From c44e0571fccee3d2da453e106bf947f8db575273 Mon Sep 17 00:00:00 2001
From: Thiago Kenji Okada
Date: Tue, 10 Jan 2023 18:21:04 +0000
Subject: resholve: mark it as knownVulnerabilities, allow resholve-utils usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We are marking `resholve` itself with `meta.knownVulnerabilities`, and overriding `resholve-utils` functions's `resholve` with `meta.knownVulnerabilities = [ ]`. This way, we can still use `resholve` at build-time without triggering security warnings, however we can't instantiate `resholve` itself. See:
```
$ nix-build -A resholve
error: Package ‘resholve-0.8.4’ in /.../nixpkgs/pkgs/development/misc/resholve/resholve.nix:48 is marked as insecure, refusing to evaluate.
$ nix-build -A ix
/nix/store/k8cvj1bfxkjj8zdg6kgm7r8942bbj7w7-ix-20190815
```
For debugging purposes, you can still bypass the security checks and instantiate `resholve` by:
```
$ NIXPKGS_ALLOW_INSECURE=1 nix-build -A resholve
/nix/store/77s87hhqymc6x9wpclb04zg5jwm6fsij-resholve-0.8.4
```
---
 pkgs/development/misc/resholve/default.nix | 18 +++++++++---------
 pkgs/development/misc/resholve/resholve.nix | 5 +++++
 2 files changed, 14 insertions(+), 9 deletions(-)
(limited to 'pkgs/development/misc')

diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix
index b90a65c06ed11..fa1de609d6acc 100644
--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
@@ -5,14 +5,12 @@
 }:
 
 let
- python27' = (pkgsBuildHost.python27.overrideAttrs (old:
- {
- # Overriding `meta.knownVulnerabilities` here, see #201859 for why it exists
- # In resholve case this should not be a security issue,
- # since it will only be used during build, not runtime
- meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
- }
- )).override {
+ removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
+ meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
+ });
+ # We are removing `meta.knownVulnerabilities` from `python27`,
+ # and setting it in `resholve` itself.
+ python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
 self = python27';
 pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
 # strip down that python version as much as possible
@@ -99,6 +97,8 @@ rec {
 # funcs to validate and phrase invocations of resholve
 # and use those invocations to build packages
 resholve-utils = callPackage ./resholve-utils.nix {
- inherit resholve;
+ # we can still use resholve-utils without triggering a security warn
+ # this is safe since we will only use `resholve` at build time
+ resholve = removeKnownVulnerabilities resholve;
 };
 }
diff --git a/pkgs/development/misc/resholve/resholve.nix b/pkgs/development/misc/resholve/resholve.nix
index d0ed5105ae4cd..839d744be2544 100644
--- a/pkgs/development/misc/resholve/resholve.nix
+++ b/pkgs/development/misc/resholve/resholve.nix
@@ -50,5 +50,10 @@ python27.pkgs.buildPythonApplication {
 license = with licenses; [ mit ];
 maintainers = with maintainers; [ abathur ];
 platforms = platforms.all;
+ knownVulnerabilities = [ ''
+ resholve depends on python27 (EOL). While it's safe to
+ run on trusted input in the build sandbox, you should
+ avoid running it on untrusted input.
+ '' ];
 };
 }
-- 
cgit 1.4.1
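Review bot: `removeKnownVulnerabilities` replaces the whole `knownVulnerabilities` list with `[ ]`, so it silences not only the python27-EOL notice but any other entry python27 — or, via the `@@ -99,6 +97,8 @@` hunk of this file, resholve — carries now or gains later; the comment above `python27'` should say so, e.g. `# Clears the whole list, not just the python27-EOL entry; re-check when python27 or resholve gains new advisories.` The removed comment's pointer to #201859 is also dropped, so the reason for overriding `knownVulnerabilities` at all is no longer discoverable from this file; carry that reference into the helper's comment. The same applies to `resholve = removeKnownVulnerabilities resholve;` in the second hunk, whose comment asserts build-time-only use without saying what in resholve-utils guarantees it. The `let` binding list continues outside this hunk.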
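Review bot: The `knownVulnerabilities` entry added here is cleared again in default.nix for the `resholve` handed to resholve-utils, but nothing in this file records that, so a maintainer editing this list will not know the override exists or that the two files must agree; add a comment above it such as `# NOTE: default.nix strips this list for the resholve used by resholve-utils; keep both in sync.` The `meta` attribute set this entry belongs to opens outside the hunk.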