resholve: mark it as knownVulnerabilities, allow resholve-utils usage
We are marking `resholve` itself with `meta.knownVulnerabilities`, and overriding the `resholve` used by the `resholve-utils` functions with `meta.knownVulnerabilities = [ ]`. This way, we can still use `resholve` at build time without triggering security warnings; however, we cannot instantiate `resholve` itself. See: ``` $ nix-build -A resholve error: Package ‘resholve-0.8.4’ in /.../nixpkgs/pkgs/development/misc/resholve/resholve.nix:48 is marked as insecure, refusing to evaluate. $ nix-build -A ix /nix/store/k8cvj1bfxkjj8zdg6kgm7r8942bbj7w7-ix-20190815 ``` For debugging purposes, you can still bypass the security checks and instantiate `resholve` by: ``` $ NIXPKGS_ALLOW_INSECURE=1 nix-build -A resholve /nix/store/77s87hhqymc6x9wpclb04zg5jwm6fsij-resholve-0.8.4 ```
This commit is contained in:
parent
e13660c50c
commit
c44e0571fc
|
@ -5,14 +5,12 @@
|
|||
}:
|
||||
|
||||
let
|
||||
python27' = (pkgsBuildHost.python27.overrideAttrs (old:
|
||||
{
|
||||
# Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
|
||||
# In resholve case this should not be a security issue,
|
||||
# since it will only be used during build, not runtime
|
||||
meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
|
||||
}
|
||||
)).override {
|
||||
removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
|
||||
meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
|
||||
});
|
||||
# We are removing `meta.knownVulnerabilities` from `python27`,
|
||||
# and setting it in `resholve` itself.
|
||||
python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
|
||||
self = python27';
|
||||
pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
|
||||
# strip down that python version as much as possible
|
||||
|
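Review bot: The new comment above the `python27'` binding drops the pointer to #201859 that the removed comment carried, so a reader of the new code no longer learns why the override exists or when it can be retired. Since `removeKnownVulnerabilities` now clears the attribute for whatever package it is given, I would document its scope at the helper itself: `# Clear meta.knownVulnerabilities so an EOL package can be used as a build-time-only dependency (see #201859); the advisory is restated on resholve itself.` Note that the helper replaces the list with `[ ]` rather than filtering it, so any other advisory on the wrapped package is discarded as well, which is acceptable here but worth stating. The enclosing `let` block continues past the hunk.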
@ -99,6 +97,8 @@ rec {
|
|||
# funcs to validate and phrase invocations of resholve
|
||||
# and use those invocations to build packages
|
||||
resholve-utils = callPackage ./resholve-utils.nix {
|
||||
inherit resholve;
|
||||
# we can still use resholve-utils without triggering a security warn
|
||||
# this is safe since we will only use `resholve` at build time
|
||||
resholve = removeKnownVulnerabilities resholve;
|
||||
};
|
||||
}
|
||||
|
|
|
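Review bot: The comment added above `resholve = removeKnownVulnerabilities resholve;` justifies the override by build-time-only use, but the advisory-free derivation is exactly what `resholve-utils` receives, and nothing in this hunk prevents a consumer of those functions from exposing it further. I would extend the comment to make that boundary explicit: `# the advisory-free derivation is for build-time use only; do not re-export it as a user-facing package`. On this rendered page the side markers are lost; the hunk counts (`-99,6 +97,8`) are consistent with `inherit resholve;` being the removed line, and if it had survived next to the new assignment Nix would reject the duplicate `resholve` attribute, so that is worth a glance on the raw diff.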
@ -50,5 +50,10 @@ python27.pkgs.buildPythonApplication {
|
|||
license = with licenses; [ mit ];
|
||||
maintainers = with maintainers; [ abathur ];
|
||||
platforms = platforms.all;
|
||||
knownVulnerabilities = [ ''
|
||||
resholve depends on python27 (EOL). While it's safe to
|
||||
run on trusted input in the build sandbox, you should
|
||||
avoid running it on untrusted input.
|
||||
'' ];
|
||||
};
|
||||
}
|
||||
|
|
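Review bot: The `knownVulnerabilities` entry states the risk but carries no reference, so a user or maintainer cannot tell what the advisory is tied to or when it can be lifted. Such entries usually point at an issue or advisory; I would append a pointer such as `python27 is EOL; see #201859` (the issue the removed comment in the same commit cited) to the string. The enclosing `meta` attrset starts before the hunk.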