python3Packages.tlsprofiler: init at 1.0 #91380

wants to merge 1 commit into
base: master



veehaitch commented Jun 23, 2020

Motivation for this change

Tlsprofiler allows testing if a TLS server adheres to Mozilla's server-side TLS recommendations. NixOS also relies on these guidelines for Nginx, implementing the "intermediate" profile as a configuration flag. The original authors of Tlsprofiler provide a web version here.

Tlsprofiler makes use of Nassl/SSLyze, which have been merged recently. It does, however, rely on a forked version of Nassl and SSLyze. In contrast to the Nixpkgs version of SSLyze, I had to disable the tests as virtually all are online. They passed just fine though:

One may use Tlsprofiler as a Python 3 package or as a command line application; see tlsprofiler -h for further information.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits
@veehaitch veehaitch requested review from FRidh and jonringer as code owners Jun 23, 2020
@ofborg ofborg bot added the 6.topic: python label Jun 23, 2020
buildPythonPackage rec {
pname = "tlsprofiler";
version = "1.0";

src = fetchFromGitHub {
owner = "danielfett";
repo = pname;
rev = "c4a9cdcf951343ef6cf670df9351c197c6aaab80";
sha256 = "1ng9ba1w6x9x86cngxx9p4dfjzkf3nn0w4ibn1kmwnf2rgdl6clw";

patches = [ ./tlsprofiler-setup-requirements.patch ];

# Tests require Docker to set up web servers which serve a specific profile
doCheck = false;

propagatedBuildInputs = [ requests cryptography nasslTlsprofiler sslyzeTlsprofiler ];
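Review bot: With `doCheck = false;` nothing in this derivation exercises the built package, so a broken build against the forked `nasslTlsprofiler`/`sslyzeTlsprofiler` inputs would go unnoticed. Since the tests need Docker, consider adding `pythonImportsCheck = [ "tlsprofiler" ];` next to it (assuming the import name matches `pname`) so the build at least fails when the module or one of its propagated inputs cannot be imported.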
Comment on lines +43 to +59


jonringer Jun 24, 2020


if you just care about the application, you can pin packages like this, but we try to discourage introducing different versions of available packages, as it leads to incoherent package sets (python can only import one version of a library, so depending on which one is listed first, it will break the other)

for a package with pinned dependencies, you can look at aws-cli
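The import-order problem described in the review comment above, as an added example (not part of the PR or of nixpkgs): two constructed copies of a stand-in module `sslyze_demo`, an "upstream" one and a "fork" that adds a hypothetical `fork_only_scan` function, are put on `sys.path` in both orders to show that only the first one listed is ever imported.

```python
from __future__ import annotations

import importlib
import sys
import tempfile
from pathlib import Path

MODULE = "sslyze_demo"  # constructed stand-in name, not the real sslyze


def make_site(root: Path, name: str, version: str, body: str = "") -> str:
    """Write a constructed one-file package into its own site directory."""
    pkg = root / name / MODULE
    pkg.mkdir(parents=True)
    (pkg / "__init__.py").write_text(f"__version__ = {version!r}\n{body}\n")
    return str(root / name)


def resolve(search_path: list[str]) -> tuple[str, bool]:
    """Import MODULE with the given path order.

    Returns the version that won and whether the fork-only API (which a
    consumer built against the fork would call) is available.
    """
    saved_path = sys.path[:]
    sys.modules.pop(MODULE, None)
    importlib.invalidate_caches()
    sys.path[:0] = search_path
    try:
        mod = importlib.import_module(MODULE)
        return mod.__version__, hasattr(mod, "fork_only_scan")
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(MODULE, None)


def demo() -> dict[str, tuple[str, bool]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        upstream = make_site(root, "upstream", "3.0.0-upstream")
        fork = make_site(root, "fork", "3.0.0-fork",
                         "def fork_only_scan():\n    return 'ok'")
        return {
            "upstream_first": resolve([upstream, fork]),
            "fork_first": resolve([fork, upstream]),
        }


if __name__ == "__main__":
    for order, (version, has_fork_api) in demo().items():
        print(f"{order}: imported {version}, fork API present: {has_fork_api}")
```

Whichever copy loses the ordering is silently shadowed, so a consumer that needs the other version fails only at call time, not at install or import time.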


veehaitch Jun 24, 2020

Author Contributor

Thanks for your review. I agree with your assessment that pinning these versions should be avoided; particularly, as it isn't unlikely that someone who uses tlsprofiler in their Python project might also use sslyze. I'd propose the following strategy:

  1. Ask the authors of TLS Profiler if they think it is possible to make some efforts to merge their fork of Nassl/SSLyze with upstream. To that end, I've created an issue: danielfett/tlsprofiler#6. If this works out, we could include a modified version of this PR without further problems, I guess.
  2. If this won't happen for any reason, I'll modify the PR to include the application only (similar to awscli).