globalprotect-openconnect_2: init at 2.3.9

[m1dugh]

The version 2 of globalprotect-openconnect

The package already exists in the registry, however, the version adds considerable breaking changes including
api keys for the frontend.

Things done

• Built on platform(s)

  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin

• Tested, as applicable:

  • x86_64-linux
  • aarch64-linux

• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage

• Tested basic functionality of all binary files (usually in ./result/bin/)

• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)

  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module

• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to [pull requests you find important].

[m1dugh]

Result of nixpkgs-review pr 350777 run on x86_64-linux 1

[m1dugh]

Result of nixpkgs-review pr 350777 run on x86_64-linux 1

[m1dugh]

@tomodachi94 If ever you have time to check out this pr ❤️

[tomodachi94]

I'll take a look in a little bit ❤️ thanks for the ping. Another good reviewer would be the maintainer of the regular (globalprotect-openconnect) package, if it exists.

[jerith666]

At first glance this looks like a partial duplicate of #316526 by @Binary-Eater, though that work didn't attempt to package the GUI.

Not sure whether it makes sense to try using this packaging of the GUI with the existing packaging of gpauth & gpclient, or if this packaging of everything is more self-consistent.

I haven't tried this locally yet but will try to find time for that soon.

[m1dugh]

Turns out the gui cannot be compiled with rust as the sources are not available on the github.
Only the binary is available.

[m1dugh]

I feel like, if the gui is used, it makes sense to have all the binaries in one package since gpclient relies on the rest of the binaries to work properly with the gui:

• gpclient calls gpservice
• which calls gpgui in turn
• and so on

[m1dugh]

@wegank The whole package is released under GPL3.0 license I guess 🤔 ? Maybe we could merge your changes from #316526 into the same package, however, removing the original package is harsh for people using the gui without willing to pay for the license I feel .

[Binary-Eater]

The license for the GUI component is not GPLv3 while the rest of the components are. That messiness is main reason why I avoided touching the GUI in packaging work for v2. Since v1 is unmaintained, I did not feel comfortable persisting it.

[Binary-Eater]

That said, I would be more keen on bringing back the v1 globalprotect-openconnect as a separate package than dealing with the proprietary licensed and paidware gui for v2.

[m1dugh]

Maybe we can change the license of the v2 full package to unfree, whilst keeping your packaged version of gpclient and gpauth as gpl3 packages, but I feel like the gui is a nice add to the packages and it requires gpservice which is unpackaged as of now.

[Binary-Eater]

The new changes do not work since the copied desktop entry will need to be patched using substituteInPlace.

❯ sudo -E gpclient connect --default-browser XXXX
Place your right index finger on the fingerprint reader
Failed to match fingerprint
Place your right index finger on the fingerprint reader
[2024-11-13T20:32:26Z INFO  gpclient::cli] gpclient started: 2.3.9 (2024-11-13)
[2024-11-13T20:32:26Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-11-13T20:32:26Z INFO  gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect
[2024-11-13T20:32:28Z INFO  gpauth::cli] gpauth started: 2.3.9 (2024-11-13)
[2024-11-13T20:32:28Z INFO  gpapi::process::browser_authenticator] Launching the default browser...
[2024-11-13T20:32:28Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-11-13T20:32:28Z INFO  gpauth::cli] Listening authentication data on port 36861
[2024-11-13T20:32:28Z INFO  gpauth::cli] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
# Hangs here

[m1dugh]

Turns out there is a bug running the gui with webkitgtk version 2.46.3+abi=4.0 which causes the application to crash. This is caused by webkitgtk lib only. To fix it, one needs to override the webkitgtk version to 2.44.3+abi=4.0 which is the current version in nixos-24.05 😞 .

[tomodachi94]

My suggestion would be to file an issue upstream, and go from there.

[Binary-Eater]

Yeah, I never felt comfortable with chucking the GUI into nixpkgs given it's proprietary, hard to patch, and dependent on webkitgtk (so it's built against a fixed version of it most likely and shipped). It seems like a huge maintenance cost. Even packages like protonmail-bridge strip their GUI components in nixpkgs.

[m1dugh]

The GUI still looks like a nice feature to have, especially since we are replacing the old version of the package which had the GUI I think 🤔 .

[Binary-Eater]

I would be ok with bringing back v1 which was fully open (so patching is an option) rather than trying to replace it with v2's GUI (where a paid license is required to use it anyways).

[Binary-Eater]

Just opened #355758

[m1dugh]

And some people might be willing to pay to use the GUI I guess, maybe, the right way is to bring back the v1 to life, i don't know.

[Binary-Eater]

Yeah, my issue is having a bunch of broken packages in nixpkgs. I think keeping v1's GUI workable is viable, but I do not feel comfortable about v2. The nice thing about nixos is it is trivial to include external packaging. I think nixpkgs at the very least should contain working packages that are not trivially susceptible to breaking on upgrades and do not need pinned dependencies.

[m1dugh]

That's a fair point

[Binary-Eater]

I can add you as a maintainer on the existing in-tree packages for v2 as well (I would actually really appreciate that if you do not mind).

[m1dugh]

That would be very nice.

[Binary-Eater]

Just opened #355768.

[jerith666]

This will conflict with both #355758 and #355768 when they merge, I believe. So I think it makes sense to let those merge first and then deal with the conflicts here, esp. since it sounds like there are still unresolved issues with webkitgtk here anyway, correct?

[m1dugh]

I guess we can just close this one now regarding @Binary-Eater comments on package being broken for gui.

[Binary-Eater]

We can in parallel explore reaching out to the upstream maintainer and revive this PR if we see enough interest. Does that seem reasonable as an action plan?

[jerith666]

That works for me.

[Binary-Eater]

Going to close this PR now that the other two have merged. We can revisit this later on if need be/desired.