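# Package set for resholve (this is a Nix expression, not OCaml).
#
# Builds a minimal Python 2.7 interpreter, wires it into a private
# `callPackage` scope, and exposes `resholve`, `resholve-utils` and a
# build-time-only variant of `resholve`.
#
# Security context: `meta.knownVulnerabilities` is deliberately cleared in
# two places below. nixpkgs refuses to evaluate a package whose
# `meta.knownVulnerabilities` is non-empty unless the user opts in (for
# example through `permittedInsecurePackages`), so each clearing is a waiver
# of that gate and should be reviewed as one.
{ lib
, pkgs
, pkgsBuildHost
, ...
}:

let
  # Returns `pkg` with `meta.knownVulnerabilities` reset to the empty list.
  # This only silences the advisory metadata on the resulting derivation; it
  # does not patch or otherwise change the package being built. Keep its use
  # limited to the cases justified below.
  removeKnownVulnerabilities = pkg: pkg.overrideAttrs (old: {
    meta = (old.meta or { }) // { knownVulnerabilities = [ ]; };
  });

  # We are removing `meta.knownVulnerabilities` from `python27`,
  # and setting it in `resholve` itself, so the advisory is reported on the
  # package users actually install rather than on the interpreter.
  # NOTE(review): the advisory text lives in ./resholve.nix, which is not
  # visible here; confirm it is still set there whenever this file changes.
  python27' = (removeKnownVulnerabilities pkgsBuildHost.python27).override {
    # Point the interpreter's self-references at this overridden build, so
    # nothing falls back to the unmodified `python27`.
    self = python27';
    pkgsBuildHost = pkgsBuildHost // { python27 = python27'; };
    # Strip down that python version as much as possible: optional
    # libraries are disabled, and tests, idlelib, 2to3, config and bytecode
    # are left out of the output.
    openssl = null;
    bzip2 = null;
    readline = null;
    ncurses = null;
    gdbm = null;
    sqlite = null;
    rebuildBytecode = false;
    stripBytecode = true;
    strip2to3 = true;
    stripConfig = true;
    stripIdlelib = true;
    stripTests = true;
    enableOptimizations = false;
  };

  # Private `callPackage` scope in which `python27` resolves to the stripped
  # interpreter above; every file called through it receives `python27'`.
  callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });
  source = callPackage ./source.nix { };
  deps = callPackage ./deps.nix { };
in
rec {
  # Not exposed in all-packages.
  # `resholve` with its `knownVulnerabilities` cleared, for use as a build
  # tool only. The waiver rests on the build-time-only assumption stated on
  # `resholve-utils` below; nothing in this file enforces it, so new
  # consumers of this attribute need the same justification.
  resholveBuildTimeOnly = removeKnownVulnerabilities resholve;

  # resholve itself (keeps whatever `meta` ./resholve.nix assigns).
  resholve = callPackage ./resholve.nix {
    inherit (source) rSrc version;
    inherit (deps.oil) oildev;
    inherit (deps) configargparse;
    inherit resholve-utils;
    # used only in tests
    resholve = resholveBuildTimeOnly;
  };

  # Functions to validate and phrase invocations of resholve,
  # and use those invocations to build packages.
  resholve-utils = callPackage ./resholve-utils.nix {
    # We can still use resholve-utils without triggering the
    # known-vulnerabilities evaluation check.
    # This is safe since we will only use `resholve` at build time.
    resholve = resholveBuildTimeOnly;
  };
}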