| blob | b995561a9c8761144c54c284b7b3808e3f711e22 |
1 {
2 lib,
3 pkgsBuildHost,
4 ...
5 }:
7 let
8 removeKnownVulnerabilities =
9 pkg:
10 pkg.overrideAttrs (old: {
11 meta = (old.meta or { }) // {
12 knownVulnerabilities = [ ];
13 };
14 });
15 # We are removing `meta.knownVulnerabilities` from `python27`,
16 # and setting it in `resholve` itself.
17 python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
18 self = python27';
19 pkgsBuildHost = pkgsBuildHost // {
20 python27 = python27';
21 };
22 # strip down that python version as much as possible
23 openssl = null;
24 bzip2 = null;
25 readline = null;
26 ncurses = null;
27 gdbm = null;
28 sqlite = null;
29 rebuildBytecode = false;
30 stripBytecode = true;
31 strip2to3 = true;
32 stripConfig = true;
33 stripIdlelib = true;
34 stripTests = true;
35 enableOptimizations = false;
36 };
37 callPackage = lib.callPackageWith (pkgsBuildHost // { python27 = python27'; });
38 source = callPackage ./source.nix { };
39 deps = callPackage ./deps.nix { };
40 in
41 rec {
42 # not exposed in all-packages
43 resholveBuildTimeOnly = removeKnownVulnerabilities resholve;
44 # resholve itself
45 resholve = (
46 callPackage ./resholve.nix {
47 inherit (source) rSrc version;
48 inherit (deps.oil) oildev;
49 inherit (deps) configargparse;
50 inherit resholve-utils;
51 # used only in tests
52 resholve = resholveBuildTimeOnly;
53 }
54 );
55 # funcs to validate and phrase invocations of resholve
56 # and use those invocations to build packages
57 resholve-utils = callPackage ./resholve-utils.nix {
58 # we can still use resholve-utils without triggering a security warn
59 # this is safe since we will only use `resholve` at build time
60 resholve = resholveBuildTimeOnly;
61 };
62 }