resholve: use stripped-down python27
This PR strips down the modified `python27` derivation used by `resholve`. The goal is to reduce the potential for security issues and to make bootstrapping easier.
parent
01c02c84d3
commit
2e943fc060
2 changed files with 41 additions and 9 deletions
|
@ -31,6 +31,10 @@
|
|||
, rebuildBytecode ? true
|
||||
, reproducibleBuild ? false
|
||||
, enableOptimizations ? false
|
||||
, strip2to3 ? false
|
||||
, stripConfig ? false
|
||||
, stripIdlelib ? false
|
||||
, stripTests ? false
|
||||
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
|
||||
}:
|
||||
|
||||
|
@ -318,6 +322,16 @@ in with passthru; stdenv.mkDerivation ({
|
|||
postFixup = ''
|
||||
# Include a sitecustomize.py file. Note it causes an error when it's in postInstall with 2.7.
|
||||
cp ${../../sitecustomize.py} $out/${sitePackages}/sitecustomize.py
|
||||
'' + optionalString strip2to3 ''
|
||||
rm -R $out/bin/2to3 $out/lib/python*/lib2to3
|
||||
'' + optionalString stripConfig ''
|
||||
rm -R $out/bin/python*-config $out/lib/python*/config-*
|
||||
'' + optionalString stripIdlelib ''
|
||||
# Strip IDLE
|
||||
rm -R $out/bin/idle* $out/lib/python*/idlelib
|
||||
'' + optionalString stripTests ''
|
||||
# Strip tests
|
||||
rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
|
||||
'';
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
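Review bot: `rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}` in the `stripTests` branch relies on `**` recursing, but bash only does that with `shopt -s globstar`, which the stdenv builder shell does not enable as far as I can tell; without it `**` degrades to `*`, so only `test`/`tests` directories exactly one level below `lib/python*` are removed and the flag silently leaves deeper ones in place. A `find` is independent of shell options and also tolerates a layout with no match: `find $out/lib/python*/ -type d \( -name test -o -name tests \) -prune -exec rm -R '{}' +`. The unguarded globs in the other branches have the opposite failure mode — a pattern that matches nothing (e.g. `$out/lib/python*/config-*` on a build where it is absent) is passed to `rm` literally and `rm -R` aborts the phase — so `rm -Rf` would be the safer spelling there. The enclosing `stdenv.mkDerivation` call starts outside the hunk.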
|
|
@ -1,19 +1,37 @@
|
|||
{ lib
|
||||
, stdenv
|
||||
, pkgs
|
||||
, pkgsBuildHost
|
||||
, ...
|
||||
}:
|
||||
|
||||
let
|
||||
pkgs = import ../../../.. {
|
||||
inherit (stdenv.hostPlatform) system;
|
||||
# Allow python27 with known security issues only for resholve,
|
||||
# see issue #201859 for the reasoning
|
||||
# In resholve case this should not be a security issue,
|
||||
# since it will only be used during build, not runtime
|
||||
config.permittedInsecurePackages = [ pkgsBuildHost.python27.name ];
|
||||
python27' = (pkgsBuildHost.python27.overrideAttrs (old:
|
||||
{
|
||||
# Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
|
||||
# In resholve case this should not be a security issue,
|
||||
# since it will only be used during build, not runtime
|
||||
meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
|
||||
}
|
||||
)).override {
|
||||
self = python27';
|
||||
pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
|
||||
# strip down that python version as much as possible
|
||||
openssl = null;
|
||||
bzip2 = null;
|
||||
readline = null;
|
||||
ncurses = null;
|
||||
gdbm = null;
|
||||
sqlite = null;
|
||||
libffi = null;
|
||||
rebuildBytecode = false;
|
||||
stripBytecode = true;
|
||||
strip2to3 = true;
|
||||
stripConfig = true;
|
||||
stripIdlelib = true;
|
||||
stripTests = true;
|
||||
enableOptimizations = false;
|
||||
};
|
||||
callPackage = lib.callPackageWith pkgs;
|
||||
callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });
|
||||
source = callPackage ./source.nix { };
|
||||
deps = callPackage ./deps.nix { };
|
||||
in
|
||||
|
|
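Review bot: The comment block above `meta = (old.meta or { }) // { knownVulnerabilities = [ ]; }` justifies clearing the vulnerability list with the claim that `python27'` is only used at build time, but nothing in the hunk enforces that; since `python27'` is injected into the `callPackage` scope handed to `./source.nix` and `./deps.nix`, a later change that leaves it in a runtime closure would ship a vulnerability-flagged interpreter with no evaluation-time warning. Consider pinning the assumption where the resholve output is built (outside this hunk) with `disallowedRequisites = [ python27' ];`, so the build fails if the stripped interpreter ever ends up in the output closure. The same rationale is currently stated twice (once above `config.permittedInsecurePackages`, once above the `meta` override); a single comment such as `# Build-time only: python27' must never reach a runtime closure; see #201859 for why knownVulnerabilities is cleared here.` would say it once and point at the enforcement.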