From 2e943fc060032e3b4e3dc028ba1acbe8f2446afd Mon Sep 17 00:00:00 2001
From: Thiago Kenji Okada
Date: Mon, 12 Dec 2022 18:32:12 +0000
Subject: [PATCH] resholve: use stripped-down python27

This PR strips down the modified `python27` derivation used by `resholve`. The idea is to reduce the possible security issues, and also to make it easier to bootstrap.
---
.../python/cpython/2.7/default.nix | 14 ++++++++
pkgs/development/misc/resholve/default.nix | 36 ++++++++++++++-----
2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix
index 684088186a0..31798a719ec 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@@ -31,6 +31,10 @@
 , rebuildBytecode ? true
 , reproducibleBuild ? false
 , enableOptimizations ? false
+, strip2to3 ? false
+, stripConfig ? false
+, stripIdlelib ? false
+, stripTests ? false
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:
@@ -318,6 +322,16 @@ in with passthru; stdenv.mkDerivation ({
 postFixup = ''
 # Include a sitecustomize.py file. Note it causes an error when it's in postInstall with 2.7.
 cp ${../../sitecustomize.py} $out/${sitePackages}/sitecustomize.py
+ '' + optionalString strip2to3 ''
+ rm -R $out/bin/2to3 $out/lib/python*/lib2to3
+ '' + optionalString stripConfig ''
+ rm -R $out/bin/python*-config $out/lib/python*/config-*
+ '' + optionalString stripIdlelib ''
+ # Strip IDLE
+ rm -R $out/bin/idle* $out/lib/python*/idlelib
+ '' + optionalString stripTests ''
+ # Strip tests
+ rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
 '';
 enableParallelBuilding = true;
diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix
index 34dd36a2124..df0573fd884 100644
--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
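Review bot: The four new `strip2to3`/`stripConfig`/`stripIdlelib`/`stripTests` parameters are added to the argument set without a comment saying what they remove or that the result is not a general-purpose interpreter; since they delete `2to3`, `python-config`, IDLE and the test suite, a derivation built with them cannot stand in for the stock `python27`. A one-line comment above `strip2to3`, e.g. `# strip* flags remove parts of the install (2to3, python-config, IDLE, tests) that a build-only interpreter does not need; see postFixup`, would make the intent visible to the next reader of the argument list. The argument set continues before and after this hunk.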
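Review bot: In the `stripTests` branch, `rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}` relies on `**` recursing into subdirectories, but bash only does that with `shopt -s globstar`, which as far as I can tell the stdenv builder does not enable, so `**` behaves like `*` and test directories nested more than one level below `lib/python*` survive the strip. A sweep that does not depend on shell glob options would be `find $out/lib/python*/ -type d \( -name test -o -name tests \) -prune -exec rm -R {} +`. Separately, if one of the globbed paths in these four branches matches nothing, the unexpanded pattern is handed to `rm -R` literally and the command fails; that is reasonable "fail loudly" behavior for a strip step but deserves a comment such as `# every rm below is expected to match; a missing path fails the build on purpose`. The `postFixup` string and the enclosing mkDerivation argument set both continue outside this hunk.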
@@ -1,19 +1,37 @@
 { lib
-, stdenv
+, pkgs
 , pkgsBuildHost
 , ...
 }:
 let
- pkgs = import ../../../.. {
- inherit (stdenv.hostPlatform) system;
- # Allow python27 with known security issues only for resholve,
- # see issue #201859 for the reasoning
- # In resholve case this should not be a security issue,
- # since it will only be used during build, not runtime
- config.permittedInsecurePackages = [ pkgsBuildHost.python27.name ];
+ python27' = (pkgsBuildHost.python27.overrideAttrs (old:
+ {
+ # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
+ # In resholve case this should not be a security issue,
+ # since it will only be used during build, not runtime
+ meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
+ }
+ )).override {
+ self = python27';
+ pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
+ # strip down that python version as much as possible
+ openssl = null;
+ bzip2 = null;
+ readline = null;
+ ncurses = null;
+ gdbm = null;
+ sqlite = null;
+ libffi = null;
+ rebuildBytecode = false;
+ stripBytecode = true;
+ strip2to3 = true;
+ stripConfig = true;
+ stripIdlelib = true;
+ stripTests = true;
+ enableOptimizations = false;
 };
- callPackage = lib.callPackageWith pkgs;
+ callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });
 source = callPackage ./source.nix { };
 deps = callPackage ./deps.nix { };
 in
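Review bot: The `openssl = null` through `libffi = null` overrides are the part of this change that actually shrinks the known-vulnerable interpreter, yet the only comment is `# strip down that python version as much as possible`, which says what without why; suggest replacing it with `# resholve only runs this interpreter at build time to parse and resolve shell scripts, so drop the network, crypto, database and terminal modules it never needs`. Passing `null` for those inputs presumably depends on the 2.7 derivation filtering null build inputs rather than failing at evaluation — worth confirming against that file, which is outside this hunk. The `meta = (old.meta or { }) // { knownVulnerabilities = [ ]; }` line removes the evaluation-time refusal for every consumer reached through this file's `callPackage`, so the comment above it should also state that the override is deliberately scoped by the `pkgs // { python27 = python27'; }` binding near the end of the hunk and must not leak into an exported attribute. The derivation that consumes `source` and `deps` follows `in` and is outside this hunk.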