xdg-utils: cleanup

2024-02-11 23:57:50 +00:00 · 2024-02-11 23:57:50 +00:00 · bf53e3628a
commit bf53e3628a
parent d35f938806
1 changed files with 16 additions and 30 deletions
--- a/hosts/common/programs/xdg-utils.nix
+++ b/hosts/common/programs/xdg-utils.nix
@ -4,36 +4,22 @@
    # xdg-open may need to open things with elevated perms, like wireshark.
    # generally, the caller can be trusted to sandbox it.
    # if the caller is sandboxed, it will typically set NIXOS_XDG_OPEN_USE_PORTAL=1,
-    # and then xdg-open simply forwards the request to dbus.
+    # and then xdg-open simply forwards the request to dbus `org.freedesktop.portal.OpenURI` (i.e. xdg-desktop-portal).
+    #
+    # N.B.: `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges.
+    # this will be true of nearly all sandboxed applications, but for those which it is not, `sandbox.method = "capshonly"` may be necessary
    sandbox.enable = false;
+
+    # alternative to letting the sandbox decide for itself: forcibly use the portal
+    #   if the mime association list is not visible/in scope.
+    # packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
+    #   postInstall = base.postInstall + ''
+    #     sed '2i\
+    #     if ! [ -e ~/.local/share/applications ]; then\
+    #       NIXOS_XDG_OPEN_USE_PORTAL=1\
+    #     fi\
+    #     ' -i "$out"/bin/*
+    #   '';
+    # });
  };
-
-  # sane.programs.xdg-utils = {
-  #   sandbox.method = "capshonly";
-  #   sandbox.wrapperType = "wrappedDerivation";
-  #   # xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
-  #   # we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
-  #   # so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
-  #   #   -- EXCEPT for if we're invoked by the portal itself.
-  #   #
-  #   # note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
-  #   # env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
-  #   packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
-  #     postInstall = base.postInstall + ''
-  #       sed '2i\
-  #       if ! [ -e ~/.local/share/applications ]; then\
-  #         NIXOS_XDG_OPEN_USE_PORTAL=1\
-  #       fi\
-  #       ' -i "$out"/bin/*
-  #     '';
-  #   });
-  # };
-
-  # ensure that any `xdg-open` invocations from within the portal don't recurse.
-  # N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
-  # pollutes the PATH for this unit.
-  # systemd.user.units."xdg-desktop-portal.service".text = ''
-  #   [Service]
-  #   Environment="NIXOS_XDG_OPEN_USE_PORTAL="
-  # '';
 }