weston-vnc: fix neatvnc overlay to use -Dtls=disabled instead of removing gnutls

2026-05-20 17:59:11 +02:00 · 2026-05-20 17:59:11 +02:00 · 3e5d430873
commit 3e5d430873
parent cddaacd12f
1 changed files with 18 additions and 11 deletions
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@ -57,21 +57,28 @@
  };

  config = lib.mkIf config.hyperhive.gui.enable {
-    # Build weston linked against a neatvnc without auth/crypto support.
-    # neatvnc ≥ 0.9 compiled with gnutls/nettle always advertises RSA-AES
-    # and Apple-DH security types (types 129, 5, 30) regardless of the
-    # weston.ini auth-method setting, causing the in-browser RFB client to
-    # fail with "auth failed" (it has no RSA key to complete the handshake).
-    # Removing gnutls + nettle from neatvnc's buildInputs disables the auth
-    # module at compile time, so nvnc_has_auth() returns false and weston
-    # skips nvnc_enable_auth() — neatvnc then advertises only type 1 (None).
+    # Build weston linked against a neatvnc without TLS/auth support.
+    # neatvnc ≥ 0.9 compiled with gnutls always advertises RSA-AES-256
+    # (type 129), RSA-AES (type 5), and Apple-DH (type 30) security types
+    # regardless of the weston.ini auth-method setting — because
+    # nvnc_has_auth() returns true at the C level, causing weston to call
+    # nvnc_enable_auth() unconditionally. The in-browser RFB client has no
+    # RSA key and cannot complete these handshakes.
+    #
+    # The fix: pass `-Dtls=disabled` to neatvnc's meson build (the option
+    # name from neatvnc's meson_options.txt that guards gnutls + the entire
+    # auth module). With TLS disabled, nvnc_has_auth() returns false, weston
+    # skips nvnc_enable_auth(), and neatvnc advertises only type 1 (None).
+    # gnutls stays in buildInputs so pkg-config resolution doesn't error;
+    # the meson flag overrides the feature to "disabled" at configure time.
    nixpkgs.overlays = [
      (_final: prev: {
        weston = prev.weston.override {
          neatvnc = prev.neatvnc.overrideAttrs (old: {
-            buildInputs = builtins.filter
-              (p: (p.pname or p.name or "") != "gnutls")
-              old.buildInputs;
+            mesonFlags = (old.mesonFlags or []) ++ [
+              "-Dtls=disabled"
+              "-Dnettle=disabled"
+            ];
          });
        };
      })