python3Packages.nassl: improve overridden openssl versions#144939
python3Packages.nassl: improve overridden openssl versions#144939risicle merged 1 commit intoNixOS:masterfrom
Conversation
firstly override the correct respective base openssl version - this gives us an approximately appropriate set of patches and knownVulnerabilities to start with. filter patches that don't apply to the overridden source, fixing the build on darwin.
github-actions
bot
added
the
6.topic: python
ofborg
bot
added
10.rebuild-darwin: 1-10
There was a problem hiding this comment.
Is this a change related to fix macOS 🤔 ? Because I remember this package was working for x86_64-linux after this PR #144638.
If yes, wouldn't it be better to limit the openssl changes to macOS?
Edit: forget it, now I understand the changes.
There was a problem hiding this comment.
Result of nixpkgs-review pr 144939 run on x86_64-linux 1
5 packages marked as broken and skipped:
- python38Packages.nassl
- python38Packages.sslyze
- python39Packages.nassl
- python39Packages.sslyze
- sslyze
nix-build -A python3Packages.nassl
error: Package ‘openssl-1.0.2e’ in /home/thiagoko/Projects/nixpkgs/pkgs/development/libraries/openssl/default.nix:171 is marked as insecure, refusing to evaluate.
Known issues:
- Support for OpenSSL 1.0.2 ended with 2019.
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
b) for `nixos-rebuild` you can add ‘openssl-1.0.2e’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘openssl-1.0.2e’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
(use '--show-trace' to show detailed location information)
|
Yeah :(
|
|
Result of 4 packages built:
|
thiagokokada
left a comment
thiagokokada
left a comment
There was a problem hiding this comment.
Result of nixpkgs-review pr 144939 run on x86_64-darwin 1
2 packages failed to build:
- python39Packages.nassl
- sslyze (python39Packages.sslyze)
2 packages built:
- python38Packages.nassl
- python38Packages.sslyze
thiagokokada
left a comment
thiagokokada
left a comment
There was a problem hiding this comment.
Going to soft approve here since I think somebody else should also review the changes.
In my eyes the changes are good. At least the user will have to take a conscious decision of using a software that depends on insecure versions of OpenSSL.
|
@thiagokokada What macos version is this? Does it build from master on this machine? |
10.15.
|
|
Oh of course that's the bug I'm trying to fix. Could it have been the "trying to build the python 3.8 and 3.9 versions at the same time and colliding on ports" darwin problem? |
|
Result of 4 packages built:
Seems like a flaky test maybe?
Also possible. |
| opensslStatic = (openssl.override nasslOpensslArgs).overrideAttrs ( | ||
| opensslStatic = (openssl_1_1.override nasslOpensslArgs).overrideAttrs ( | ||
| oldAttrs: rec { | ||
| name = "openssl-${version}"; |
There was a problem hiding this comment.
| name = "openssl-${version}"; | |
| pname = "openssl"; |
There was a problem hiding this comment.
Nope, it needs name to fill out the download url.
There was a problem hiding this comment.
The openssl package in nixpkgs already uses pname + version in the download url. Maybe we should update it or not. I am not sure. Marking as unresolved so that it is clear where I wrote a comment.
There was a problem hiding this comment.
overrideAttrs needs to override name for the changes to be reflected. pname+version will be concatentated under name when invoked with stdenv.mkDerivation.
There was a problem hiding this comment.
This is done at multiple places wrong. I think this should change internally because it is very unintuitive.
|
Unfortunately marking it with |
You can use this trick to build to other architectures: https://nixos.wiki/wiki/NixOS_on_ARM#Compiling_through_QEMU It is slow, but in this case I don't think it will take that much time. |
|
Ok, I think this is a better state than previous, so am merging. |
|
(I was going to try simply omitting the legacy openssl on aarch64 thinking it might be optional, but I don't think it is) |
|
|
|
The thing is, making any of those conclusions involves us making judgements ourselves what constitutes a vulnerability that is "ok". You mention that nassl inherently uses insecure connections to do its' job - sure - but some of the CVEs involved have potential consequences beyond "your crypto could be broken". What we would not want is people using a vulnerable nassl and scanning a malicious site only to end up with remote (er.. local in this case) code execution without having been warned. I don't think we have the resources to be able to rule out this possibility (and reassess every time a new openssl vulnerability is revealed). I understand your reservations though and it did hurt a bit slapping this |
|
Fair enough, thanks for the quick reply! |
5 participants
Motivation for this change
ZHF #144627
Firstly override the correct respective base openssl version - this gives us an approximately appropriate set of patches and
knownVulnerabilitiesto start with.Filter patches that don't apply to the overridden source, fixing the build on darwin.
Add
knownVulnerabilitiesfor openssl 1.1.1h.Would appreciate an
aarch64-darwintester as I think I might have fixed it there too.Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)