python27: fix CVE-2021-23336

[dotlambda]

Motivation for this change

fixes #116917

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[mweinelt]

What is the source of the patchset? Is it python/cpython#24297? Looks like https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=255d1d464a7f45a20986aa014c78e85ef47e6591 in fact.

[mweinelt]

Anyway, not sure if this needs to go to staging, as we don't recurse into python27Packages for a while now.

[dotlambda]

What is the source of the patchset?

See the commit message.

[dotlambda]

Anyway, not sure if this needs to go to staging, as we don't recurse into python27Packages for a while now.

Nixpkgs-review listed more than 2000 packages. I guess most of these are only dependencies though.

[FRidh]

This is an API change. As is argued in https://bugs.python.org/issue42967, this should not have been merged into CPython (and I agree). By now, "the damage is done". It may cause some breakage with some other downstream packages. Be prepared to patch up failing packages that are still in use.

I won't merge this, but won't block it either.

[SuperSandro2000]

Be prepared to patch up failing packages that are still in use.

Python2 package are in a broken state anyway and regularly break üackages that still rely on them like nixops. Also from the issue it is not clear what will be broken.

[dotlambda]

I can confirm that nixops still builds.

[dotlambda]

Even though I agree with @FRidh's assessment that upstream shouldn't have merged the patch, I believe that we should go with (I believe) the majority of Linux distributions and apply this patch. We don't want our users to come across an unexpected difference to other distros.
If anyone agrees, please go ahead and merge.

[AndersonTorres]

IF the upstream merged this, can we get the upstream version then, instead of a specific distro patch?

[dotlambda]

Upstream only applied this patch to versions of Python that are still supported. Python 2.7 is not.

[AndersonTorres]

The other distros are using it.
The patch does not hurt anyone, and even better, it enhances security.
So the best course of action is to use it.
On the other hand, if py27 is abandonwared, we should do the same.

[mweinelt]

On the other hand, if py27 is abandonwared, we should do the same.

People keep python2.7 alive for example for NixOps. 😞

[7c6f434c]

People keep python2.7 alive for example for NixOps. 😞

I wonder if PyPy2 is going to be supported (might be, if the engine is the same, and Python2 parsing is not exactly a thing in need of updates), and if NixOps can be simply run on PyPy2

[AndersonTorres]

Can NixOps be rewritten in Py3?

[dotlambda]

Can NixOps be rewritten in Py3?

See NixOS/nixops#1242.

[AndersonTorres]

On the other hand, if py27 is abandonwared, we should do the same.

People keep python2.7 alive for example for NixOps.

Just to make it clear: I am not saying that we will drop the Py27 files now. We will just not care for them, at least not with the same motivation as before. After all, we erase nothing from a Git repo.