3.2/lib/python3.12/site-packages
  • /nix/store/g0g6j6bqpd1a1d3brsgg701nh2zrnnsy-python3.12-pyqt6-6.8.0/lib/python3.12/site-packages
  • /nix/store/n1nx0f8qj0rwr75g08iqf44n2wjb5vgg-python3.12-lxns-0.1.0/lib/python3.12/site-packages

@justDeeevin
Contributor Author

Bubblejail exists at /nix/store/nry0s0qsm474x15kzhggmck1p6fhj7lp-bubblejail-0.9.4.1/lib/python3.12/site-packages

@igo95862

So it didn't add /nix/store/nry0s0qsm474x15kzhggmck1p6fhj7lp-bubblejail-0.9.4.1/lib/python3.12/site-packages bubblejail to sys.path. Not familiar how NixOS handles the sys.path but this is clearly the source of the issues.

@justDeeevin
Contributor Author

justDeeevin commented Jan 16, 2025

*Caveat: I got the PYTHONPATH by entering a nix shell for the package, which is to say that I gave you the PYTHONPATH used at build-time. Those items aren't all necessarily what python has access to at runtime.

Nevertheless, this is almost certainly the problem. I'll see what I can do.

@justDeeevin
Contributor Author

I think I might be able to have two separate packages here: one for bubblejail's library (placed in pkgs.python3Packages.bubblejail), and one for its executables (placed in pkgs.bubblejail). This way, I can directly include the library output of bubblejail in the buildInputs of the app.

@justDeeevin
Contributor Author

T_T
[image]

Thinking that maybe I could get away with using buildPythonPackage after all...

@justDeeevin
Contributor Author

> I think I might be able to have two separate packages here

didn't work.

i'm at my wit's end.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/include-a-packages-python-library-in-the-pythonpath-of-the-packages-application/58914/1

@igo95862

Apparently there is some kind of python3.pkgs.makePythonPath which will create a PYTHONPATH environment variable with passed packages:

https://discourse.nixos.org/t/get-pythonpath-from-pkgs-python3-withpackages/6076/2
