weechat-otr: Fix build and knownVulnerabilities

First, this closes #167972 by explicitly disabling Python tests for the backported pycrypto library. Those tests were written for Python 2 only. Furthermore, the meta.knownVulnerabilities attribute was added as the last weechat-otr upstream release was in 2018-03 [0] and the backported Debian package of pycrypto is from 2020-04 [1]. As there are no known vulnerabilities for weechat-otr itself, pycrypto "is unmaintained, obsolete, and contains security vulnerabilities" [2]. Even with Debian's patches, this is no good situation. As weechat-otr being a security and privacy related software, it should be made obvious, that its code base is old and unmaintained. [0] https://github.com/mmb/weechat-otr/releases/tag/v1.9.2 [1] https://salsa.debian.org/sramacher/python-crypto/-/tags/debian%2F2.6.1-13.1 [2] https://www.pycrypto.org/
2022-04-09 14:01:21 +02:00 · 2022-04-09 14:01:21 +02:00 · 22419c93cd
commit 22419c93cd
parent 2e8714c5fc
1 changed files with 7 additions and 0 deletions
--- a/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix
+++ b/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix
@ -24,6 +24,9 @@ let

    buildInputs = [ gmp ];

+    # Tests are relying on old Python 2 modules.
+    doCheck = false;
+
    preConfigure = ''
      sed -i 's,/usr/include,/no-such-dir,' configure
      sed -i "s!,'/usr/include/'!!" setup.py
@ -66,5 +69,9 @@ in stdenv.mkDerivation rec {
    license = licenses.gpl3;
    maintainers = with maintainers; [ oxzi ];
    description = "WeeChat script for Off-the-Record messaging";
+    knownVulnerabilities = [
+      "There is no upstream release since 2018-03."
+      "Utilizes deprecated and vulnerable pycrypto library with Debian patches from 2020-04."
+    ];
  };
 }