Merge pull request #210078 from thiagokokada/dont-expose-resholve

resholve: mark it as knownVulnerabilities, allow resholve-utils usage

pkgs/development/interpreters/python/cpython/2.7/default.nix

@@ -35,7 +35,6 @@
 , stripConfig ? false
 , stripIdlelib ? false
 , stripTests ? false
-, stripLibs ? [ ]
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:
 
@@ -322,15 +321,7 @@ in with passthru; stdenv.mkDerivation ({
     '' + optionalString stripTests ''
       # Strip tests
       rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
-    '' + (concatStringsSep "\n"
-          (map
-            (lib:
-              ''
-                rm -vR $out/lib/python*/${lib}
-                # libraries in dynload (C libraries) may not exist,
-                # but when they exist they may be prefixed with _
-                rm -vfR $out/lib/python*/lib-dynload/{,_}${lib}
-              '') stripLibs));
+    '';
 
     enableParallelBuilding = true;
 

pkgs/development/misc/resholve/default.nix

@@ -5,17 +5,16 @@
 }:
 
 let
-  python27' = (pkgsBuildHost.python27.overrideAttrs (old:
-    {
-      # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
-      # In resholve case this should not be a security issue,
-      # since it will only be used during build, not runtime
-      meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
-    }
-  )).override {
+  removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
+    meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
+  });
+  # We are removing `meta.knownVulnerabilities` from `python27`,
+  # and setting it in `resholve` itself.
+  python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
     self = python27';
     pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
     # strip down that python version as much as possible
+    openssl = null;
     bzip2 = null;
     readline = null;
     ncurses = null;
@@ -27,60 +26,6 @@ let
     stripConfig = true;
     stripIdlelib = true;
     stripTests = true;
-    stripLibs = [
-      # directories
-      "bsddb*"
-      "curses"
-      "compiler"
-      "ensurepip"
-      "hotshot"
-      "lib-tk"
-      "sqlite3"
-      # files
-      "aifc*"
-      "antigravity*"
-      "async*"
-      "*audio*"
-      "BaseHTTPServer*"
-      "Bastion*"
-      "binhex*"
-      "bdb*"
-      "CGIHTTPServer*"
-      "cgitb*"
-      "chunk*"
-      "colorsys*"
-      "dbhash*"
-      "dircache*"
-      "*dbm*"
-      "ftplib*"
-      "*hdr*"
-      "imaplib*"
-      "imputil*"
-      "MimeWriter*"
-      "mailbox*"
-      "mhlib*"
-      "mimify*"
-      "multifile*"
-      "netrc*"
-      "nntplib*"
-      "os2emxpath*"
-      "pyclbr*"
-      "pydoc*"
-      "SimpleHTTPServer*"
-      "sgmllib*"
-      "smtp*"
-      "ssl*"
-      "sun*"
-      "tabnanny*"
-      "telnetlib*"
-      "this*"
-      "wave*"
-      "webbrowser*"
-      "whichdb*"
-      "wsgiref*"
-      "xdrlib*"
-      "*XMLRPC*"
-    ];
     enableOptimizations = false;
   };
   callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });
@@ -88,16 +33,22 @@ let
   deps = callPackage ./deps.nix { };
 in
 rec {
+  # not exposed in all-packages
+  resholveBuildTimeOnly = removeKnownVulnerabilities resholve;
   # resholve itself
   resholve = callPackage ./resholve.nix {
     inherit (source) rSrc version;
     inherit (deps.oil) oildev;
     inherit (deps) configargparse;
     inherit resholve-utils;
+    # used only in tests
+    resholve = resholveBuildTimeOnly;
   };
   # funcs to validate and phrase invocations of resholve
   # and use those invocations to build packages
   resholve-utils = callPackage ./resholve-utils.nix {
-    inherit resholve;
+    # we can still use resholve-utils without triggering a security warn
+    # this is safe since we will only use `resholve` at build time
+    resholve = resholveBuildTimeOnly;
   };
 }

pkgs/development/misc/resholve/resholve-utils.nix

@@ -181,6 +181,7 @@ rec {
       src = unresholved;
       inherit version pname;
       buildInputs = [ resholve ];
+      disallowedReferences = [ resholve ];
 
       # retain a reference to the base
       passthru = unresholved.passthru // {

pkgs/development/misc/resholve/resholve.nix

@@ -8,6 +8,7 @@
 , oildev
 , configargparse
 , binlore
+, resholve
 , resholve-utils
 }:
 
@@ -41,7 +42,7 @@ python27.pkgs.buildPythonApplication {
 
   passthru = {
     inherit (resholve-utils) mkDerivation phraseSolution writeScript writeScriptBin;
-    tests = callPackage ./test.nix { inherit rSrc binlore python27; };
+    tests = callPackage ./test.nix { inherit rSrc binlore python27 resholve; };
   };
 
   meta = with lib; {
@@ -50,5 +51,10 @@ python27.pkgs.buildPythonApplication {
     license = with licenses; [ mit ];
     maintainers = with maintainers; [ abathur ];
     platforms = platforms.all;
+    knownVulnerabilities = [ ''
+      resholve depends on python27 (EOL). While it's safe to
+      run on trusted input in the build sandbox, you should
+      avoid running it on untrusted input.
+    '' ];
   };
 }