Unverified Commit 424c8636 authored by dotlambda's avatar dotlambda Committed by GitHub

python3Packages.ecdsa: mark insecure (#454346)

parents 0ec9321d 231961af
+0 −6
@@ -80,16 +80,10 @@ let
      [
        b2sdk
        boto3
        cffi
        cryptography
        ecdsa
        idna
        pygobject3
        fasteners
        lockfile
        paramiko
        pyasn1
        pycrypto
        # Currently marked as broken.
        # pydrive2
      ]
+1 −0
@@ -22,6 +22,7 @@ python3.pkgs.buildPythonApplication rec {
  buildInputs = [ libgcrypt ];

  dependencies = with python3.pkgs; [
    pycrypto
    pyserial
    pyusb
    rangeparser
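--- a/pkgs/development/python-modules/ecdsa/default.nix
+++ b/pkgs/development/python-modules/ecdsa/default.nix
@@ -1,28 +1,54 @@
 {
   lib,
   buildPythonPackage,
-  fetchPypi,
-  pkgs,
+  fetchFromGitHub,
+  gitUpdater,
+  hypothesis,
+  openssl,
+  pytestCheckHook,
+  setuptools,
   six,
 }:
 
 buildPythonPackage rec {
   pname = "ecdsa";
   version = "0.19.1";
-  format = "setuptools";
+  pyproject = true;
 
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-R4y6e2JVWGb8s7s/6YXgbey9to71VxPE5auYxX1QjmE=";
+  src = fetchFromGitHub {
+    owner = "tlsfuzzer";
+    repo = "python-ecdsa";
+    tag = "python-ecdsa-${version}";
+    hash = "sha256-PjOjHQziQ9ohXH82Ocaowj/AtsXHMHDhatFPQNccyC8=";
   };
 
-  propagatedBuildInputs = [ six ];
-  # Only needed for tests
-  nativeCheckInputs = [ pkgs.openssl ];
+  build-system = [ setuptools ];
 
-  meta = with lib; {
+  dependencies = [ six ];
+
+  pythonImportsCheck = [ "ecdsa" ];
+
+  nativeCheckInputs = [
+    hypothesis
+    openssl # Only needed for tests
+    pytestCheckHook
+  ];
+
+  passthru.updateScript = gitUpdater {
+    rev-prefix = "python-ecdsa-";
+  };
+
+  meta = {
+    changelog = "https://github.com/tlsfuzzer/python-ecdsa/blob/${src.tag}/NEWS";
     description = "ECDSA cryptographic signature library";
     homepage = "https://github.com/warner/python-ecdsa";
-    license = licenses.mit;
+    license = lib.licenses.mit;
+    knownVulnerabilities = [
+      # "I don't want people to use this library in production environments.
+      # It's a teaching tool, it's a testing tool, it's absolutely not an
+      # production grade implementation."
+      # https://github.com/tlsfuzzer/python-ecdsa/issues/330
+      "CVE-2024-23342"
+    ];
   };
 }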
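Review bot: `meta.homepage` still points at `https://github.com/warner/python-ecdsa` although `src` and `changelog` now come from `tlsfuzzer/python-ecdsa`, so anyone following the homepage for the advisory behind this mark lands on the old location; change it to `homepage = "https://github.com/tlsfuzzer/python-ecdsa";`. The `knownVulnerabilities` comment quotes the maintainer's stance but does not say that this is a permanent mark rather than one a version bump clears — as far as I recall CVE-2024-23342 is the timing side channel upstream has declared out of scope, so a comment such as `# Upstream treats the timing side channel as out of scope; do not drop this entry on a version bump` would stop the next updater from removing it, but verify that against upstream's SECURITY.md before wording it as fact. Since `nativeCheckInputs` now pulls in `pytestCheckHook`, the test suite runs where it apparently did not before; if the suite is slow or flaky that may need `disabledTests`, which I cannot judge from this hunk.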
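--- a/pkgs/development/python-modules/home-assistant-chip-core/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-core/default.nix
@@ -1,7 +1,6 @@
 {
   lib,
   buildPythonPackage,
-  pythonOlder,
   aenum,
   home-assistant-chip-wheels,
   coloredlogs,
@@ -9,7 +8,6 @@
   cryptography,
   dacite,
   deprecation,
-  ecdsa,
   ipdb,
   mobly,
   pygobject3,
@@ -22,8 +20,6 @@ buildPythonPackage rec {
   inherit (home-assistant-chip-wheels) version;
   format = "wheel";
 
-  disabled = pythonOlder "3.7";
-
   src = home-assistant-chip-wheels;
 
   # format=wheel needs src to be a wheel not a folder of wheels
@@ -31,13 +27,12 @@ buildPythonPackage rec {
     src=($src/home_assistant_chip_core*.whl)
   '';
 
-  propagatedBuildInputs = [
+  dependencies = [
     aenum
     coloredlogs
     construct
     cryptography
     dacite
-    ecdsa
     rich
     pyyaml
     ipdb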
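Review bot: `ecdsa` is dropped from `dependencies` here, but this derivation installs a prebuilt wheel (`format = "wheel"`, `src = home-assistant-chip-wheels`), so whether the wheel's own `Requires-Dist` metadata still names ecdsa is not visible in this hunk; if it does, the runtime-dependency check hook would still report it as missing, so that is worth confirming on the built wheel. Nothing in this file records why a dependency that the wheel's source lists was deliberately left out, so the next person regenerating the list may add it back; a one-line comment in the list would prevent that, e.g. `# ecdsa is intentionally absent: marked insecure in nixpkgs (CVE-2024-23342); the wheel build patches out its only (test) import`. The `dependencies` list continues past the end of the hunk.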
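--- a/pkgs/development/python-modules/home-assistant-chip-wheels/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-wheels/default.nix
@@ -166,6 +166,9 @@ stdenv.mkDerivation rec {
       patch -p1 < $patch
     done
 
+    # ecdsa is insecure and only used in tests
+    patch -p1 < ${./dont-import-ecdsa.patch}
+
     # unpin dependencies
     # there are many files to modify, in different formats
     sed -i 's/==.*$//' third_party/pigweed/repo/pw_env_setup/py/pw_env_setup/virtualenv_setup/python_base_requirements.txt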
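Review bot: The comment `# ecdsa is insecure and only used in tests` gives the motivation but not what the patch actually changes, and `dont-import-ecdsa.patch` itself is not part of this page, so a reader cannot tell whether only the import or also a requirement entry is removed. I would make the comment say both, e.g. `# ecdsa is marked insecure in nixpkgs (CVE-2024-23342) and CHIP only imports it from tests; drop that import so the built wheels carry no runtime dependency on it`, extended to mention any requirements file the patch also edits. The phase this hunk sits in starts and ends outside the hunk.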