author | Thiago Kenji Okada <thiagokokada@gmail.com> | 2023-01-10 18:21:04 +0000 |
committer | Thiago Kenji Okada <thiagokokada@gmail.com> | 2023-01-15 12:29:42 +0000 |
commit | c44e0571fccee3d2da453e106bf947f8db575273 (patch) | |
tree | c8a5d3653da185d391ec237e130891e001cb8eea /pkgs/development/misc | |
parent | e13660c50c1f8e76158dff19602206a67806db04 (diff) | |
resholve: mark it as knownVulnerabilities, allow resholve-utils usage
We are marking `resholve` itself with `meta.knownVulnerabilities`, and overriding the `resholve` used by the `resholve-utils` functions with `meta.knownVulnerabilities = [ ]`. This way, we can still use `resholve` at build time without triggering security warnings; however, we can't instantiate `resholve` itself. See: ``` $ nix-build -A resholve error: Package ‘resholve-0.8.4’ in /.../nixpkgs/pkgs/development/misc/resholve/resholve.nix:48 is marked as insecure, refusing to evaluate. $ nix-build -A ix /nix/store/k8cvj1bfxkjj8zdg6kgm7r8942bbj7w7-ix-20190815 ``` For debugging purposes, you can still bypass the security checks and instantiate `resholve` by: ``` $ NIXPKGS_ALLOW_INSECURE=1 nix-build -A resholve /nix/store/77s87hhqymc6x9wpclb04zg5jwm6fsij-resholve-0.8.4 ```
Diffstat (limited to 'pkgs/development/misc')
-rw-r--r-- | pkgs/development/misc/resholve/default.nix | 18 | ||||
-rw-r--r-- | pkgs/development/misc/resholve/resholve.nix | 5 |
2 files changed, 14 insertions, 9 deletions
diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix
index b90a65c06ed..fa1de609d6a 100644
--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
@@ -5,14 +5,12 @@
 }:
 let
-  python27' = (pkgsBuildHost.python27.overrideAttrs (old:
-    {
-      # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
-      # In resholve case this should not be a security issue,
-      # since it will only be used during build, not runtime
-      meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
-    }
-  )).override {
+  removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
+    meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
+  });
+  # We are removing `meta.knownVulnerabilities` from `python27`,
+  # and setting it in `resholve` itself.
+  python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
     self = python27';
     pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
     # strip down that python version as much as possible
@@ -99,6 +97,8 @@ rec {
   # funcs to validate and phrase invocations of resholve
   # and use those invocations to build packages
   resholve-utils = callPackage ./resholve-utils.nix {
-    inherit resholve;
+    # we can still use resholve-utils without triggering a security warn
+    # this is safe since we will only use `resholve` at build time
+    resholve = removeKnownVulnerabilities resholve;
   };
 }
diff --git a/pkgs/development/misc/resholve/resholve.nix b/pkgs/development/misc/resholve/resholve.nix
index d0ed5105ae4..839d744be25 100644
--- a/pkgs/development/misc/resholve/resholve.nix
+++ b/pkgs/development/misc/resholve/resholve.nix
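Review bot: The new helper `removeKnownVulnerabilities` in the first hunk blanks the whole `meta.knownVulnerabilities` list rather than the single python27 EOL entry, so any advisory later added to python27 — or to resholve itself, through the second hunk's `resholve = removeKnownVulnerabilities resholve;` — would be silently suppressed for every build-time consumer of resholve-utils. The comment above `python27'` should state that scope, and the pointer to #201859 that the removed comment carried is lost in the rewrite; I would write `# Blanks the whole list, not just the python27 EOL entry; re-check this when python27 or resholve gain new advisories. See #201859 for why python27 carries knownVulnerabilities.` Filtering the list down to the one known entry would keep future advisories visible, but that depends on the entry's exact text in python27's derivation, which is not shown here. The `rec { … }` attribute set closed by the second hunk starts outside the hunk.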
@@ -50,5 +50,10 @@ python27.pkgs.buildPythonApplication {
     license = with licenses; [ mit ];
     maintainers = with maintainers; [ abathur ];
     platforms = platforms.all;
+    knownVulnerabilities = [ ''
+      resholve depends on python27 (EOL). While it's safe to
+      run on trusted input in the build sandbox, you should
+      avoid running it on untrusted input.
+    '' ];
   };
 }
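Review bot: The new `knownVulnerabilities` entry tells the reader what is wrong but not what to do instead, and the "marked as insecure, refusing to evaluate" error quoted in the commit description is the first thing a user hits. Since build-time use through `resholve-utils` is the supported path, the entry should name it, e.g. append `Use it through resholve-utils at build time instead of instantiating this package directly.` to the string. The sentence "it's safe to run on trusted input in the build sandbox" presumes sandboxed builds are enabled, which a Nix installation can turn off, so "with sandboxed builds enabled" would state the actual precondition. The `buildPythonApplication { … }` call that this hunk closes starts outside the hunk.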