resholve: strip unused libraries from python27

Strip unused libraries from resholve's own python27 derivation, further reducing its size and reducing its attack surface.
2022-12-14 22:38:33 +00:00 · 2022-12-14 22:38:33 +00:00 · 283ecac082
commit 283ecac082
parent 0e044e69e9
2 changed files with 65 additions and 2 deletions
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@ -35,6 +35,7 @@
 , stripConfig ? false
 , stripIdlelib ? false
 , stripTests ? false
+, stripLibs ? [ ]
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:

@ -325,14 +326,22 @@ in with passthru; stdenv.mkDerivation ({
    '' + optionalString strip2to3 ''
      rm -R $out/bin/2to3 $out/lib/python*/lib2to3
    '' + optionalString stripConfig ''
-      rm -R $out/bin/python*-config $out/lib/python*/config-*
+      rm -R $out/bin/python*-config $out/lib/python*/config*
    '' + optionalString stripIdlelib ''
      # Strip IDLE
      rm -R $out/bin/idle* $out/lib/python*/idlelib
    '' + optionalString stripTests ''
      # Strip tests
      rm -R $out/lib/python*/test $out/lib/python*/**/test{,s}
-    '';
+    '' + (concatStringsSep "\n"
+          (map
+            (lib:
+              ''
+                rm -vR $out/lib/python*/${lib}
+                # libraries in dynload (C libraries) may not exist,
+                # but when they exist they may be prefixed with _
+                rm -vfR $out/lib/python*/lib-dynload/{,_}${lib}
+              '') stripLibs));

    enableParallelBuilding = true;

--- a/pkgs/development/misc/resholve/default.nix
+++ b/pkgs/development/misc/resholve/default.nix
@ -29,6 +29,60 @@ let
    stripConfig = true;
    stripIdlelib = true;
    stripTests = true;
+    stripLibs = [
+      # directories
+      "bsddb*"
+      "curses"
+      "compiler"
+      "ensurepip"
+      "hotshot"
+      "lib-tk"
+      "sqlite3"
+      # files
+      "aifc*"
+      "antigravity*"
+      "async*"
+      "*audio*"
+      "BaseHTTPServer*"
+      "Bastion*"
+      "binhex*"
+      "bdb*"
+      "CGIHTTPServer*"
+      "cgitb*"
+      "chunk*"
+      "colorsys*"
+      "dbhash*"
+      "dircache*"
+      "*dbm*"
+      "ftplib*"
+      "*hdr*"
+      "imaplib*"
+      "imputil*"
+      "MimeWriter*"
+      "mailbox*"
+      "mhlib*"
+      "mimify*"
+      "multifile*"
+      "netrc*"
+      "nntplib*"
+      "os2emxpath*"
+      "pyclbr*"
+      "pydoc*"
+      "SimpleHTTPServer*"
+      "sgmllib*"
+      "smtp*"
+      "ssl*"
+      "sun*"
+      "tabnanny*"
+      "telnetlib*"
+      "this*"
+      "wave*"
+      "webbrowser*"
+      "whichdb*"
+      "wsgiref*"
+      "xdrlib*"
+      "*XMLRPC*"
+    ];
    enableOptimizations = false;
  };
  callPackage = lib.callPackageWith (pkgs // { python27 = python27'; });