dbus: 1.14.10 → 1.16.2 #386170

Merged
adamcstephens merged 4 commits into NixOS:staging from jtojnar:dbus-1.16
Jan 19, 2026

@jtojnar
Member

@jtojnar jtojnar commented Mar 1, 2025

https://gitlab.freedesktop.org/dbus/dbus/-/compare/dbus-1.14.10...dbus-1.16.2

This includes:

  • Switch from Autotools to Meson
    • Since Meson does not support separate installFlags, we would either need to use DESTDIR, or patch the build system. I chose the latter since we want to keep the $out as close to FHS as possible to avoid confusion, and moving a subset of content of $out/etc back to $out/share would be annoying.
    • libaudit started to require libcap-ng.
    • xmlto was replaced by xsltproc.
    • Extra docs builds, disabled for now due to dependency requirements.

In the package definition:

  • Use finalAttrs.
  • Move postPatch to the bottom and outputs to the top.
  • Use --replace-fail with substitute.
  • Make getgrouplist unconditional.

Things done

  • Skimmed through upstream diff
  • Read upstream NEWS
    • If meson install is run as root, and traditional (non-systemd)
      activation is enabled, the ownership and setuid permission of
      dbus-daemon-launch-helper are not set automatically.
      This is not the same as the historical behaviour of the Autotools build
      system, which would set the ownership and permissions automatically if
      run as uid 0.
      The ownership and permissions must now be set by OS distribution packaging,
      or as a manual post-installation step if dbus is installed directly
      without going via a packaging system (which is not recommended).
      We do this in NixOS module
    • On Unix, the well-known system bus socket is in the runtime state
      directory by default (normally /run)
      (see 1.15.4 for more details)
      We symlink /var/run to /run
    • On Linux with systemd, dbus-daemon starts as the target user/group
      (retaining CAP_AUDIT_WRITE) instead of starting as root and
      dropping privileges
      Looks fine, do not see anything that could cause issues
  • Skimmed through diffs of package outputs
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.
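
The NEWS item quoted in the description above leaves the ownership and setuid permission of dbus-daemon-launch-helper to distribution packaging. The following is an added example (not part of this PR, nixpkgs or dbus) that audits an installed helper; the function name `check_launch_helper`, the default group `messagebus` and the mode policy (setuid, nothing for "other", e.g. 4750) are assumptions, and the path is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit ownership and mode of dbus-daemon-launch-helper.
# Assumed policy (not stated on this page): owner uid 0, group "messagebus",
# setuid bit set, no permission bits for "other" (e.g. mode 4750).
# usage: check_launch_helper PATH [EXPECTED_UID] [EXPECTED_GROUP]
check_launch_helper() {
    helper=$1
    want_uid=${2:-0}
    want_group=${3:-messagebus}
    rc=0

    if [ ! -f "$helper" ]; then
        echo "FAIL: $helper is not a regular file"
        return 2
    fi

    # GNU stat: numeric owner, group name, octal mode, e.g. "0 messagebus 4750"
    meta=$(stat -L -c '%u %G %a' "$helper") || return 2
    uid=${meta%% *}
    rest=${meta#* }
    group=${rest% *}
    mode=$(printf '%04o' "0${rest##* }")   # pad to four octal digits
    special=${mode%???}                     # setuid/setgid/sticky digit
    other=${mode#???}                       # permission digit for "other"

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    case $special in
        4|5|6|7) ;;
        *) echo "FAIL: setuid bit not set (mode $mode)"; rc=1 ;;
    esac
    if [ "$other" != 0 ]; then
        echo "FAIL: accessible to other users (mode $mode)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $helper uid=$uid group=$group mode=$mode"
    return "$rc"
}

# Run directly when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_launch_helper "$@"; fi
```

A non-zero exit status means the helper deviates from the assumed policy; status 2 means the file could not be inspected at all.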

@github-actions github-actions bot added 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. labels Mar 1, 2025
@github-actions github-actions bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. and removed 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. labels Mar 1, 2025
@LordGrimmauld
Contributor

Hey! What's the status on this? dbus 1.14.10 is two years out of date, with a couple of CVEs making an appearance.

@jtojnar
Member Author

jtojnar commented Mar 27, 2025

I still need to review the upstream changes. It is currently on backburner until we finish #386514

@hale

hale commented May 11, 2025

Thoughts on adding label 1.severity: security to this given the CVE?

https://nvd.nist.gov/vuln/detail/CVE-2019-12749

@LordGrimmauld
Contributor

> Thoughts on adding label 1.severity: security to this given the CVE?
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-12749

How exactly does that affect 1.14.10? It only lists vulnerable versions up to 1.13.x.

@hale

hale commented May 13, 2025

Sorry yes, you're right - was confused by DAST false positives; thanks.

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label May 17, 2025
@nixpkgs-ci nixpkgs-ci bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 10, 2025
@adamcstephens
Contributor

@jtojnar are you still working on this?

@jtojnar
Member Author

jtojnar commented Jan 15, 2026

I actually intended to pick this up last weekend but then got sidetracked. Will try to do it the upcoming weekend.

@xinyangli
Contributor

It's nice if we could get this merged into current staging. Polkit 127 update (#473068) currently in staging requires dbus 1.15.7 for the new persistent authentication feature to work. We might have to implement some checks in the polkit module to warn the users about this if dbus remains at 1.14.10 in this staging.

@nixpkgs-ci nixpkgs-ci bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 15, 2026
@jtojnar jtojnar marked this pull request as ready for review January 18, 2026 10:15
@jtojnar
Member Author

jtojnar commented Jan 18, 2026

Resolved conflicts and skimmed the upstream diff, looks okay to me but did not test it in any way other than building it.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. and removed 2.status: merge conflict This PR has merge conflicts with the target branch 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. labels Jan 18, 2026
@nixpkgs-ci nixpkgs-ci bot added 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". labels Jan 18, 2026
@adamcstephens
Contributor

adamcstephens commented Jan 18, 2026

I picked some random nixosTests that had dbus in their test definitions, but needed to apply this patch to get libjack2 to build:

𑁱 git --no-pager diff
diff --git i/pkgs/by-name/ja/jack2/package.nix w/pkgs/by-name/ja/jack2/package.nix
index 5ff5b4b47661..5f460514b1d7 100644
--- i/pkgs/by-name/ja/jack2/package.nix
+++ w/pkgs/by-name/ja/jack2/package.nix
@@ -16,6 +16,7 @@

   # Optional Dependencies
   dbus ? null,
+  expat, # for dbus
   libffado ? null,
   alsa-lib ? null,
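
Review bot: The comment on the new `expat, # for dbus` argument is ambiguous: it does not say whether expat is needed by dbus itself or by this package's own D-Bus code path. Since the second hunk adds it to this package's list under the `optDbus` guard, a comment such as `# needed when D-Bus support is enabled` would be clearer. Note also that, unlike the neighbouring `dbus ? null` arguments, `expat` has no `? null` default, which is fine as long as it is only consumed under that guard.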

@@ -66,6 +67,7 @@ stdenv.mkDerivation (finalAttrs: {
     optLibffado
     optAlsaLib
   ]
+  ++ lib.optionals (optDbus != null) [ expat ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [
     aften
   ]
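
Review bot: In the added `++ lib.optionals (optDbus != null) [ expat ]` line, the guard depends on `optDbus`, whose definition is outside the visible context; please confirm it is the same value that decides whether dbus is added to this list, so that expat is pulled in exactly when D-Bus support is built. For a single element, `lib.optional (optDbus != null) expat` is the more usual form.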

After adding that patch I was able to build these on x86_64-linux.

nix build -f . nixosTests.switchTest nixosTests.restic nixosTests.dconf nixosTests.wpa_supplicant --print-out-paths
Finished at 18:33:16 after 1m13s
/nix/store/8qamp42wqqzcr1p6x0fggjgkfzhrcxdn-vm-test-run-switch-test
/nix/store/bqasg5gygfaamxvd5v61r6k0w9bnddmp-vm-test-run-restic
/nix/store/06y75n34bmv8ww9bvvsm1pyfxv9dmwqp-vm-test-run-dconf
/nix/store/ry74zfm4y19kgcldzdpcy4h52y6qqzis-vm-test-run-wpa_supplicant-basic
/nix/store/ip13yjif88sm9bxdk57a3mrq90nd5yl1-vm-test-run-wpa_supplicant-mixed-using-sae
/nix/store/j9raiip1b9gsvqnaarxngaczj1advcwd-vm-test-run-wpa_supplicant-mixed-using-wpa2
/nix/store/zsfvfqwzlxm0gcss5kc02myglyrgmwy1-vm-test-run-wpa_supplicant-imperative
/nix/store/qd6r0mqb2n0wlcyl1rymar2dfq7727l0-vm-test-run-wpa_supplicant-sae-only
/nix/store/m1hsd78h7wsz1247xvzm7i18j7q39pyj-vm-test-run-wpa_supplicant-bssid-guard
/nix/store/6rghbiq8qw2r3iygx8p40zlri260vwi9-vm-test-run-wpa_supplicant-legacy

adamcstephens and others added 4 commits January 19, 2026 01:21

It is an explicit dependency, currently being obtained from dbus, which incorrectly propagates it.
The propagation was introduced in 7d9607f without any context.
But the library is only used by dbus-daemon so it does not make sense to propagate it.

https://gitlab.freedesktop.org/dbus/dbus/-/compare/dbus-1.14.10...dbus-1.16.2

This includes:

- Switch from Autotools to Meson
  - Since Meson does not support separate `installFlags`, we would either need to use `DESTDIR`, or patch the build system. I chose the latter since we want to keep the `$out` as close to FHS as possible to avoid confusion, and moving a subset of content of `$out/etc` back to `$out/share` would be annoying.
  - `libaudit` started to require `libcap-ng`.
  - `xmlto` was replaced by `xsltproc`.
  - Extra docs builds, disabled for now due to dependency requirements.

In the package definition:

- Use `finalAttrs`.
- Use `--replace-fail` with `substitute`.
- Make `getgrouplist` unconditional.

@jtojnar
Member Author

jtojnar commented Jan 19, 2026

Thanks, added the patch.

@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge-bot eligible This PR can be merged by commenting "@NixOS/nixpkgs-merge-bot merge". label Jan 19, 2026
@adamcstephens adamcstephens added this pull request to the merge queue Jan 19, 2026
Merged via the queue into NixOS:staging with commit 670354b Jan 19, 2026
29 of 31 checks passed
@jtojnar jtojnar deleted the dbus-1.16 branch January 19, 2026 09:45
@philiptaron
Contributor

Fixed build in #484488
