From e13660c50c1f8e76158dff19602206a67806db04 Mon Sep 17 00:00:00 2001 From: Thiago Kenji Okada Date: Tue, 10 Jan 2023 18:06:09 +0000 Subject: [PATCH 1/5] resholve: remove openssl from python27 --- pkgs/development/misc/resholve/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix index f2db31c351ad..b90a65c06ed1 100644 --- a/pkgs/development/misc/resholve/default.nix +++ b/pkgs/development/misc/resholve/default.nix @@ -16,6 +16,7 @@ let self = python27'; pkgsBuildHost = pkgsBuildHost // { python27 = python27'; }; # strip down that python version as much as possible + openssl = null; bzip2 = null; readline = null; ncurses = null; From c44e0571fccee3d2da453e106bf947f8db575273 Mon Sep 17 00:00:00 2001 From: Thiago Kenji Okada Date: Tue, 10 Jan 2023 18:21:04 +0000 Subject: [PATCH 2/5] resholve: mark it as knownVulnerabilities, allow resholve-utils usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We are marking `resholve` itself with `meta.knownVulnerabilities`, and overriding `resholve-utils` functions's `resholve` with `meta.knownVulnerabilities = [ ]`. This way, we can still use `resholve` at build-time without triggering security warnings, however we can't instantiate `resholve` itself. See: ``` $ nix-build -A resholve error: Package ‘resholve-0.8.4’ in /.../nixpkgs/pkgs/development/misc/resholve/resholve.nix:48 is marked as insecure, refusing to evaluate. $ nix-build -A ix /nix/store/k8cvj1bfxkjj8zdg6kgm7r8942bbj7w7-ix-20190815 ``` For debugging purposes, you can still bypass the security checks and instantiate `resholve` by: ``` $ NIXPKGS_ALLOW_INSECURE=1 nix-build -A resholve /nix/store/77s87hhqymc6x9wpclb04zg5jwm6fsij-resholve-0.8.4 ``` --- pkgs/development/misc/resholve/default.nix | 18 +++++++++--------- pkgs/development/misc/resholve/resholve.nix | 5 +++++ 2 files changed, 14 insertions(+), 9 deletions(-) 
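Review bot: The added `openssl = null;` in the python27 override is the one entry in this strip-down list that changes a security property rather than just size, and the `# strip down that python version as much as possible` comment above it does not say so. Without OpenSSL the interpreter presumably builds without the `ssl` and `_hashlib` modules, so hashlib falls back to the bundled implementations and no TLS is possible; that is acceptable only because this python27 never runs outside the build sandbox. Suggest extending the comment: `# openssl = null also drops ssl/_hashlib; fine only because this interpreter is build-time only`. The enclosing `python27'` override starts and ends outside the hunk.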
diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix index b90a65c06ed1..fa1de609d6ac 100644 --- a/pkgs/development/misc/resholve/default.nix +++ b/pkgs/development/misc/resholve/default.nix @@ -5,14 +5,12 @@ }: let - python27' = (pkgsBuildHost.python27.overrideAttrs (old: - { - # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists - # In resholve case this should not be a security issue, - # since it will only be used during build, not runtime - meta = (old.meta or { }) // { knownVulnerabilities = [ ]; }; - } - )).override { + removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: { + meta = (old.meta or { }) // { knownVulnerabilities = [ ]; }; + }); + # We are removing `meta.knownVulnerabilities` from `python27`, + # and setting it in `resholve` itself. + python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override { self = python27'; pkgsBuildHost = pkgsBuildHost // { python27 = python27'; }; # strip down that python version as much as possible @@ -99,6 +97,8 @@ rec { # funcs to validate and phrase invocations of resholve # and use those invocations to build packages resholve-utils = callPackage ./resholve-utils.nix { - inherit resholve; + # we can still use resholve-utils without triggering a security warn + # this is safe since we will only use `resholve` at build time + resholve = removeKnownVulnerabilities resholve; }; } diff --git a/pkgs/development/misc/resholve/resholve.nix b/pkgs/development/misc/resholve/resholve.nix index d0ed5105ae4c..839d744be254 100644 --- a/pkgs/development/misc/resholve/resholve.nix +++ b/pkgs/development/misc/resholve/resholve.nix 
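Review bot: `removeKnownVulnerabilities` at the top of the first hunk replaces the entire `meta.knownVulnerabilities` list with `[ ]`, not only the python27 EOL entry, so any further entry added to `python27` (or, after the second hunk, to `resholve`) later is silently suppressed as well. The inline comment that explained why the override is safe (build-time only, ref #201859) is removed from default.nix and now survives only in the commit message. Suggest keeping that rationale next to the helper and making the blanket effect explicit: `# Clears every entry, not just the python27 EOL notice (see #201859); revisit if python27 or resholve gain a real CVE entry.` Filtering the list instead of replacing it would be stricter, but needs the exact EOL string and is probably more than this commit wants. The `let` block continues outside both hunks.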
@@ -50,5 +50,10 @@ python27.pkgs.buildPythonApplication { license = with licenses; [ mit ]; maintainers = with maintainers; [ abathur ]; platforms = platforms.all; + knownVulnerabilities = [ '' + resholve depends on python27 (EOL). While it's safe to + run on trusted input in the build sandbox, you should + avoid running it on untrusted input. + '' ]; }; } From 66093a4120eb63e0ec2a7b5c14031920b7a3078d Mon Sep 17 00:00:00 2001 From: Thiago Kenji Okada Date: Tue, 10 Jan 2023 18:32:47 +0000 Subject: [PATCH 3/5] python27: remove stripLibs argument Since we are now guarantee that the `resholve` is not exposing `python27`, let's remove the `stripLibs` hack that tried to reduce its size. --- .../python/cpython/2.7/default.nix | 11 +--- pkgs/development/misc/resholve/default.nix | 54 ------------------- 2 files changed, 1 insertion(+), 64 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index c3c0687d2cfc..cfcf487b4356 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -35,7 +35,6 @@ , stripConfig ? false , stripIdlelib ? false , stripTests ? false -, stripLibs ? [ ] , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}" }: @@ -322,15 +321,7 @@ in with passthru; stdenv.mkDerivation ({ '' + optionalString stripTests '' # Strip tests rm -R $out/lib/python*/test $out/lib/python*/**/test{,s} - '' + (concatStringsSep "\n" - (map - (lib: - '' - rm -vR $out/lib/python*/${lib} - # libraries in dynload (C libraries) may not exist, - # but when they exist they may be prefixed with _ - rm -vfR $out/lib/python*/lib-dynload/{,_}${lib} - '') stripLibs)); + ''; enableParallelBuilding = true; diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix index fa1de609d6ac..4247d1ab21d7 100644 --- a/pkgs/development/misc/resholve/default.nix 
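Review bot: The `knownVulnerabilities` entry added to `meta` says what the risk is but not what the intended path is: a user who hits the "marked as insecure" refusal after `nix-build -A resholve` gets no hint that `resholve-utils` / `resholve.mkDerivation` remain usable without `NIXPKGS_ALLOW_INSECURE`, which the commit message shows with the `ix` build. Suggest a third sentence in the string, e.g. `Use resholve-utils / resholve.mkDerivation, which are not affected, instead of the resholve attribute directly.` The phrase "it's safe to run on trusted input in the build sandbox" also reads as a guarantee; "considered acceptable" is more accurate for an EOL interpreter. The `meta` attrset opens outside the hunk.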
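Review bot: Dropping `, stripLibs ? [ ]` from the argument set in the first cpython hunk is an interface removal, not just dead-code cleanup: any remaining `python27.override { stripLibs = …; }` caller, in-tree or downstream, now fails evaluation with an unexpected-argument error instead of getting a no-op. The commit message asserts resholve was the only user, which is plausible since the second hunk removes the only consumer shown, but it does not record a search. If compatibility matters, keep the argument as an ignored parameter for one release: `, stripLibs ? [ ] # deprecated, no longer used`. The `stdenv.mkDerivation` call in the second hunk starts and ends outside the hunk.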
+++ b/pkgs/development/misc/resholve/default.nix @@ -26,60 +26,6 @@ let stripConfig = true; stripIdlelib = true; stripTests = true; - stripLibs = [ - # directories - "bsddb*" - "curses" - "compiler" - "ensurepip" - "hotshot" - "lib-tk" - "sqlite3" - # files - "aifc*" - "antigravity*" - "async*" - "*audio*" - "BaseHTTPServer*" - "Bastion*" - "binhex*" - "bdb*" - "CGIHTTPServer*" - "cgitb*" - "chunk*" - "colorsys*" - "dbhash*" - "dircache*" - "*dbm*" - "ftplib*" - "*hdr*" - "imaplib*" - "imputil*" - "MimeWriter*" - "mailbox*" - "mhlib*" - "mimify*" - "multifile*" - "netrc*" - "nntplib*" - "os2emxpath*" - "pyclbr*" - "pydoc*" - "SimpleHTTPServer*" - "sgmllib*" - "smtp*" - "ssl*" - "sun*" - "tabnanny*" - "telnetlib*" - "this*" - "wave*" - "webbrowser*" - "whichdb*" - "wsgiref*" - "xdrlib*" - "*XMLRPC*" - ]; enableOptimizations = false; }; callPackage = lib.callPackageWith (pkgs // { python27 = python27'; }); From 03ab899a453797d599d47391a9c2e5488076ec9e Mon Sep 17 00:00:00 2001 From: Thiago Kenji Okada Date: Tue, 10 Jan 2023 18:53:05 +0000 Subject: [PATCH 4/5] resholve-utils: set disallowedReferences for resholve.mkDerivation --- pkgs/development/misc/resholve/resholve-utils.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/misc/resholve/resholve-utils.nix b/pkgs/development/misc/resholve/resholve-utils.nix index 26bf492d23ab..d308f483458f 100644 --- a/pkgs/development/misc/resholve/resholve-utils.nix +++ b/pkgs/development/misc/resholve/resholve-utils.nix @@ -181,6 +181,7 @@ rec { src = unresholved; inherit version pname; buildInputs = [ resholve ]; + disallowedReferences = [ resholve ]; # retain a reference to the base passthru = unresholved.passthru // { From 1d77a869046c119ea50837ca1f94594b64985f77 Mon Sep 17 00:00:00 2001 
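Review bot: `disallowedReferences = [ resholve ];` only fails the build if the output refers to the resholve store path directly; a direct reference to the stripped python27 interpreter, which is the actual EOL component, or an indirect one through another build input is not caught. If the intent is that no EOL python reaches a resholved package's runtime closure, `disallowedRequisites` (a whole-closure check) is the stronger guard, and python27 belongs in the list too if it is in scope here — it is not visible in this hunk, so that may need an extra argument to resholve-utils.nix. A short comment would also help: `# resholve is build-time only; fail if it leaks into the output`. The `mkDerivation` call enclosing this attribute starts and ends outside the hunk.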
From: Thiago Kenji Okada Date: Tue, 10 Jan 2023 21:50:29 +0000 Subject: [PATCH 5/5] resholve: fix CLI tests --- pkgs/development/misc/resholve/default.nix | 6 +++++- pkgs/development/misc/resholve/resholve.nix | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix index 4247d1ab21d7..74f45f8ed3cc 100644 --- a/pkgs/development/misc/resholve/default.nix +++ b/pkgs/development/misc/resholve/default.nix @@ -33,18 +33,22 @@ let deps = callPackage ./deps.nix { }; in rec { + # not exposed in all-packages + resholveBuildTimeOnly = removeKnownVulnerabilities resholve; # resholve itself resholve = callPackage ./resholve.nix { inherit (source) rSrc version; inherit (deps.oil) oildev; inherit (deps) configargparse; inherit resholve-utils; + # used only in tests + resholve = resholveBuildTimeOnly; }; # funcs to validate and phrase invocations of resholve # and use those invocations to build packages resholve-utils = callPackage ./resholve-utils.nix { # we can still use resholve-utils without triggering a security warn # this is safe since we will only use `resholve` at build time - resholve = removeKnownVulnerabilities resholve; + resholve = resholveBuildTimeOnly; }; } diff --git a/pkgs/development/misc/resholve/resholve.nix b/pkgs/development/misc/resholve/resholve.nix index 839d744be254..28a0e401cf5d 100644 --- a/pkgs/development/misc/resholve/resholve.nix +++ b/pkgs/development/misc/resholve/resholve.nix @@ -8,6 +8,7 @@ , oildev , configargparse , binlore +, resholve , resholve-utils }: @@ -41,7 +42,7 @@ python27.pkgs.buildPythonApplication { passthru = { inherit (resholve-utils) mkDerivation phraseSolution writeScript writeScriptBin; - tests = callPackage ./test.nix { inherit rSrc binlore python27; }; + tests = callPackage ./test.nix { inherit rSrc binlore python27 resholve; }; }; meta = with lib; {
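Review bot: The `, resholve` argument added to resholve.nix (first hunk of that file) is the `knownVulnerabilities`-free variant built in default.nix as `resholveBuildTimeOnly`, and through the `rec` set it is lazily the very derivation this file defines, but nothing in resholve.nix records either fact; a reader sees a package taking itself as input with no explanation. Suggest annotating the argument: `, resholve # resholveBuildTimeOnly from default.nix: same package with meta.knownVulnerabilities cleared, used only by passthru.tests`. In default.nix the `# used only in tests` comment says what, but the `# not exposed in all-packages` line above `resholveBuildTimeOnly` could also say why it must stay unexposed (it bypasses the insecure check). The `rec` set and the `passthru` attrset both continue outside their hunks.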