jasper: delete from nixpkgs.

[danderson]

Motivation for this change

Fixes #55388.

JasPer is unmaintained upstream, and is accumulating unpatched CVEs. The maintainer has said to not expect improvement any time soon. Other distros have already removed this package.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[danderson]

cc @peti to check my cabal2nix update.

[danderson]

nix-review pr is in flight now, will report back if it finds problems.

[danderson]

Never mind, nix-review pr needs 30G of cached packages, I only have 22G available :(.

[ckauhaus]

@danderson now that 20.03 is out this should be merged to master so that we stop shipping jasper with 20.09. Would you rebase your PR?

[worldofpeace]

Pinging for rebase again.

[danderson]

Heard - thanks for the reminder. Doing this later tonight.

[danderson]

Rebased. @ckauhaus @worldofpeace take a look, and trigger automation if any needs triggering?

[mdaiter]

Looks good to me! Can't run this now though.

[worldofpeace]

Aaargh, "hsmagick" depends on jasper and it's a generated package set. I'll see what needs to be done there.

[worldofpeace]

Probably need to drop this from cabal2nix https://github.com/NixOS/cabal2nix/blob/d3635a7eb003b08579ef41b7b41051699c369e85/src/Distribution/Nixpkgs/Haskell/FromCabal/License.hs#L112, and I think there needs to some code added somewhere to not bring in hsmagick. cc @peti

[danderson]

In my original change, I'd hand-edited the haskell nix filesto clean that up as well, but was told to remove it and let haskell folks handle it downstream. Allegedly the package using jasper is already marked broken, so shouldn't be a huge deal in the interim? But I'm out of my depth here.

[worldofpeace]

Yep, it is marked as broken https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/haskell-modules/configuration-hackage2nix.yaml#L2851

[worldofpeace]

@danderson I opened NixOS/cabal2nix#469 and #97588

[OPNA2608]

The issue originally linked in the package has been resolved since July, upstream have started being active again and the latest release is mere 9 days old. Maybe this should be reverted and the package updated instead?

https://github.com/jasper-software/jasper/releases/tag/version-2.0.20
jasper-software/jasper#208

Current state of this project:

• all known CVEs fixed.
• 3 people with commit rights (bottleneck solved)
• more contributors
• distributions notified

[worldofpeace]

Oh, awesome 👍