Vula

[fricklerhandwerk]

With zero configuration, Vula automatically encrypts IP communication between hosts on a local area network in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping.

With manual key verification and/or automatic key pinning and manual resolution of IP or hostname conflicts, Vula will additionally protect against interception by active adversaries.

When the local gateway to the internet is also Vula peer, internet-destined traffic will also be encrypted on the LAN.

• Website: https://vula.link/
• source: https://codeberg.org/vula/vula
• installation instructions: https://codeberg.org/vula/vula/src/branch/main/INSTALL.md
• hacking instructions: https://codeberg.org/vula/vula/src/branch/main/HACKING.md

[ioerror]

Thanks for helping to package vula!

Last week we tagged a new vula release that could be packaged immediately. However we're also working on a major upgrade that will change a key dependency by replacing sibc with libhighctidh. It will be less work if whoever is packaging the software is able to wait until the next tag is ready.

We expect to have libhighctidh ready for release by the end of today and then a new release of vula should be tagged by the end of this week.

[lorenzleutgeb]

In my initial attempt I quickly found out that the dependencies "sibc" and "ggwave" appear to not be packaged in Nixpkgs. Since @ioerror commented that "sibc" might be replaced by another dependency in a newer version soon, I suggest to postpone further work until a version that does not depend on "sibc" is released.

See #97

[ioerror]

We'll need to package libhighctidh, and ggwave after we complete the transition from sibc. The ggwave dependency is a soft dependency for desktop or server vula deployments with sound hardware capabilities while the libhighctidh is a hard dependency that is required for basic operation in all cases.

[lorenzleutgeb]

Understood. I was about to ask about ggwave: A PEP 631 Optional Dependency or rather PEP 621 Optional Dependency would be nice 😸

[ioerror]

We'd prefer to only have packages that include ggwave but if it was a question of a package vs none, and later iterating towards a better package, a few dependencies could be made optional and the core software could still function. Examples that come to mind include pstray, ggwave, and anything with the GUI. For a headless server, only ggwave could even be used among those three but in that case it would need audio hardware.

For the next vula release tag, we'll look carefully at PEP 621/631 to see if anything could be made optional in addition to those three packages.

[lorenzleutgeb]

Sweet. I think none of the NGIpkgs contributors would object to packaging vula, even if it unconditionally depends on ggwave. It's more of a comment/wish than a requirement, really, so don't let it slow you down.

Nix does support having two flavours of the package (say, one for "headless" operation, that depends on ggwave, and one for "desktop" operation, that does not depend on ggwave) and most people like to keep things slim. Scenarios would be installing vula on a small home server, Raspberry Pi, etc.

[ioerror]

The new vula dependency highctidh that will soon replace sibc in vula has been tagged and released:
https://codeberg.org/vula/highctidh/releases/tag/v1.0.2023112000
https://pypi.org/project/highctidh/

[ioerror]

We have tagged and released new versions of vula and vula_libnss which should now be ready for packaging:

https://codeberg.org/vula/vula/releases/tag/v0.2.2023112400
https://codeberg.org/vula/vula_libnss/releases/tag/0.0.2023112400

[ioerror]

We have now tagged a new vula and a new highctidh release which greatly improves performance on x86_64/amd64 . It also addresses some bugs that ensure that clang or gcc may be used, glibc or musl may be used, and highctidh should additionally be functional on HardenedBSD:

https://codeberg.org/vula/vula/releases/tag/v0.2.2023112801
https://codeberg.org/vula/highctidh/releases/tag/v1.0.2023112802

The respective pypi releases are also now available:

https://pypi.org/project/vula/0.2.2023112801/
https://pypi.org/project/highctidh/1.0.2023112802/

The vula_libnss release does not need to be changed and is still valid:

https://codeberg.org/vula/vula_libnss/releases/tag/0.0.2023112400
https://pypi.org/project/vula-libnss/0.0.2023112400/

These should be suitable for testing and packaging.

[lorenzleutgeb]

@fricklerhandwerk I packaged highctidh and bumped vula to a version that uses it. These changes are at #97. The PR is still in draft because I'd like to add a NixOS module (based on the systemd unit files that come with Vula) and a NixOS test.

[lorenzleutgeb]

@fricklerhandwerk I improved the vula package to patch upstream systemd configuration files so that they can be consumed via systemd.packages and added a module that does this. The NixOS test that consumes the module however still gives some trouble: I can't start Vula because of DBus errors.

Investigating...

systemd[1]: vula-discover.service: Scheduled restart job, restart counter is at 16.
systemd[1]: Starting vula service discovery daemon...
vula[1106]: Traceback (most recent call last):
vula[1106]:   File "/nix/store/…-vula-0.2.2023112801/bin/.vula-wrapped", line 9, in 
vula[1106]:     sys.exit(main())
vula[1106]:              ^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
vula[1106]:     return self.main(*args, **kwargs)
vula[1106]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1078, in main
vula[1106]:     rv = self.invoke(ctx)
vula[1106]:          ^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/notclick.py", line 124, in invoke
vula[1106]:     raise ex
vula[1106]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/notclick.py", line 103, in invoke
vula[1106]:     return super(Debuggable, self).invoke(ctx)
vula[1106]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
vula[1106]:     return _process_result(sub_ctx.command.invoke(sub_ctx))
vula[1106]:                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
vula[1106]:     return ctx.invoke(self.callback, **ctx.params)
vula[1106]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 783, in invoke
vula[1106]:     return __callback(*args, **kwargs)
vula[1106]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/discover.py", line 232, in main
vula[1106]:     Discover.daemon(**kwargs)
vula[1106]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/discover.py", line 186, in daemon
vula[1106]:     process = system_bus.get(
vula[1106]:               ^^^^^^^^^^^^^^^
vula[1106]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/proxy.py", line 44, in get
vula[1106]:     ret = self.con.call_sync(
vula[1106]:           ^^^^^^^^^^^^^^^^^^^
vula[1106]: gi.repository.GLib.GError: g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name local.vula.organize was not provided by any .service files (2)
systemd[1]: vula-discover.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: vula-discover.service: Failed with result 'exit-code'.
systemd[1]: Failed to start vula service discovery daemon.
systemd[1]: Starting vula organize service...

vula[1120]: 2023-12-22-12:23:32: Keys file not found

vula[1120]: 2023-12-22-12:23:32: Generating keys...

wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.

wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld Jason@zx2c4.com. All Rights Reserved.

vula[1120]: 2023-12-22-12:23:32: Couldn't load state file: FileNotFoundError(2, 'No such file or directory')

vula[1120]: Traceback (most recent call last):

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/bin/.vula-wrapped", line 9, in 

vula[1120]:     sys.exit(main())

vula[1120]:              ^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1157, in call

vula[1120]:     return self.main(*args, **kwargs)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1078, in main

vula[1120]:     rv = self.invoke(ctx)

vula[1120]:          ^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/notclick.py", line 124, in invoke

vula[1120]:     raise ex

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/notclick.py", line 103, in invoke

vula[1120]:     return super(Debuggable, self).invoke(ctx)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1688, in invoke

vula[1120]:     return _process_result(sub_ctx.command.invoke(sub_ctx))

vula[1120]:                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1666, in invoke

vula[1120]:     rv = super().invoke(ctx)

vula[1120]:          ^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 1434, in invoke

vula[1120]:     return ctx.invoke(self.callback, **ctx.params)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/core.py", line 783, in invoke

vula[1120]:     return __callback(*args, **kwargs)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func

vula[1120]:     return f(get_current_context(), *args, **kwargs)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/notclick.py", line 203, in wrapper

vula[1120]:     instance = callback(*a, **kw)

vula[1120]:                ^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-click-8.1.7/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func

vula[1120]:     return f(get_current_context(), *args, **kwargs)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/organize.py", line 577, in init

vula[1120]:     self.run(monolithic=False)

vula[1120]:   File "/nix/store/…-vula-0.2.2023112801/lib/python3.11/site-packages/vula/organize.py", line 795, in run

vula[1120]:     system_bus.publish(_ORGANIZE_DBUS_NAME, self)

vula[1120]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/publication.py", line 42, in publish

vula[1120]:     return Publication(self, bus_name, *objects)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/publication.py", line 35, in init

vula[1120]:     self._at_exit(bus.request_name(bus_name, allow_replacement=allow_replacement, replace=replace).exit)

vula[1120]:                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/request_name.py", line 29, in request_name

vula[1120]:     return NameOwner(self, name, allow_replacement, replace)

vula[1120]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/request_name.py", line 8, in init

vula[1120]:     res = bus.dbus.RequestName(name, flags)

vula[1120]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]:   File "/nix/store/…-python3.11-pydbus-0.6.0/lib/python3.11/site-packages/pydbus/proxy_method.py", line 72, in call

vula[1120]:     ret = instance._bus.con.call_sync(

vula[1120]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vula[1120]: gi.repository.GLib.GError: g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Connection ":1.24" is not allowed to own the service "local.vula.organize" due to security policies in the configuration file (9)

systemd[1]: vula-organize.service: Main process exited, code=exited, status=1/FAILURE

systemd[1]: vula-organize.service: Failed with result 'exit-code'.

systemd[1]: Failed to start vula organize service.

[fricklerhandwerk]

@lorenzleutgeb is this closed by #97?

[lorenzleutgeb]

No, see #97 (comment)

[ioerror]

@lorenzleutgeb Are the patches to systemd service files something that we should consider for merging upstream?

[lorenzleutgeb]

@ioerror The patches we do apply so far are quite "mild" and mostly related to NixOS. But I'll keep in mind to notify you in case we have something to upstream. Just for reference:

• Exec=/bin/false is not compatible with NixOS since there's no /bin/false, we refer to coreutils in the Nix store explicitly.
• ExecStart=vula relies on vula being in $PATH, again we use the Nix store to refer to the particular version of vula in the store, that is currently being built.

[fricklerhandwerk]

@ngi-nix/magic filed an issue upstream: https://codeberg.org/vula/vula/issues/49

[A-jay98]

We, the maintenance mobs Magic and Cake have been working on this.
We found the existing package not only have the issue reported above, but several more. Among them

• The NixOS test file has no assertions.
• The package contains no executable (no $out/bin).
• The systemd services were not placed in the correct output path.
• An extraneous systemd unit file (monolithic).
• A required NSS module is missing from the service.
• Upstream tests are not running in the checkPhase.
• Systemd and dbus services are missing from the NixOS module.
• An upstream issue has been identified and reported: https://codeberg.org/vula/vula/issues/49
• Some dependencies are missing.
• Service discovery is not configured in the NixOS module.

Most of the above issues have been resolved. Here is a snapshot of the known remaining tasks:

• Write NixOS tests.
• Work with upstream to resolve issue.
• Add more options to the module.
• Clean up.

[lorenzleutgeb]

@A-jay98 it's good that you are improving on the current state. Thanks!

• The systemd services were not placed in the correct output path.

Please elaborate. I believe that you are mistaken, see ad2e9a5#r142089207

• Systemd and dbus services are missing from the NixOS module.

What makes you think that? There is no explicit configuration, but they are loaded directly from the configuration provided by upstream, which you can then customize/override using systemd.services.

Upstream files are registered here:

ngipkgs/projects/Vula/service.nix

Line 73 in 17c5cb6

systemd.packages = [cfg.package];

You might have broken this mechanism, see (again) ad2e9a5#r142089207

[ioerror]

The highctidh package produced today during the group development session seems useful to merge independently.

[sarcasticadmin]

Wanted to update the team regarding where @GetPsyched and I left things today while wrapping up pairing with @ioerror:

Running the vula nixosTest:

$ nix build .#hydraJobs.tests.x86_64-linux.nixos.Vula.vula.driverInteractive -L
$ ./result/bin/nixos-test-driver
...
>>> start_all()
...
>>> run_tests()
...

Resulted in output from vula regarding an invalid descriptor:

...
a # [   54.231369] vula[797]: 2024-05-16-15:00:24: discover dropped invalid descriptor: {'r': '', 'pk': b'Zv9xR32f0FArb6wTLPcfHus/vQcrX3/fv9uRfMfbAhM=', 'c': b'qopkW/9Ih6KSNPrLJqIfcly5MwNqXYSA129Sr7BIbVqvfECJQwXHckXfL1Uq+3Sioh1maOypOZGrp71LRWJNYg==', 'addrs': b'192.168.1.1', 'vk': b'NVx3TrxYuuuytO0Ptc9wXK0bh9j54CAts3KDAkpJTl4=', 'vf': b'1715871624', 'dt': b'86400', 'port': b'5354', 'hostname': b'a.local.', 'e': b'False', 's': b'ZlcV8uUl5ItRanpKNYkI5SHx2xa9eI9OzwclFfObEm8AcrChuKwxLYyiTM92gxAgAm4cgL0GjhD54OpWUueXDg=='} (SchemaError("b'Zv9xR32f0FArb6wTLPcfHus/vQcrX3/fv9uRfMfbAhM=' is not 32 bytes or a 44-char base64 string which decodes to 32 bytes"))
...

Even though checking the SchemaError value of pk seems valid and is able to be decoded:

$ python3
Python 3.11.9 (main, Apr  2 2024, 08:25:04) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> z = 'Zv9xR32f0FArb6wTLPcfHus/vQcrX3/fv9uRfMfbAhM='
>>> len(z)
44
>>> import base64
>>> base64.b64.decode(z)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'base64' has no attribute 'b64'
>>> base64.b64decode(z)
b'f\xffqG}\x9f\xd0P+o\xac\x13,\xf7\x1f\x1e\xeb?\xbd\x07+_\x7f\xdf\xbf\xdb\x91|\xc7\xdb\x02\x13'
>>> len(base64.b64decode(z))
32

There were concerns around the python schema package version differences but the version of nixpkgs and vula are the same version 0.7.5: https://github.com/NixOS/nixpkgs/blob/ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d/pkgs/development/python-modules/schema/default.nix#L12 and https://codeberg.org/vula/vula/src/branch/main/Pipfile.lock#L339-L345

We turned to enabling the full unittest suite of vula by passing pytest --doctest-modules. This was in hopes that a similar error would with the descriptor would be raised during the tests. The result was 1 test failure across the full test suite:

$ nix build .#vula -L
...
vula-unstable-> =================================== FAILURES ===================================
vula-unstable-> _________ TestWireGuardServiceListener.test_add_service_calls_callback _________
vula-unstable-> self = <test.test_discover.TestWireGuardServiceListener object at 0x7ffff28dbbd0>
vula-unstable->     def test_add_service_calls_callback(self):
vula-unstable->         callback = MagicMock()
vula-unstable->         props = {
vula-unstable->             b'addrs': b'192.168.2.1',
vula-unstable->             b'pk': b'EqcQ5gYxzGtzg7B4xi83kLyfuSMp8Kv3cmAJMs12nDM=',
vula-unstable->             b'c': b'T6htsKgwCp5MAXjPiWxtVkccg+K2CePsVa7uyUgxE2ouYxKXg2qNL+'
vula-unstable->             + b'0ut3sSVTYjzFGZSCO6n80SRaR+BIeOCg==',
vula-unstable->             b'hostname': b'myhost',
vula-unstable->             b'port': b'5054',
vula-unstable->             b'vk': b'EqcQ5gYxzGtzg7B4xi83kLyfuSMp8Kv3cmAJMs12nDM=',
vula-unstable->             b'dt': b'34',
vula-unstable->             b'vf': b'42',
vula-unstable->             b'r': b'192.168.2.0/24',
vula-unstable->             b'e': b'1',
vula-unstable->         }
vula-unstable->         zeroconf = MagicMock()
vula-unstable->         zeroconf.get_service_info().properties = props
vula-unstable->         listener = vula.discover.WireGuardServiceListener(callback)
vula-unstable->         listener.add_service(zeroconf, "test_type", "test_name")
vula-unstable-> >       callback.assert_called_once()
vula-unstable-> test/test_discover.py:34:
vula-unstable-> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
vula-unstable-> self = <MagicMock id='140737259795984'>
vula-unstable->     def assert_called_once(self):
vula-unstable->         """assert that the mock was called only once.
vula-unstable->         """
vula-unstable->         if not self.call_count == 1:
vula-unstable->             msg = ("Expected '%s' to have been called once. Called %s times.%s"
vula-unstable->                    % (self._mock_name or 'mock',
vula-unstable->                       self.call_count,
vula-unstable->                       self._calls_repr()))
vula-unstable-> >           raise AssertionError(msg)
vula-unstable-> E           AssertionError: Expected 'mock' to have been called once. Called 0 times.
vula-unstable-> /nix/store/lpi16513bai8kg2bd841745vzk72475x-python3-3.11.9/lib/python3.11/unittest/mock.py:918: AssertionError
vula-unstable-> =========================== short test summary info ============================
vula-unstable-> FAILED test/test_discover.py::TestWireGuardServiceListener::test_add_service_calls_callback - AssertionError: Expected 'mock' to have been called once. Called 0 times.
vula-unstable-> ======================== 1 failed, 105 passed in 1.54s =========================
vula-unstable-> /nix/store/558iw5j1bk7z6wrg8cp96q2rx03jqj1v-stdenv-linux/setup: line 1579: pop_var_context: head of shell_variables not a function context
error: builder for '/nix/store/aaj74i50m18vx9774vr317w81dgd3rks-vula-unstable-.drv' failed with exit code 1;
       last 10 log lines:
       >                       self.call_count,
       >                       self._calls_repr()))
       > >           raise AssertionError(msg)
       > E           AssertionError: Expected 'mock' to have been called once. Called 0 times.
       >
       > /nix/store/lpi16513bai8kg2bd841745vzk72475x-python3-3.11.9/lib/python3.11/unittest/mock.py:918: AssertionError
       > =========================== short test summary info ============================
       > FAILED test/test_discover.py::TestWireGuardServiceListener::test_add_service_calls_callback - AssertionError: Expected 'mock' to have been called once. Called 0 times.
       > ======================== 1 failed, 105 passed in 1.54s =========================
       > /nix/store/558iw5j1bk7z6wrg8cp96q2rx03jqj1v-stdenv-linux/setup: line 1579: pop_var_context: head of shell_variables not a function context
       For full logs, run 'nix log /nix/store/aaj74i50m18vx9774vr317w81dgd3rks-vula-unstable-.drv'.

In TestWireGuardServiceListener.test_add_service_calls_callback the following lines in this test are suspicious since there doesn't seem to be an actual callback and causes the assertion to fail:

listener = vula.discover.WireGuardServiceListener(callback)
listener.add_service(zeroconf, "test_type", "test_name")

@ioerror here is the command that I was running from https://github.com/ngi-nix/ngipkgs/tree/mob/vula-test branch to build the vula package and run the tests:

$ nix build .#vula -L 

Additional Note: after installing nix make sure to enable flakes since they are needed to use this ngi repo but are experimental:

$ echo "experimental-features = nix-command flakes" > ./nix.conf && install -D ./nix.conf $HOME/.config/nix/nix.conf

[sarcasticadmin]

Also here is a way to get the versions of the dependencies that we are using for vula:

$ nix repl
nix-repl> :lf .
Added 20 variables.

nix-repl> lib = inputs.nixpkgs.lib
nix-repl> versions = contents: lib.lists.naturalSort (lib.lists.forEach contents (x: lib.strings.getName x + ":" + lib.strings.getVersion x))

nix-repl> versions outputs.packages.x86_64-linux.vula.propagatedBuildInputs

[ "click:8.1.7" "cryptography:42.0.5" "highctidh:1.0.2024050500" "hkdf:0.0.3" "packaging:24.0" "pillow:10.3.0" "pyaudio:0.2.14" "pydbus:0.6.0" "pygobject:3.48.2" "pynacl:1.5.0" "pyroute2:0.7.12" "pystray:0.19.2" "python3:3.11.9" "pyyaml:6.0.1" "qrcode:7.4.2" "schema:0.7.5" "setuptools:69.5.1" "tkinter:3.11.9" "zeroconf:0.132.2" ]

[adfaure]

I believe the patch is the culprit for the error there; it misses restoring the original intend, which was to decode the v variable.

Using v.decode() fixes the test.

diff --git a/vula/discover.py b/vula/discover.py
index 08235d9..3fe41f7 100644
--- a/vula/discover.py
+++ b/vula/discover.py
@@ -68,7 +68,10 @@ class WireGuardServiceListener(ServiceListener):
         info: Optional[ServiceInfo] = zeroconf.get_service_info(s_type, name)
         if info is None:
             return
-        data = {k.decode(): v.decode() for k, v in info.properties.items()}
+
+        data = dict()
+        for k, v in info.properties.items():
+            data[k.decode()] = v.decode() if v is not None else ''
 
         try:
             desc = Descriptor(data)

With the new patch (which is still needed btw) I have peers running during an interactive shell

>>> print(a.execute("vula peer")[1])
a # [   67.434526] dbus-daemon[545]: [system] Would reject message, 5 matched rules; type="method_call", sender=":1.12" (uid=0 pid=922 comm="/nix/store/lpi16513bai8kg2bd841745vzk72475x-python" label="kernel") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination="local.vula.organize" (uid=992 pid=691 comm="/nix/store/lpi16513bai8kg2bd841745vzk72475x-python" label="kernel")
a # [   67.453742] vula[691]: 2024-05-16-21:22:57: Fetching interface info for vula
peer: b.local.
  id: 2ViD9GZbIPiqrUCPFDPP6QMt71L100c7XH9r9+S6C+k=
  status: enabled unpinned unverified
  endpoint: 192.168.1.2:5354
  allowed ips: 192.168.1.2/32
  latest signature: 0:00:37 ago
  latest handshake: none
  wg pubkey: Z++mfEerJN03vxe1O0dBIxQ+vGxi6M0hEV6do2Tscyk=

>>> print(b.execute("vula peer")[1])
b # [   71.101350] dbus-daemon[547]: [system] Would reject message, 5 matched rules; type="method_call", sender=":1.11" (uid=0 pid=914 comm="/nix/store/lpi16513bai8kg2bd841745vzk72475x-python" label="kernel") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination="local.vula.organize" (uid=992 pid=693 comm="/nix/store/lpi16513bai8kg2bd841745vzk72475x-python" label="kernel")
b # [   71.119133] vula[693]: 2024-05-16-21:23:02: Fetching interface info for vula
peer: a.local.
  id: nMZq/EXQQoOnPX4QgOfS6sINj8rEUzYpgAAZoESawro=
  status: enabled unpinned unverified
  endpoint: 192.168.1.1:5354
  allowed ips: 10.0.2.15/32, 192.168.1.1/32
  latest signature: 0:00:43 ago
  latest handshake: none
  wg pubkey: CiBc9pEWpvE/6XXZwH+0Rb7RqYD9frn5QBk2GrL5NE8=

[ioerror]

@adfaure Would you open a pull request on vula for that fix?

[ioerror]

Looking at https://github.com/python-zeroconf/python-zeroconf/blob/9d8dd27c75768663319c0ee610ba9d274799e32c/src/zeroconf/_services/info.py#L271 - Returning None is intentional, especially if we look at the internal mutation functions.

[ioerror]

We designed our Descriptor schema validation to fail closed and the consequence of this malformed key, value pair is that it invalidates the entire vula descriptor. This invalidation ensures that vula discover does not pass the descriptor to vula organize, and vula as a whole does not add the descriptor to the list of vula peers. We have a minimal reproducer for the bug and we are tracking this in https://codeberg.org/vula/vula/issues/50 on codeberg.

[adfaure]

Hi @ioerror, it looks like the issue is deeper than the patch.

Do you still need my pull request ?

[ioerror]

Hi @ioerror, it looks like the issue is deeper than the patch.

Do you still need my pull request ?

We would be happy to review a pull request, and we will also work on solving the other issues in parallel.

[ioerror]

I attempted to follow the instructions to reproduce this and was surprised that installing nix failed with the linked instructions when using a POWER9 machine (ppc64le):

user@power9:~$ sh <(curl -L https://nixos.org/nix/install) --no-daemon
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4052  100  4052    0     0  13854      0 --:--:-- --:--:-- --:--:-- 13854
/dev/fd/63: sorry, there is no binary distribution of Nix for your platform

[ioerror]

Hi @ioerror, it looks like the issue is deeper than the patch.

Do you still need my pull request ?

We have now solved the issue (using nix on x86_64). We have confirmed that the fix works in nix if the pkgs/by-name/vula/patch is identical to the changes made in the fix that we added to vula's main branch. The package itself should no longer need to carry any patches at all and all unit tests should now pass in the nix environment. The vula nix package will need to be updated to git tip.

We will release a new version of vula. In our release commit, we would like to credit everyone here for their help in finding this bug and for helping create a nix package for vula. Please let us know if you would like to be credited.

Is there a standard way for the CI (e.g.: GHA or gitlab) to test building the nix vula package with an updated vula as we continue to improve vula? We would be happy to run such a test to ensure that vula is always ready for inclusion into an updated nix package.

We would also be interested to include documentation to encourage people to consider using vula with nix once we have analyzed the properties of the nix environment.

[sarcasticadmin]

The vula nix package will need to be updated to git tip.

Confirming that vula now builds and pass all the test against the latest commit https://codeberg.org/vula/vula/commit/b82933c2d45496afb91727e7ce3dff61ae262473:

vula-unstable-> ============================= 107 passed in 1.42s ==============================
vula-unstable-> Finished executing pytestCheckPhase
vula-unstable-> Running phase: pytestcachePhase
vula-unstable-> Running phase: pytestRemoveBytecodePhase

We will release a new version of vula. In our release commit, we would like to credit everyone here for their help in finding this bug and for helping create a nix package for vula. Please let us know if you would like to be credited.

Fantastic @ioerror ! I'd be happy to be included.

Is there a standard way for the CI (e.g.: GHA or gitlab) to test building the nix vula package with an updated vula as we continue to improve vula? We would be happy to run such a test to ensure that vula is always ready for inclusion into an updated nix package.

Definitely doable. I think the easiest way to do this would be to refer to the vula pkg from ngipkgs (once its merged) then override the source to be the updated vula sources instead of a specific version. Happy to discuss other ideas with the wider team.

[adfaure]

@A-jay98 it's good that you are improving on the current state. Thanks!

• The systemd services were not placed in the correct output path.

Please elaborate. I believe that you are mistaken, see ad2e9a5#r142089207

Thank you, we don't remember why we thought that /lib was wrong. We reverted to lib (which is the documented way).

• Systemd and dbus services are missing from the NixOS module.

What makes you think that? There is no explicit configuration, but they are loaded directly from the configuration provided by upstream, which you can then customize/override using systemd.services.

Upstream files are registered here:

ngipkgs/projects/Vula/service.nix

Line 73 in 17c5cb6

systemd.packages = [cfg.package];

You might have broken this mechanism, see (again) ad2e9a5#r142089207

Sorry, what we meant is that they are not configured to start. That was resolved (in mob/vula-test) by a wantedBy.

[mightyiam]

@ioerror mentioning us and possibly our sponsors and the NixOS Foundation would be appreciated, but perhaps after the package is released? We will let you know when that happens. And then we'd also help you integrate testing this package into your CI.

[ioerror]

@ioerror mentioning us and possibly our sponsors and the NixOS Foundation would be appreciated, but perhaps after the package is released? We will let you know when that happens. And then we'd also help you integrate testing this package into your CI.

Yes, please do let us know. We'd be happy to do that in both projects (vula and highctidh) at the very minimum. Thank you again for all of your work on these packages, and thank you for taking the time to include us in your working process.