
Vulnerability roundup 84: python-2.7.18: 4 advisories #88384

Closed
4 tasks
ckauhaus opened this issue May 20, 2020 · 16 comments

Comments

@ckauhaus
Contributor

search, files

Scanned versions: nixos-20.03: 82b5f87; nixos-unstable: 0f5ce2f. May contain false positives.

@wamserma
Member

Python 2.7.18 is EOL. The only solutions are to mark it as insecure or to remove it.

@vcunat
Member

vcunat commented May 21, 2020

There are some distributions that still guarantee support of Python 2 for a few years (say, RHEL), so if someone from our community is sufficiently motivated, it shouldn't be too hard to piggyback on their fixes. In any case, we should try to migrate everything away from it, but I suspect in some cases it will still be very hard.

@wamserma
Member

@vcunat Agree. But we should have a clear statement in the docs stating that Python 2.7.18 gets some maintenance until it can be dropped, but that we can not guarantee timely fixes for security vulns and porting of patches from other distros.

@vcunat
Member

vcunat commented May 22, 2020

Yes, I agree with marking it as insecure unless/until someone steps up and promises to do this work.

EDIT: but we'll need to check how many packages get killed by that step – most may be just from "safe" build-time-only dependencies (possibly transitive ones). And the 20.03 release may be a problem.

@wamserma
Member

By summoning the powers of Nix it should be possible to produce a list of packages that specifically depend on python2. Of course, 20.03 has to keep python2. But given that the EOL did not come as a surprise (but after 20.03 was released), we have to keep it in, but can give porting fixes lower priority than making it disposable before 20.09.

@vcunat
Member

vcunat commented May 22, 2020

Too bad

$ ./maintainers/scripts/rebuild-amount.sh HEAD HEAD^
  23109 x86_64-darwin
  33322 x86_64-linux

(I won't even post the --print version.)

@wamserma
Member

That is because most Python stuff is built against all available versions. We need those packages that specifically request python2 or have something like !py3k. Some sort of difference of sets.

@vcunat
Member

vcunat commented May 22, 2020

That is not the main reason. pythonPackages set is not as large at all. 30k is roughly half of all packages.

@wamserma
Member

Yes, but still I think/hope that most of these would not break if they had only python3 available - unless there is a huge pile of old unmaintained stuff in Nixpkgs.

@vcunat
Member

vcunat commented May 22, 2020

That's possible. It's also possible that the majority is caused by a very small handful of packages (I don't know how to check easily).

@andersk
Contributor

andersk commented May 22, 2020

A quick grep shows only a few hundred direct references to python2 in the tree, so I imagine most of the indirect ones go via the default python = python2 alias. Maybe the first goal should be to change that alias, remove it, or deprecate it with a warning?
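The rough inventory andersk describes (direct python2 references versus packages that only go through the bare `python` alias, which is also the "difference of sets" wamserma asked for earlier) can be scripted. The script below is an added example written for this thread, not a script from the nixpkgs repository; it runs against a constructed sample tree of `.nix` files that it creates itself, and the pattern names and helper functions (`direct_python2_refs`, `default_alias_refs`, `python3_refs`, `make_sample_tree`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the issue or of nixpkgs): count how many .nix
# files in a tree name python2 explicitly, how many rely on the bare
# "python" alias, and how many already name python3. Such an inventory
# is the first step before marking an EOL interpreter as insecure: it
# shows which packages would break for a real dependency and which only
# need the default alias flipped.

# count_files DIR REGEX -> number of .nix files under DIR matching REGEX
count_files() {
    grep -rlE "$2" --include='*.nix' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Files that explicitly request python2 (python2, python2Packages, python27 ...)
direct_python2_refs() {
    count_files "$1" 'python2'
}

# Files that use the bare "python" / "pythonPackages" alias and therefore
# inherit whatever the default alias points at. The regex requires a
# non-identifier character (or line boundary) on both sides so that
# python2/python3 are not counted here.
default_alias_refs() {
    count_files "$1" '(^|[^A-Za-z0-9_])python(Packages)?([^A-Za-z0-9_]|$)'
}

# Files that already target python3 explicitly
python3_refs() {
    count_files "$1" 'python3'
}

# make_sample_tree -> prints the path of a temporary tree of constructed
# sample expressions (these are illustrative, not real nixpkgs files).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/a" "$dir/b" "$dir/c"
    cat > "$dir/a/default.nix" <<'EOF'
{ python2, stdenv }:
stdenv.mkDerivation { name = "needs-py2"; nativeBuildInputs = [ python2 ]; }
EOF
    cat > "$dir/b/default.nix" <<'EOF'
{ python, stdenv }:
# relies on the default alias, whatever it points at
stdenv.mkDerivation { name = "uses-alias"; nativeBuildInputs = [ python ]; }
EOF
    cat > "$dir/c/default.nix" <<'EOF'
{ python3Packages }:
python3Packages.buildPythonApplication { pname = "example"; version = "0"; }
EOF
    cat > "$dir/c/extra.nix" <<'EOF'
{ python2Packages }:
python2Packages.buildPythonPackage { pname = "legacy"; version = "0"; }
EOF
    printf '%s\n' "$dir"
}

# report DIR -> one line per category
report() {
    printf 'direct python2 references: %s\n' "$(direct_python2_refs "$1")"
    printf 'bare python alias users:   %s\n' "$(default_alias_refs "$1")"
    printf 'explicit python3 users:    %s\n' "$(python3_refs "$1")"
}

# Demo on the constructed tree; point report() at a nixpkgs checkout instead
# to get the real numbers.
sample=$(make_sample_tree)
report "$sample"
rm -rf "$sample"
```

Running it on the constructed tree reports two direct python2 users, one alias user and one explicit python3 user; on a real checkout the second number is the set that changing the default alias would silently move to Python 3, and the first is the set that needs a port or a removal.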

@ckauhaus
Contributor Author

ckauhaus commented Jun 16, 2020

What we see here is for some part not a problem specific to NixOS, but one of the Python community at large. Even 10+ years after the initial release of Python 3, there is still a lot of Python 2 stuff floating around that seems not to get migrated to Python 3.

This problem is too large to be solved entirely inside NixOS. What we could do is this:

  • Change the python alias so that anyone gets Python 3 by default
  • Deprecate or remove packages which are still incompatible with Python 3 after a while

A first step for 20.09 would be to change the default alias, move as many packages as possible to Python 3 and issue a warning for the remaining ones.

@wamserma
Member

This has already been discussed here: https://discourse.nixos.org/t/upcoming-python-breakage/7554/3?u=wamserma

@ckauhaus
Contributor Author

None of the mentioned CVEs have a fix for Python2 readily available (and one is Windows only). Let's close this.

@wamserma
Member

Actually, we should keep this open until python2 is marked as insecure in master.
