authorFabián Heredia Montiel <fabianhjr@protonmail.com>2022-11-18 23:48:21 -0600
committerFabián Heredia Montiel <fabianhjr@protonmail.com>2023-01-07 16:25:35 -0600
commitd9fbb33f9296d7ee11ac40be190f0d739b3f1f58 (patch)
tree204fdfd2e3ec1e65ba9240ba1e4b7210bbc65463 /pkgs
parenteb45903a251728e63842ede3911b7415191b0c4e (diff)
python27: mark as vulnerable/insecure due to EOL on 2020-01-01
More information: https://www.activestate.com/products/python/python-2-end-of-life-security-updates/
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/development/interpreters/python/cpython/2.7/default.nix12
1 files changed, 9 insertions, 3 deletions
diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix
index a702f9fd3f353..c3c0687d2cfc5 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@@ -351,8 +351,14 @@ in with passthru; stdenv.mkDerivation ({
       license = lib.licenses.psfl;
       platforms = lib.platforms.all;
       maintainers = with lib.maintainers; [ fridh thiagokokada ];
-      # Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2`
-      # in case both 2 and 3 are installed.
-      priority = -100;
+      knownVulnerabilities = [
+        "Python 2.7 has reached its end of life after 2020-01-01. See https://www.python.org/doc/sunset-python-2/."
+        # Quote: That means that we will not improve it anymore after that day,
+        # even if someone finds a security problem in it. You should upgrade to
+        # Python 3 as soon as you can. [..] So, in 2008, we announced that we
+        # would sunset Python 2 in 2015, and asked people to upgrade before
+        # then. Some did, but many did not. So, in 2014, we extended that
+        # sunset till 2020.
+      ];
     };
   } // crossCompileEnv)
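Review bot: The hunk drops `priority = -100` and its comment without any explanation in the code or the commit description, which only covers marking the package insecure. With the override gone, an environment that installs both Python 2 and Python 3 no longer resolves `/bin/python` to python2, and the two may instead conflict at equal priority. If the intent is that an end-of-life interpreter should not shadow Python 3, say so where the attribute used to be, e.g. `# No priority override: an EOL interpreter must not take /bin/python from Python 3.`. The `knownVulnerabilities` entry records only the EOL status, so readers should assume any security fix published after 2020-01-01 is missing rather than expect it to be listed here. The `meta` attribute set starts outside the hunk.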