diff --git a/pkgs/development/misc/resholve/default.nix b/pkgs/development/misc/resholve/default.nix
index b2ee3c1d1b57..6b8e71994189 100644
--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
@@ -1,8 +1,19 @@
-{ callPackage
+{ lib
+, pkgsBuildHost
+, system
 , ...
 }:
 
 let
+  pkgs = import ../../../.. {
+    inherit system;
+    # Allow python27 with known security issues only for resholve,
+    # see issue #201859 for the reasoning
+    # In resholve case this should not be a security issue,
+    # since it will only be used during build, not runtime
+    config.permittedInsecurePackages = [ pkgsBuildHost.python27.name ];
+  };
+  callPackage = lib.callPackageWith pkgs;
   source = callPackage ./source.nix { };
   deps = callPackage ./deps.nix { };
 in
diff --git a/pkgs/development/misc/resholve/deps.nix b/pkgs/development/misc/resholve/deps.nix
index 604bfa872c25..43882c20cf6c 100644
--- a/pkgs/development/misc/resholve/deps.nix
+++ b/pkgs/development/misc/resholve/deps.nix
@@ -1,4 +1,5 @@
 { callPackage
+, python27
 , ...
 }:
 
@@ -14,5 +15,5 @@
 
 rec {
   # binlore = callPackage ./binlore.nix { };
-  oil = callPackage ./oildev.nix { };
+  oil = callPackage ./oildev.nix { inherit python27; };
 }
diff --git a/pkgs/development/misc/resholve/oildev.nix b/pkgs/development/misc/resholve/oildev.nix
index 00855e7f7bcc..854cbb2a0056 100644
--- a/pkgs/development/misc/resholve/oildev.nix
+++ b/pkgs/development/misc/resholve/oildev.nix
@@ -1,6 +1,6 @@
 { lib
 , stdenv
-, python27Packages
+, python27
 , callPackage
 , fetchFromGitHub
 , makeWrapper
@@ -32,7 +32,7 @@ rec {
     '';
   };
 
-  py-yajl = python27Packages.buildPythonPackage rec {
+  py-yajl = python27.pkgs.buildPythonPackage rec {
     pname = "oil-pyyajl-unstable";
     version = "2019-12-05";
     src = fetchFromGitHub {
@@ -51,7 +51,7 @@ rec {
     (or accepting all of the patches we need to do so).
     This creates one without disturbing upstream too much.
   */
-  oildev = python27Packages.buildPythonPackage rec {
+  oildev = python27.pkgs.buildPythonPackage rec {
     pname = "oildev-unstable";
     version = "2021-07-14";
 
@@ -95,7 +95,7 @@ rec {
 
     nativeBuildInputs = [ re2c file makeWrapper ];
 
-    propagatedBuildInputs = with python27Packages; [ six typing ];
+    propagatedBuildInputs = with python27.pkgs; [ six typing ];
 
     doCheck = true;
 
diff --git a/pkgs/development/misc/resholve/resholve.nix b/pkgs/development/misc/resholve/resholve.nix
index 435cca919da6..6a71962fd4c5 100644
--- a/pkgs/development/misc/resholve/resholve.nix
+++ b/pkgs/development/misc/resholve/resholve.nix
@@ -1,7 +1,7 @@
 { lib
 , stdenv
 , callPackage
-, python27Packages
+, python27
 , installShellFiles
 , rSrc
 , version
@@ -10,7 +10,7 @@
 , resholve-utils
 }:
 
-python27Packages.buildPythonApplication {
+python27.pkgs.buildPythonApplication {
   pname = "resholve";
   inherit version;
   src = rSrc;
@@ -19,7 +19,7 @@ python27Packages.buildPythonApplication {
 
   propagatedBuildInputs = [
     oildev
-    python27Packages.configargparse
+    python27.pkgs.configargparse
   ];
 
   postPatch = ''
@@ -40,7 +40,7 @@ python27Packages.buildPythonApplication {
 
   passthru = {
     inherit (resholve-utils) mkDerivation phraseSolution writeScript writeScriptBin;
-    tests = callPackage ./test.nix { inherit rSrc binlore; };
+    tests = callPackage ./test.nix { inherit rSrc binlore python27; };
   };
 
   meta = with lib; {