nixpkgs/pkgs/top-level/python2-packages.nix
Theodore Ni 4fc97dce3c
python310Packages.cffi: patch closures to work on M1 machines
Trusts the libffi library inside of nixpkgs on Apple devices.

When Apple's fork of libffi is not detected, cffi assumes that libffi
uses a strategy for creating closures (i.e. callbacks) that is in
certain cases susceptible to a security exploit.

Based on some analysis I did:

  https://groups.google.com/g/python-cffi/c/xU0Usa8dvhk

I believe that libffi already contains the code from Apple's fork that
is deemed safe to trust in cffi.

It uses a more sophisticated strategy for creating trampolines to
support closures that works on Apple Silicon, while the simple approach
that cffi falls back on does not, so this patch enables code that uses
closures on M1 Macs again.

Notably, pyOpenSSL is impacted and will be fixed by this, reported in

  https://github.com/pyca/pyopenssl/issues/873

Note that libffi closures still will not work on signed apps without the
com.apple.security.cs.allow-unsigned-executable-memory entitlement while

  https://github.com/libffi/libffi/pull/621

is still open (which I haven't tested but is my best guess from reading).

I am hopeful that all of these changes will be upstreamed back into cffi
and libffi, and that this comment provides enough breadcrumbs for future
maintainers to track and clean this up.
2022-11-20 16:16:07 -08:00
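The commit message above talks about libffi "closures", the native trampolines that let C code call back into Python. The following is an added, stand-alone check (not part of the nixpkgs commit, cffi, or libffi) that exercises exactly that mechanism from the Python standard library: ctypes.CFUNCTYPE callbacks are also built on libffi's closure API, so handing libc's qsort a Python comparator proves that a freshly allocated trampoline can be executed by native code on the running interpreter. Function names, the constructed sample input and the libc-loading fallback are my own assumptions.

```python
"""Added example: verify that libffi closures (C-callable callbacks into
Python) work on this interpreter by sorting with libc qsort and a Python
comparator.  Not code from the nixpkgs commit, cffi or libffi."""
import ctypes
import ctypes.util

# Comparator type qsort expects: int (*)(const void *, const void *).
# CFUNCTYPE(...)(python_fn) allocates a libffi closure (trampoline).
CMPFUNC = ctypes.CFUNCTYPE(ctypes.c_int,
                           ctypes.POINTER(ctypes.c_int),
                           ctypes.POINTER(ctypes.c_int))


def _load_libc():
    """Locate a libc exposing qsort.  find_library() can return None in
    minimal containers; CDLL(None) then resolves symbols already linked
    into the interpreter (assumption: that includes qsort, as it does for
    CPython on Linux and macOS)."""
    name = ctypes.util.find_library("c")
    return ctypes.CDLL(name) if name else ctypes.CDLL(None)


def sort_with_python_comparator(values, reverse=False):
    """Sort ints with libc qsort driven by a Python comparator.

    Returns (sorted_list, comparator_calls).  A non-zero call count shows
    native code really jumped through the libffi trampoline into Python.
    """
    libc = _load_libc()
    qsort = libc.qsort
    qsort.restype = None
    qsort.argtypes = [ctypes.POINTER(ctypes.c_int), ctypes.c_size_t,
                      ctypes.c_size_t, CMPFUNC]

    calls = 0

    def compare(a, b):
        nonlocal calls
        calls += 1
        diff = a[0] - b[0]          # small ints: no overflow concern here
        return -diff if reverse else diff

    trampoline = CMPFUNC(compare)   # libffi closure allocated here
    arr = (ctypes.c_int * len(values))(*values)  # constructed C int array
    qsort(arr, len(values), ctypes.sizeof(ctypes.c_int), trampoline)
    return list(arr), calls


def closures_work():
    """True when the closure path functions end to end; False when the
    trampoline cannot be allocated or executed (the failure mode the
    commit message describes for cffi on M1 before the patch)."""
    try:
        out, n = sort_with_python_comparator([5, 3, 9, 1])
        return out == [1, 3, 5, 9] and n > 0
    except (OSError, AttributeError, ValueError):
        return False


if __name__ == "__main__":
    print("libffi closures usable:", closures_work())
```

If this reports False on a machine where the page's symptom applies, the issue is in the executable-memory path for trampolines rather than in Python code, which is what the commit message points at for unsigned executable memory on Apple Silicon.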


# Extension with Python 2 packages that is overlayed on top
# of the Python 3 packages set. This way, Python 2+3 compatible
# packages can still be used.
self: super:
with self; with super; {
  attrs = callPackage ../development/python2-modules/attrs { };
  bootstrapped-pip = toPythonModule (callPackage ../development/python2-modules/bootstrapped-pip { });
  boto3 = callPackage ../development/python2-modules/boto3 { };
  botocore = callPackage ../development/python2-modules/botocore { };
  certifi = callPackage ../development/python2-modules/certifi { };
  cffi = callPackage ../development/python2-modules/cffi { inherit cffi; };
  chardet = callPackage ../development/python2-modules/chardet { };
  cheetah = callPackage ../development/python2-modules/cheetah { };
  configparser = callPackage ../development/python2-modules/configparser { };
  construct = callPackage ../development/python2-modules/construct { };
  contextlib2 = callPackage ../development/python2-modules/contextlib2 { };
  coverage = callPackage ../development/python2-modules/coverage { };
  enum = callPackage ../development/python2-modules/enum { };
  filelock = callPackage ../development/python2-modules/filelock { };
  futures = callPackage ../development/python2-modules/futures { };
  google-apputils = callPackage ../development/python2-modules/google-apputils { };
  gtkme = callPackage ../development/python2-modules/gtkme { };
  httpretty = callPackage ../development/python2-modules/httpretty { };
  hypothesis = callPackage ../development/python2-modules/hypothesis { };
  idna = callPackage ../development/python2-modules/idna { };
  importlib-metadata = callPackage ../development/python2-modules/importlib-metadata { };
  jinja2 = callPackage ../development/python2-modules/jinja2 { };
  marisa = callPackage ../development/python2-modules/marisa {
    inherit (pkgs) marisa;
  };
  markdown = callPackage ../development/python2-modules/markdown { };
  markupsafe = callPackage ../development/python2-modules/markupsafe { };
  mock = callPackage ../development/python2-modules/mock { };
  more-itertools = callPackage ../development/python2-modules/more-itertools { };
  mutagen = callPackage ../development/python2-modules/mutagen { };
  numpy = callPackage ../development/python2-modules/numpy { };
  packaging = callPackage ../development/python2-modules/packaging { };
  pillow = callPackage ../development/python2-modules/pillow {
    inherit (pkgs) freetype libjpeg zlib libtiff libwebp tcl lcms2 tk;
    inherit (pkgs.xorg) libX11;
  };
  pip = callPackage ../development/python2-modules/pip { };
  pluggy = callPackage ../development/python2-modules/pluggy { };
  prettytable = callPackage ../development/python2-modules/prettytable { };
  protobuf = callPackage ../development/python2-modules/protobuf {
    disabled = isPyPy;
    protobuf = pkgs.protobuf3_17; # last version compatible with Python 2
  };
  pycairo = callPackage ../development/python2-modules/pycairo {
    inherit (pkgs.buildPackages) meson;
  };
  pygments = callPackage ../development/python2-modules/Pygments { };
  pygobject3 = callPackage ../development/python2-modules/pygobject {
    inherit (pkgs) meson;
  };
  pygtk = callPackage ../development/python2-modules/pygtk { };
  pyparsing = callPackage ../development/python2-modules/pyparsing { };
  pyroma = callPackage ../development/python2-modules/pyroma { };
  pysqlite = callPackage ../development/python2-modules/pysqlite { };
  pytest = pytest_4;
  pytest_4 = callPackage
    ../development/python2-modules/pytest {
      # hypothesis tests require pytest, which causes a dependency cycle
      hypothesis = self.hypothesis.override {
        doCheck = false;
      };
    };
  pytest-runner = callPackage ../development/python2-modules/pytest-runner { };
  pytest-xdist = callPackage ../development/python2-modules/pytest-xdist { };
  pyyaml = callPackage ../development/python2-modules/pyyaml { };
  qpid-python = callPackage ../development/python2-modules/qpid-python { };
  recoll = disabled super.recoll;
  rivet = disabled super.rivet;
  rpm = disabled super.rpm;
  s3transfer = callPackage ../development/python2-modules/s3transfer { };
  scandir = callPackage ../development/python2-modules/scandir { };
  sequoia = disabled super.sequoia;
  setuptools = callPackage ../development/python2-modules/setuptools { };
  setuptools-scm = callPackage ../development/python2-modules/setuptools-scm { };
  sphinxcontrib-websupport = callPackage ../development/python2-modules/sphinxcontrib-websupport { };
  sphinx = callPackage ../development/python2-modules/sphinx { };
  TurboCheetah = callPackage ../development/python2-modules/TurboCheetah { };
  typing = callPackage ../development/python2-modules/typing { };
  zeek = disabled super.zeek;
  zipp = callPackage ../development/python2-modules/zipp { };
}