From 22419c93cd3a2290a6d53b70201a702847e47275 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Sat, 9 Apr 2022 14:01:21 +0200
Subject: [PATCH] weechat-otr: Fix build and knownVulnerabilities
First, this closes #167972 by explicitly disabling Python tests for the backported pycrypto library. Those tests were written for Python 2 only. Furthermore, the meta.knownVulnerabilities attribute was added as the last weechat-otr upstream release was in 2018-03 [0] and the backported Debian package of pycrypto is from 2020-04 [1]. As there are no known vulnerabilities for weechat-otr itself, pycrypto "is unmaintained, obsolete, and contains security vulnerabilities" [2]. Even with Debian's patches, this is no good situation. As weechat-otr being a security and privacy related software, it should be made obvious, that its code base is old and unmaintained. [0] https://github.com/mmb/weechat-otr/releases/tag/v1.9.2 [1] https://salsa.debian.org/sramacher/python-crypto/-/tags/debian%2F2.6.1-13.1 [2] https://www.pycrypto.org/
---
 .../networking/irc/weechat/scripts/weechat-otr/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix b/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix
index 987271e4ffa..fd5f376ad26 100644
--- a/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix
+++ b/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix
@@ -24,6 +24,9 @@ let
 buildInputs = [ gmp ];
+ # Tests are relying on old Python 2 modules.
+ doCheck = false;
+
 preConfigure = ''
 sed -i 's,/usr/include,/no-such-dir,' configure
 sed -i "s!,'/usr/include/'!!" setup.py
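Review bot: `doCheck = false;` leaves the backported pycrypto build with no verification at all, so a cipher or hash extension module that fails to load under Python 3 would only surface at runtime inside WeeChat. If this derivation is produced by buildPythonPackage (its header lies outside the hunk, so this is an assumption), a cheap substitute is an import smoke test: `pythonImportsCheck = [ "Crypto" ];`. The comment could also state the reason more precisely, e.g. `# Upstream test suite is Python 2 only and cannot run against this Python 3 backport.`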
@@ -66,5 +69,9 @@ in stdenv.mkDerivation rec {
 license = licenses.gpl3;
 maintainers = with maintainers; [ oxzi ];
 description = "WeeChat script for Off-the-Record messaging";
+ knownVulnerabilities = [
+ "There is no upstream release since 2018-03."
+ "Utilizes deprecated and vulnerable pycrypto library with Debian patches from 2020-04."
+ ];
 };
 }
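Review bot: Neither string in `knownVulnerabilities` names an advisory, so a user who hits the insecure-package evaluation error has nothing concrete to assess before allow-listing the package. The first entry describes maintenance status rather than a vulnerability. The second would be more actionable if it pointed at the specific issue left open, e.g. `"pycrypto <ADVISORY-ID> is not fixed by the Debian 2.6.1-13.1 patches"` (placeholder, to be filled in from the Debian tracker). The enclosing `meta` block and the `mkDerivation` call start outside the hunk.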