resholve: use stripped-down python27

This PR strips down the modified `python27` derivation used by `resholve`. The
idea is to reduce the scope for security issues, and also to make it easier to
bootstrap.
Thiago Kenji Okada 2022-12-12 18:32:12 +00:00
parent 01c02c84d3
commit 2e943fc060
2 changed files with 41 additions and 9 deletions


@ -31,6 +31,10 @@
, rebuildBytecode ? true
, reproducibleBuild ? false
, enableOptimizations ? false
, strip2to3 ? false
, stripConfig ? false
, stripIdlelib ? false
, stripTests ? false
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
}:
@ -318,6 +322,16 @@ in with passthru; stdenv.mkDerivation ({
postFixup = ''
# Include a sitecustomize.py file. Note it causes an error when it's in postInstall with 2.7.
cp ${../../sitecustomize.py} $out/${sitePackages}/sitecustomize.py
'' + optionalString strip2to3 ''
rm -R $out/bin/2to3 $out/lib/python*/lib2to3
'' + optionalString stripConfig ''
rm -R $out/bin/python*-config $out/lib/python*/config-*
'' + optionalString stripIdlelib ''
# Strip IDLE
rm -R $out/bin/idle* $out/lib/python*/idlelib
'' + optionalString stripTests ''
# Strip tests
rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
'';
enableParallelBuilding = true;
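Review bot: In the stripTests branch, `$out/lib/python*/**/test{,s}` relies on `**` matching across directory levels, but without `shopt -s globstar` (which, as far as I can tell, stdenv's bash does not enable) it behaves like a single `*`, so only one level of nested test directories is removed; and because `rm -R` is used without `-f`, any brace-expanded pattern that matches nothing is passed literally and aborts the build. A find-based form avoids both problems: `find $out/lib/python*/ -type d \( -name test -o -name tests \) -prune -exec rm -R '{}' +`. The four new strip* options in the argument-list hunk above are undocumented; a comment such as `# strip*: remove optional tooling (2to3, *-config, IDLE, test suites) from $out to shrink the closure` would help callers. The postFixup assignment is within the hunk, but the derivation it belongs to starts and ends outside it.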


@ -1,19 +1,37 @@
{ lib
, stdenv
, pkgs
, pkgsBuildHost
, ...
}:
let
pkgs = import ../../../.. {
inherit (stdenv.hostPlatform) system;
# Allow python27 with known security issues only for resholve,
# see issue #201859 for the reasoning
python27' = (pkgsBuildHost.python27.overrideAttrs (old:
{
# Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
# In resholve case this should not be a security issue,
# since it will only be used during build, not runtime
config.permittedInsecurePackages = [ pkgsBuildHost.python27.name ];
meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
}
)).override {
self = python27';
pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
# strip down that python version as much as possible
openssl = null;
bzip2 = null;
readline = null;
ncurses = null;
gdbm = null;
sqlite = null;
libffi = null;
rebuildBytecode = false;
stripBytecode = true;
strip2to3 = true;
stripConfig = true;
stripIdlelib = true;
stripTests = true;
enableOptimizations = false;
};
callPackage = lib.callPackageWith pkgs;
callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });
source = callPackage ./source.nix { };
deps = callPackage ./deps.nix { };
in
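Review bot: Clearing `meta.knownVulnerabilities` on `python27'` removes the only gate nixpkgs applies to this interpreter, and the comment justifies it by saying the package is build-only, but nothing enforces that: `python27'` is injected into the `callPackage` scope via `pkgs // { python27 = python27'; }`, so any derivation in deps.nix or source.nix that references it from a wrapper, shebang or propagated input would silently carry it into a runtime closure. Consider backing the comment with a check in the consuming derivations (outside this hunk), e.g. `disallowedReferences = [ python27' ];`, so the build fails if the stripped interpreter leaks into `$out`. Setting `openssl`, `sqlite`, `libffi` and friends to `null` is a sound surface reduction, but a short comment stating which stdlib modules resholve's build actually needs (and that `ssl` is presumably unavailable as a result) would document the assumption for the next maintainer. The `let` body that uses these bindings starts after the hunk.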