
python310Packages.cleo: 1.0.0a5 -> 2.0.1 #203396

Merged
merged 17 commits into from
Nov 30, 2022

Conversation

dotlambda
Member

Description of changes

fixes CVE-2022-42966
https://github.com/python-poetry/cleo/blob/2.0.1/CHANGELOG.md

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.


@LeSuisse LeSuisse left a comment


Not sure we can merge this yet; it breaks Poetry because the released version expects to have cleo >=1.0.0a5 and < 2.0.0. There is an unreleased upstream change for that: python-poetry/poetry@14b7f1e

This is likely to cause a bunch of issues for Poetry/poetry2nix users.
Maybe we could pull in the patch directly for the time being? python-poetry/cleo#285

@LeSuisse
Contributor

Yep but it will break a bunch of packages. I do not have the resources to do a full nixpkgs-review run right now but a partial run shows a bunch of issues:

error: builder for '/nix/store/z5rkz9mpc3373mqg2ak2ixncfx91pssp-python3.10-poetry-1.2.2.drv' failed with exit code 1;
       last 10 log lines:
       > Requirement already satisfied: requests-toolbelt<0.10.0,>=0.9.1 in /nix/store/g6klr9lgfrkxf7wkdsf7r9pc39n45hgd-python3.10-requests-toolbelt-0.9.1/lib/python3.10/site-packages (from poetry==1.2.2) (0.9.1)
       > Requirement already satisfied: pexpect<5.0.0,>=4.7.0 in /nix/store/lxinahd9qhdzmqia3493mrgkqh3ingig-python3.10-pexpect-4.8.0/lib/python3.10/site-packages (from poetry==1.2.2) (4.8.0)
       > Requirement already satisfied: poetry-core==1.3.2 in /nix/store/y7m62x2v20cxga1vpqr7kmbgc6nibs5s-python3.10-poetry-core-1.3.2/lib/python3.10/site-packages (from poetry==1.2.2) (1.3.2)
       > Requirement already satisfied: shellingham<2.0,>=1.5 in /nix/store/2qskk48bga2hpwcy2bpp9idcx9bf370q-python3.10-shellingham-1.5.0/lib/python3.10/site-packages (from poetry==1.2.2) (1.5.0)
       > Requirement already satisfied: requests<3.0,>=2.18 in /nix/store/msn1w5hapjnckz4dnkjpmjwp88421a5z-python3.10-requests-2.28.1/lib/python3.10/site-packages (from poetry==1.2.2) (2.28.1)
       > Requirement already satisfied: jsonschema<5.0.0,>=4.10.0 in /nix/store/cxn5s0s9zgh0czm8w85wwi3rjpvnfk2c-python3.10-jsonschema-4.17.0/lib/python3.10/site-packages (from poetry==1.2.2) (4.17.0)
       > Requirement already satisfied: pkginfo<2.0,>=1.5 in /nix/store/qnnhxhsylg7m63blsy13wk86z6xivn17-python3.10-pkginfo-1.8.3/lib/python3.10/site-packages (from poetry==1.2.2) (1.8.3)
       > ERROR: Could not find a version that satisfies the requirement cleo<2.0.0,>=1.0.0a5 (from poetry) (from versions: none)
       > ERROR: No matching distribution found for cleo<2.0.0,>=1.0.0a5
       > 
       For full logs, run 'nix log /nix/store/z5rkz9mpc3373mqg2ak2ixncfx91pssp-python3.10-poetry-1.2.2.drv'.
error: 1 dependencies of derivation '/nix/store/44nbpzw1i0h7n23p6nxb412mlcf65pm6-cmake-language-server-0.1.6.drv' failed to build
error: 1 dependencies of derivation '/nix/store/x4kvablv4h9lcm2jrfqpvxzdrww9rjwj-commitizen-2.37.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hyzpbhllfslagkay8gnps8a74v7wirjr-poetry2conda-0.3.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hck7hrbv7kpa7fmj7cywlzql9mxdjjyk-python3.10-aioeafm-1.0.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/hw2x4kwa55kx4hqmfal0q9r45snw9849-python3.10-aioeafm-1.0.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/5i657qdzihs5gmvipx4apyigxccxx0fx-python3.10-aria2p-0.9.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/m727mvcmkgfvq2cfj40v0vrbrpnl2ycn-python3.10-expecttest-0.1.3.drv' failed to build
error: 1 dependencies of derivation '/nix/store/a3mx88kfa3ry1jh6fphrh0agcnp34d6a-python3.10-hypothesis-auto-1.1.4.drv' failed to build
error: 1 dependencies of derivation '/nix/store/gr2vjq4cay7jifk516wkqlm8f1v0bjjm-python3.10-jedi-language-server-0.37.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/bgkivwx5jxz94ymdhdkgqwgvkx4wx3ng-python3.10-pipenv-poetry-migrate-0.2.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/b1agvxw454vkh3q69fc6kdkalanc38zz-python3.10-pyairnow-1.1.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/s12v2dbavb70wa1qm40sc3qynhdsdvh2-python3.10-pyairnow-1.1.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/45agyarfc41m9d4wsym7q320ynx1a7cj-python3.10-pytest-golden-0.2.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/v57q4d9ijmg8qx6qfbxnlcsfhxa197kw-python3.10-strawberry-graphql-0.125.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/8lazf3b1311s6xqi612a5ld3pl4fgchf-homeassistant-test-airnow-2022.11.4.drv' failed to build
error: 1 dependencies of derivation '/nix/store/3hamkasyvk015q6bnhacgv92nsgin0dr-homeassistant-test-eafm-2022.11.4.drv' failed to build
error: 1 dependencies of derivation '/nix/store/36bjqd4rrvwchpvi1rz2w0rjff5bqyv2-python3.10-functorch-0.2.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/a7i729ib816n2c1m9p4f8ayrzf9aqf2f-python3.10-ical-4.1.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/p11qvs4agxrl75dqn3fsfi0kfmf17qw7-streamdeck-ui-2.0.6.drv' failed to build
error: 1 dependencies of derivation '/nix/store/2adand7d4i7a4j1y424g69q5bkvswqn8-vscode-extension-ms-python-python-2022.17.13011006.drv' failed to build
error: 1 dependencies of derivation '/nix/store/n184plx7npip0phbdqkk8zyxrxsay10f-ycmd-unstable-2022-08-15.drv' failed to build
error: 1 dependencies of derivation '/nix/store/aiv0y4wgwr9g203mi79mxyq62qsznyyp-python3.10-gcal-sync-4.0.3.drv' failed to build
error: 1 dependencies of derivation '/nix/store/sc1lb9q9649dcb37pzxvsb53kpsih98n-python3.10-gcal-sync-4.0.3.drv' failed to build
error: 1 dependencies of derivation '/nix/store/xj4pz8947k9368kqgirqyxdf4knzsm76-vimplugin-YouCompleteMe-2022-11-19.drv' failed to build
error: 1 dependencies of derivation '/nix/store/sx1kdkfvayp0mmbgbzr83cakxsvvi49s-homeassistant-test-google-2022.11.4.drv' failed to build
error: builder for '/nix/store/5fn5whs8ipfdjn8nf01dgf8zgpg3kvy3-python3.10-pyatv-0.10.3.drv' failed with exit code 1;
       last 10 log lines:
       >   /build/source/tests/protocols/raop/test_raop_functional.py:484: DeprecationWarning: Call to deprecated function volume_down.
       >     await volume_interface.volume_down()
       >
       > -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
       > =========================== short test summary info ============================
       > FAILED tests/protocols/mrp/test_mrp_auth.py::MrpAuthFunctionalTest::test_authentication
       > FAILED tests/protocols/mrp/test_mrp_auth.py::MrpAuthFunctionalTest::test_pairing_with_bad_pin
       > FAILED tests/protocols/mrp/test_mrp_auth.py::MrpAuthFunctionalTest::test_pairing_with_device
       > FAILED tests/protocols/mrp/test_mrp_auth.py::MrpAuthFunctionalTest::test_pairing_with_existing_credentials
       > =========== 4 failed, 995 passed, 1 skipped, 288 warnings in 11.97s ============
       For full logs, run 'nix log /nix/store/5fn5whs8ipfdjn8nf01dgf8zgpg3kvy3-python3.10-pyatv-0.10.3.drv'.
error: builder for '/nix/store/ianwyyi9m3shcx3y22127h676qrj1fb2-python3.9-poetry-1.2.2.drv' failed with exit code 1;
       last 10 log lines:
       > Successfully built poetry
       > Finished creating a wheel...
       > Finished executing pipBuildPhase
       > installing
       > Executing pipInstallPhase
       > /build/source/dist /build/source
       > Processing ./poetry-1.2.2-py3-none-any.whl
       > ERROR: Could not find a version that satisfies the requirement cleo<2.0.0,>=1.0.0a5 (from poetry) (from versions: none)
       > ERROR: No matching distribution found for cleo<2.0.0,>=1.0.0a5
       > 
       For full logs, run 'nix log /nix/store/ianwyyi9m3shcx3y22127h676qrj1fb2-python3.9-poetry-1.2.2.drv'.

At least for the backports we will probably need to apply the patch to limit the potential breakages.
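The failures above all come from the same cause: Poetry's pinned requirement `cleo<2.0.0,>=1.0.0a5` excludes the patched cleo 2.0.1, so the resolver reports "No matching distribution". The script below is an added example, not code from this PR or from nixpkgs, that evaluates pip-style requirement strings against a candidate version and lists which pins would block a security upgrade. It implements a deliberately simplified subset of PEP 440 (release segment plus a/b/rc pre-releases; no post-, dev- or local segments, and no pre-release exclusion rules) instead of depending on the `packaging` library; the sample pins are constructed, and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Rank of a pre-release tag; a final release sorts after any pre-release
# of the same version, so 1.0.0a5 < 1.0.0 and 2.0.0rc1 < 2.0.0.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_REQUIREMENT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\S+)$")

Version = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' optionally followed by a pre-release tag such as 'a5'.

    Simplified PEP 440 (assumption of this example): only the release
    segment and a/b/rc pre-releases are supported. Trailing zeros are
    dropped so that 2.0 and 2.0.0 compare equal.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return release, pre


def _compare(op: str, left: Version, right: Version) -> bool:
    # Tuples compare lexicographically, which gives the ordering we want.
    return {
        "<": left < right, "<=": left <= right,
        ">": left > right, ">=": left >= right,
        "==": left == right, "!=": left != right,
    }[op]


def satisfies(requirement: str, candidate: str) -> bool:
    """True if `candidate` is allowed by every clause of `requirement`.

    `requirement` is a pip-style string such as 'cleo<2.0.0,>=1.0.0a5'
    (the form that appears in the build log above).
    """
    m = _REQUIREMENT_RE.match(requirement.strip())
    if not m:
        raise ValueError(f"malformed requirement: {requirement!r}")
    version = parse_version(candidate)
    clauses = [c.strip() for c in m.group(2).split(",") if c.strip()]
    for clause in clauses:
        spec = _SPEC_RE.match(clause)
        if not spec:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _compare(spec.group(1), version, parse_version(spec.group(2))):
            return False
    return True


def blocking_requirements(requirements: List[str], candidate: str) -> List[str]:
    """Return the requirement strings that exclude `candidate`.

    Each returned pin is a dependent that will fail to resolve once the
    package is bumped to `candidate`, i.e. a package that needs patching
    or an upstream relaxation of its upper bound.
    """
    return [req for req in requirements if not satisfies(req, candidate)]


if __name__ == "__main__":
    # Constructed sample: the pin from the build log on this page plus a looser one.
    pins = ["cleo<2.0.0,>=1.0.0a5", "cleo>=1.0.0"]
    for req in pins:
        print(f"{req:24} allows 2.0.1: {satisfies(req, '2.0.1')}")
    print("pins blocking the upgrade:", blocking_requirements(pins, "2.0.1"))
```

For real dependency audits use `packaging.specifiers.SpecifierSet` and `packaging.version.Version`, which implement the full PEP 440 rules (including the exclusion of pre-releases by default); the hand-rolled comparator here exists only to keep the example free of third-party imports.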

@dotlambda
Member Author

dotlambda commented Nov 28, 2022

Instead of python310Packages.poetry people should really be using python310Packages.poetry-core so it's fine if that breaks.

At least for the backports we will probably need to apply the patch to limit the potential breakages.

Agreed.

@abbradar poetry as packaged by poetry2nix is also affected by this CVE. Please fix.

@risicle
Contributor

risicle commented Nov 29, 2022

poetry and poetry2conda are the only packages still failing for me, aarch64-linux.

@dotlambda dotlambda merged commit 64f3ba4 into NixOS:master Nov 30, 2022
@dotlambda dotlambda deleted the cleo-2.0.1 branch November 30, 2022 02:02
@mweinelt
Member

mweinelt commented Dec 2, 2022

Instead of python310Packages.poetry people should really be using python310Packages.poetry-core so it's fine if that breaks.

They're not quite the same thing though. One is a CLI interface, the other is a build library.

@dotlambda
Member Author

Instead of python310Packages.poetry people should really be using python310Packages.poetry-core so it's fine if that breaks.

They're not quite the same thing though. One is a CLI interface, the other is a build library.

True, but poetry is also the CLI and isn't broken (yet).

@Shawn8901
Contributor

I did have to patch some packages I just use in a private project to use the core.masonry API, to make them usable with poetry-core.

  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace 'build-backend = "poetry.masonry.api"' 'build-backend = "poetry.core.masonry.api"'
  '';

Just in case someone else comes around here.
