# Package set for resholve: evaluates to an attribute set holding `resholve`,
# `resholveBuildTimeOnly` and `resholve-utils`, all wired to a private,
# stripped-down python27.
{ lib
, pkgs
, pkgsBuildHost
, ...
}:

let
  # Return `drv` with `meta.knownVulnerabilities` reset to the empty list.
  # This only silences the nixpkgs insecure-package check for that one
  # derivation; what gets built is unchanged, so every use below should stay
  # deliberate and explained.
  removeKnownVulnerabilities = drv: drv.overrideAttrs (prev: {
    meta = (prev.meta or { }) // { knownVulnerabilities = [ ]; };
  });

  # `meta.knownVulnerabilities` is cleared on `python27` here and set on
  # `resholve` itself instead (that assignment is not in this file;
  # presumably ./resholve.nix -- confirm).
  python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
    # Keep the interpreter self-referential, so both `self` and the
    # build-host package set it sees resolve to this cleared variant.
    self = python27';
    pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };

    # Strip this python down as far as possible: no optional library
    # dependencies ...
    openssl = null;
    bzip2 = null;
    readline = null;
    ncurses = null;
    gdbm = null;
    sqlite = null;

    # ... and none of the optional build outputs or optimisation passes.
    rebuildBytecode = false;
    stripBytecode = true;
    strip2to3 = true;
    stripConfig = true;
    stripIdlelib = true;
    stripTests = true;
    enableOptimizations = false;
  };

  # callPackage over `pkgs` with `python27` swapped for the variant above.
  callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });

  source = callPackage ./source.nix { };
  deps = callPackage ./deps.nix { };
in
rec {
  # resholve itself
  resholve = callPackage ./resholve.nix {
    rSrc = source.rSrc;
    version = source.version;
    oildev = deps.oil.oildev;
    configargparse = deps.configargparse;
    inherit resholve-utils;
    # used only in tests
    resholve = resholveBuildTimeOnly;
  };

  # Not exposed in all-packages: `resholve` with its known-vulnerability
  # marker cleared.
  resholveBuildTimeOnly = removeKnownVulnerabilities resholve;

  # Functions that validate and phrase invocations of resholve, and use
  # those invocations to build packages.
  resholve-utils = callPackage ./resholve-utils.nix {
    # Passing the cleared variant lets resholve-utils be used without
    # triggering a security warning. The stated rationale is that `resholve`
    # is only used at build time here.
    # NOTE(review): that rationale depends on python27' never ending up in
    # the runtime closure of packages built this way -- confirm.
    resholve = resholveBuildTimeOnly;
  };
}