python3Packages.{mautrix,matrix-nio}: add withOlm flags

[emilazy]

Description of changes

An alternate approach to #336694. This has some nice properties: we don’t have to fish into dependency trees or fiddle around with hacks like overriding knownVulnerabilities, Hydra never builds libolm, but all available functionality of the library can be tested. The disabled tests and patching are what we’d have to do if we went the route of never testing Olm functionality anyway.

On the other hand, the definition of olmAllowed is kind of gross? It might be better if these packages took a configuration argument directly asking whether they’re going to be used with E2E, and set their dependencies and tests accordingly. Not sure. Putting it up here for review. I did this.

cc @AndrewKvalheim

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

Okay, I made this more normal and just added withOlm flags. This is recommended against in the Python documentation because it can result in conflicting versions, but it seems to be the only approach that lets us continue to run the encryption‐related tests when the functionality is going to be exercised without weird hacks. The result looks like an okay compromise to me now and should clear up the issues. It’s possible that I missed a package expecting the E2E functionality when adding the overrides, but I tried to be thorough. I’d appreciate it if you could take a look, @AndrewKvalheim @antifuchs.

Once this is merged and backported I’ll go ahead with #335189, as the fallout so far seems to have been minimal except for the mistake with element-desktop and these Python libraries.

Result of nixpkgs-review pr 336901 run on x86_64-linux 1

19 packages built:

• heisenbridge
• heisenbridge.dist
• home-assistant-component-tests.matrix
• python311Packages.matrix-nio
• python311Packages.matrix-nio.dist
• python311Packages.mautrix (python311Packages.mautrix-appservice)
• python311Packages.mautrix.dist (python311Packages.mautrix-appservice.dist)
• python311Packages.zulip
• python311Packages.zulip.dist
• python312Packages.matrix-nio
• python312Packages.matrix-nio.dist
• python312Packages.mautrix (python312Packages.mautrix-appservice)
• python312Packages.mautrix.dist (python312Packages.mautrix-appservice.dist)
• python312Packages.zulip
• python312Packages.zulip.dist
• visidata
• visidata.dist
• zulip-term
• zulip-term.dist

Result of nixpkgs-review pr 336901 --extra-nixpkgs-config '{ allowInsecurePredicate = x: true; }' run on x86_64-linux 1

36 packages built:

• heisenbridge
• heisenbridge.dist
• home-assistant-component-tests.matrix
• matrix-commander
• matrix-commander.dist
• maubot (python312Packages.maubot)
• maubot.dist (python312Packages.maubot.dist)
• mautrix-facebook
• mautrix-facebook.dist
• mautrix-googlechat
• mautrix-googlechat.dist
• mautrix-telegram
• mautrix-telegram.dist
• opsdroid
• opsdroid.dist
• pantalaimon
• pantalaimon-headless
• pantalaimon-headless.dist
• pantalaimon.dist
• python311Packages.matrix-nio
• python311Packages.matrix-nio.dist
• python311Packages.mautrix (python311Packages.mautrix-appservice)
• python311Packages.mautrix.dist (python311Packages.mautrix-appservice.dist)
• python311Packages.zulip
• python311Packages.zulip.dist
• python312Packages.matrix-nio
• python312Packages.matrix-nio.dist
• python312Packages.mautrix (python312Packages.mautrix-appservice)
• python312Packages.mautrix.dist (python312Packages.mautrix-appservice.dist)
• python312Packages.zulip
• python312Packages.zulip.dist
• visidata
• visidata.dist
• weechatScripts.weechat-matrix
• zulip-term
• zulip-term.dist

[Ma27]

It's a Python library, so is it really that much of an effort to allow-list it in one's nixpkgs config and build it yourself? Is the use-case to just build nio without the whitelisting?

I don't have a strong opinion on that as long as we don't ship any packages like mautrix-* w/o encryption by default, just trying to understand what we want to achieve :)

This is recommended against in the Python documentation because it can result in conflicting versions

cc @mweinelt

[SuperSandro2000]

We can turn this into a real extra

https://github.com/mautrix/python/blob/v0.20.6/setup.py#L33

[emilazy]

No, I don’t think we can. That’s how it was before, but then we can’t see within the package whether it’s enabled, so we can’t conditionalize the tests on it, so it defeats the whole point of this change.

[emilazy]

Or is the idea that the optional-dependencies would still be there but the withOlm flag would gate the tests? That would mean that downstream consumers could forget to enable it and be using untested functionality, but I guess there’s unlikely to be new ones added.

[SuperSandro2000]

and then use mautrix.optional-dependencies.encryption here

[SuperSandro2000]

Suggested change

	++ lib.optionals withOlm [
	atomicwrites
	cachetools
	python-olm
	peewee
	];
	lib.optionals withOlm optional-dependencies.e2

[SuperSandro2000]

This is recommended against in the Python documentation because it can result in conflicting versions, but it seems to be the only approach that lets us continue to run the encryption‐related tests when the functionality is going to be exercised without weird hacks.

We want to do that and it should now be catched by our hooks in case we mix things.

Also test dependencies don't mix with the normal ones so that should be even less of an issue.

[emilazy]

It's a Python library, so is it really that much of an effort to allow-list it in one's nixpkgs config and build it yourself? Is the use-case to just build nio without the whitelisting?

I don't have a strong opinion on that as long as we don't ship any packages like mautrix-* w/o encryption by default, just trying to understand what we want to achieve :)

I’m just trying to fix #336052 and the like. You shouldn’t get a security warning for the packages that already don’t use the E2E functionality and aren’t going to exercise anything from libolm.

[mweinelt]

The optional-dependencies definition must stay.

[emilazy]

I’ve pushed a change that restores the optional-dependencies but should hopefully still maintain all the desired properties; please take a look. I can also just unconditionally disable the Olm‐related tests if people would prefer to not do anything at all weird here, but it makes me a little uneasy given that Hydra is not going to flag up any issues with those configurations.

[emilazy]

Bumping this as it’s the main remaining blocker to the 24.05 libolm backport.

[Ma27]

You shouldn’t get a security warning for the packages that already don’t use the E2E functionality and aren’t going to exercise anything from libolm

Fair.
My main objectives still seem to be kept (no downgrade of defaults for bridges, no silence of security warnings when using said bridges with libolm).

---

There are two things we should probably address before merging.

[Ma27]

I don't particularly like it, but I'm fine if this gets merged.

Implementation-wise the change looks correct.

[emilazy]

I also don’t particularly like it :) But I can’t think of a better compromise and I don’t want more packages than necessary to be marked insecure by this, so merging.

[github-actions]

Backport failed for release-24.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.05
git worktree add -d .worktree/backport-336901-to-release-24.05 origin/release-24.05
cd .worktree/backport-336901-to-release-24.05
git switch --create backport-336901-to-release-24.05
git cherry-pick -x 1b07c5eb2fb21d56ab17ab33dec62101156ce799 90b75a1f393735769f0e9a2d232c02b5dc9115bc 343ad0ee4a1342ba18edcf67df4d9d46104d13dd