resholve: mark it as knownVulnerabilities, allow resholve-utils usage

We are marking `resholve` itself with `meta.knownVulnerabilities`, and overriding `resholve-utils` functions's `resholve` with `meta.knownVulnerabilities = [ ]`. This way, we can still use `resholve` at build-time without triggering security warnings, however we can't instantiate `resholve` itself. See: ``` $ nix-build -A resholve error: Package ‘resholve-0.8.4’ in /.../nixpkgs/pkgs/development/misc/resholve/resholve.nix:48 is marked as insecure, refusing to evaluate. $ nix-build -A ix /nix/store/k8cvj1bfxkjj8zdg6kgm7r8942bbj7w7-ix-20190815 ``` For debugging purposes, you can still bypass the security checks and instantiate `resholve` by: ``` $ NIXPKGS_ALLOW_INSECURE=1 nix-build -A resholve /nix/store/77s87hhqymc6x9wpclb04zg5jwm6fsij-resholve-0.8.4 ```
2023-01-10 18:21:04 +00:00 · 2023-01-10 18:21:04 +00:00 · c44e0571fc
parent e13660c50c
commit c44e0571fc
2 changed files with 14 additions and 9 deletions
--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
@ -5,14 +5,12 @@
 }:

 let
-  python27' = (pkgsBuildHost.python27.overrideAttrs (old:
-    {
-      # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
-      # In resholve case this should not be a security issue,
-      # since it will only be used during build, not runtime
-      meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
-    }
-  )).override {
+  removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
+    meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
+  });
+  # We are removing `meta.knownVulnerabilities` from `python27`,
+  # and setting it in `resholve` itself.
+  python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
    self = python27';
    pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
    # strip down that python version as much as possible
@ -99,6 +97,8 @@ rec {
  # funcs to validate and phrase invocations of resholve
  # and use those invocations to build packages
  resholve-utils = callPackage ./resholve-utils.nix {
-    inherit resholve;
+    # we can still use resholve-utils without triggering a security warn
+    # this is safe since we will only use `resholve` at build time
+    resholve = removeKnownVulnerabilities resholve;
  };
 }
--- a/pkgs/development/misc/resholve/resholve.nix
+++ b/pkgs/development/misc/resholve/resholve.nix
@ -50,5 +50,10 @@ python27.pkgs.buildPythonApplication {
    license = with licenses; [ mit ];
    maintainers = with maintainers; [ abathur ];
    platforms = platforms.all;
+    knownVulnerabilities = [ ''
+      resholve depends on python27 (EOL). While it's safe to
+      run on trusted input in the build sandbox, you should
+      avoid running it on untrusted input.
+    '' ];
  };
 }