The package set hasn't been working for a long time now, due to infinite
recursions that nobody was going to fix.
The release is going to go EOL in 2023/06 and we don't want to ship it
in NixOS 23.05 anyway.
Without `--with-system-{ffi,expat}` flags, Python will use its own
embedded libraries that are out-of-date. Thanks to it, they can be a
security issue. So let's use our own libraries instead.
This is already what Python 3.x does, so should be safe.
This PR strips down the modified `python27` derivation used by `resholve`. The
idea is to reduce the possible security issues, and also to make it easier to
bootstrap.
ActiveState is a company that is maintaining a fork of Python 2 to fix
its security issues. Their support is paid, however the code is
open-source. See the details here:
https://www.activestate.com/products/python/python-2-end-of-life-security-updates/
This enables us to drop a bunch of CVE patches for Python 2.7 and also
it should be easier to maintain, since we can just bump the version once
ActiveState tags a new version.
Before the change, separate-debug-info.sh did the stripping itself.
This scheme has a few problems:

1. Stripping happens only on ELF files. *.a and *.o files are skipped.
   Derivations have to do it manually. Usually incorrectly
   as they don't run $RANLIB (true for `glibc` and `musl`).
2. Stripping happens on all paths. Ideally only `stripDebugList` paths
   should be considered.
3. Host strip is called on Target files.

This change offloads the stripping logic to the strip hook. This strips more
files for `glibc` and `musl`. Now we can remove most $STRIP calls
from individual derivations.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Python package sets can be overridden by overriding an interpreter
and passing in `packageOverrides = self: super: {...};`. This is fine
in case you need a single interpreter, however, it does not help you
when you want to override all sets.
With this change it is possible to override all sets at once by
appending a list of "extensions" to `pythonPackagesExtensions`.
From reading the implementation you might wonder why a list is used, and
not `lib.composeExtensions`? The reason is the latter requires knowledge of
the library function. This approach should be easier for most users
as it is similar to how we append to lists of e.g. inputs or patches
when overriding a derivation.
The PEP600 standard gives Python's naming scheme for various
architectures; it follows the convention which was in use by Fedora in
2014. According to PEP600, the architecture name for Power PC is
`ppc64le`, not `powerpc64le`. This is also how python3 declares its
"supported wheels" under Debian on PowerPC, as checked with `pip debug
--verbose`

    $ pip debug --verbose | grep powerpc
    $ pip debug --verbose | grep ppc | head
    cp39-cp39-manylinux_2_31_ppc64le
    cp39-cp39-manylinux_2_30_ppc64le
    cp39-cp39-manylinux_2_29_ppc64le
    cp39-cp39-manylinux_2_28_ppc64le
    cp39-cp39-manylinux_2_27_ppc64le
    cp39-cp39-manylinux_2_26_ppc64le
    cp39-cp39-manylinux_2_25_ppc64le
    cp39-cp39-manylinux_2_24_ppc64le
    cp39-cp39-manylinux_2_23_ppc64le

Let's adjust the `pythonHostPlatform` expression in
cpython/default.nix to pass the architecture using the naming scheme
Python expects.
Verified on a Raptor Computing Systems Talos II. Without this commit,
PyQt5 fails to build, failing with "unsupported wheel". With this
commit, it builds successfully.