python27: switch to ActiveState's fork for Python 2#203428
thiagokokada merged 3 commits into NixOS:staging from thiagokokada:python27-activestate
Conversation
ActiveState is a company that is maintaining a fork of Python 2 to fix its security issues. Their support is paid, however the code is open-source. See the details here: https://www.activestate.com/products/python/python-2-end-of-life-security-updates/ This enables us to drop a bunch of CVE patches for Python 2.7, and it should also be easier to maintain, since we can just bump the version once ActiveState tags a new version.
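As an added illustration of the pattern the description implies (this is not the PR's diff and not nixpkgs code), an overlay that pins python27's source to a tag of ActiveState/cpython and drops the CVE backport patches the fork is expected to carry. The tag name and the hash are placeholders to be filled from the release being pinned; fetchFromGitHub, overrideAttrs and lib.fakeHash are standard nixpkgs, while filtering patches by the "CVE-" substring in their file name is an assumption made for this example.

```nix
# Added example, not the PR's own change: pin python27 to a tag of the
# ActiveState fork from an overlay and stop applying the CVE backport patches.
final: prev: {
  python27 = prev.python27.overrideAttrs (old: {
    src = prev.fetchFromGitHub {
      owner = "ActiveState";
      repo = "cpython";
      rev = "<ACTIVESTATE-TAG>";    # placeholder: the fork's release tag to pin
      hash = prev.lib.fakeHash;     # placeholder: Nix prints the real hash on the first build
    };
    # Keep every patch whose file name does not carry a "CVE-" prefix
    # (assumed naming convention for the backports the fork now covers).
    patches = builtins.filter
      (p: !(prev.lib.hasInfix "CVE-" (baseNameOf (toString p))))
      (old.patches or [ ]);
  });
}
```

An overlay of this shape is only a local pin for testing a candidate tag. The PR itself edits the interpreter expression, which is what makes python27Packages follow the new source: overrideAttrs on the interpreter produces a new derivation, but the package set reachable through its passthru was built around the original one.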
Review comments were left on the patch list in the diff; the context lines for those comments are:

    ./profile-task.patch
    # https://www.activestate.com/products/python/python-2-end-of-life-security-updates/
    ./CVE-2019-20907.patch
    ./CVE-2020-8492.patch
    ./CVE-2020-26116.patch
    ./CVE-2020-27619.patch
    ./CVE-2021-3177.patch
    ./CVE-2021-23336.patch
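Review bot: each CVE patch dropped from this list (CVE-2019-20907, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619, CVE-2021-3177, CVE-2021-23336) should be tied to a check that the pinned ActiveState tag actually contains the corresponding fix; the only justification next to the list is the product URL in the comment line, and the thread below already found one fix (CVE-2021-3733) missing from the fork and backported it separately. Recording the CVEs the fork is relied on for, next to that URL comment, would let the next version bump be audited against the same list.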
BTW, this will fix CVE-2022-0391 (see ActiveState/cpython@8c70fb4), which was not fixed in #203362, so we should merge it ASAP if this is the way we want to go.
However, this CVE-2021-3733 is a DoS bug, so it shouldn't be that problematic. And it should be fixed soon anyway (once ActiveState tags a new release).
Decided to backport this patch. Now all known issues from ActiveState should be fixed.
FRidh left a comment
I think this is a good idea.
I have not tested the build but by reading what it is about and skimming the commits they added I see no reason why there would be any issues.
Hey, I remember some time ago reading that the Python foundation made a public position that they would send c&d to forks of Python 2 that created new tags (like 2.7.18.5) and didn't differentiate the name enough from Python.
Successfully created backport PR #203458 for
I wouldn't worry about it too much right now, unless Python started to enforce it. In the worst case, we can patch ActiveState to show
A thread about trademark and a "Python 2.8" fork.
ActiveState's fork is just a few security fixes, no new features. It is not that much different from us shipping a few extra security patches, with the exception of the added prefix to the version. If Python devs complain about it, I can happily patch the version out. Otherwise let's just keep it as-is.
Sounds good
...into staging-next. This is a topologically earlier re-merge (than 8bfb5da) as the rebuild amount isn't large.
Description of changes
See the discussion of #201859 for the reasoning.