python3Packages.tlsprofiler: init at 1.0 #91380
Conversation
| buildPythonPackage rec { | ||
| pname = "tlsprofiler"; | ||
| version = "1.0"; | ||
|
|
||
| src = fetchFromGitHub { | ||
| owner = "danielfett"; | ||
| repo = pname; | ||
| rev = "c4a9cdcf951343ef6cf670df9351c197c6aaab80"; | ||
| sha256 = "1ng9ba1w6x9x86cngxx9p4dfjzkf3nn0w4ibn1kmwnf2rgdl6clw"; | ||
| }; | ||
|
|
||
| patches = [ ./tlsprofiler-setup-requirements.patch ]; | ||
|
|
||
| # Tests require Docker to set up web servers which serve a specific profile | ||
| doCheck = false; | ||
|
|
||
| propagatedBuildInputs = [ requests cryptography nasslTlsprofiler sslyzeTlsprofiler ]; |
There was a problem hiding this comment.
if you just care about the application, you can pin packages like this, but we try to discourage introducing different version of available packages, as it incoherent package sets (python can only import one version of a library, so depending on which one is listed first, it will break the other)
for a package with pinned dependencies, you can look at aws-cli
There was a problem hiding this comment.
Thanks for your review. I agree with your assessment that pinning these versions should be avoided; particularly, as it isn't unlikely that someone who uses tlsprofiler in their Python project might also use sslyze. I'd propose the following strategy:
- Ask the authors of TLS Profiler if they think it is possible to make some efforts to merge their fork of Nassl/SSLyze with upstream. To that end, I've created an issue: Port Nassl/SSLyze to upstream danielfett/tlsprofiler#6. If this works out, we could include a modified version of this PR without further problems, I guess.
- If this won't happen for any reason, I'll modify the PR to include the application only (similar to
awscli).
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
| } | ||
| ); | ||
| sslyzeTlsprofiler = (sslyze.override { nassl = nasslTlsprofiler; }).overrideAttrs ( | ||
| oldAttrs: rec { |
| diff --git a/requirements.txt b/requirements.txt | ||
| index a783532..34aa149 100644 | ||
| --- a/requirements.txt | ||
| +++ b/requirements.txt | ||
| @@ -1,4 +1,2 @@ | ||
| --e git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze | ||
| -# -e git+https://github.com/fabian-hk/nassl.git@tls_profiler#egg=nassl | ||
| requests | ||
| cryptography>=2.8 | ||
| diff --git a/setup.py b/setup.py | ||
| index e9289df..262c521 100644 | ||
| --- a/setup.py | ||
| +++ b/setup.py | ||
| @@ -22,6 +22,7 @@ setup( | ||
| python_requires='>=3.6', | ||
| install_requires=[ | ||
| 'requests', | ||
| - 'sslyze @ git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze', | ||
| + 'sslyze', | ||
| + 'cryptography', | ||
| ], | ||
| ) | ||
|
|
There was a problem hiding this comment.
I think this patch would be easier with just two substituteInPlace's.
|
|
||
| # Also make `run.py` available as `tlsprofiler` application | ||
| postInstall = '' | ||
| sed -i '1s|^|#!/usr/bin/env python3\n|' run.py |
|
|
||
| patches = [ | ||
| # Apply upstream patch to update expired cert chain | ||
| ./nassl-0001-Fix-test.patch |
There was a problem hiding this comment.
If this is an upstream patch can we use fetchpatch instead?
| }: | ||
| let | ||
| nasslTlsprofiler = nassl.overrideAttrs ( | ||
| oldAttrs: rec { |
There was a problem hiding this comment.
I don't think rec is necessary.
stale
bot
removed
2.status: stale
|
Closing due to no response from author in a while. |
Motivation for this change
Tlsprofiler allows to test if a TLS server adheres to Mozzilla's server side TLS recommendations. NixOS also relies on these guidelines for Nginx, implementing the "intermediate" profile as a configuration flag. The original authors of Tlsprofiler provide a web version here.
Tlsprofiler makes use of Nassl/SSLyze, which have been merged recently. It does, however, rely on a forked version of Nassl and SSLyze. In contrast to the Nixpgks version of SSLyze, I had to disable the tests as virtually all are online. They passed just fine though: https://gist.github.com/veehaitch/a7eb5164ff1480dd47da3500509897d3
One may use Tlsprofiler as a Python 3 package or as a command line application; see
tlsprofiler -hfor further information.Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)