Convert remaining python2 applications over to python3

[jonringer]

In #101929 we have many important programs (e.g. cachix) still using python2 in their builds. This list doesn't constitute python2 applications, but rather packages which have python2Packages.cryptography somewhere in their dependency graph. So these will be affected when python2Packages.cryptography does get marked as vulnerable.

This issue to track the conversion process over to python3, packages still needing to be converted are listed below. This list isn't exhaustive, just those that use the soon-to-be-marked-vulnerable pythonPackages.cryptography:

Finding the dependency

For most dependencies, it should be pretty obvious where python2 comes from, for more "difficult" packages. You may need to do some digging.

nix-tree + nix-instantiate

you can run nix-shell -p nix-tree --run "nix-tree $(nix-instantiate default.nix -A <package>) to get the entire build dependency tree, then search for the cryptography package, and then you should be able to trace which dependencies are introducing it.

nix why-depends

alternatively, you can use nix why-depends
nix why-depends --all -f default.nix <package> python2Packages.cryptography can also be used, however, this will require you to re-build the package, which may take more time than parsing the dependency tree above

• alibuild alibuild: use python3 #102111
• amazon-glacier-cmd-interface
• aria2 yle-dl: 2.31 -> 20200807 #100191
• asciidoc-full-with-plugins [staging] asciidoc: 8.6.9 -> 9.0.4 #102398
• babashka (through graal)
• broadlink-cli broadlink-cli: 0.9.0 -> 0.15.0 and use python3 #102162
• buttersink (packaging doesn't work with python3)
• cachix
• carddav (currently, upstream only offers python2)
• CastXML CastXML: refactor to avoid python2 dependency #101996
• check-esxi-hardware
• clj-kondo (through graal)
• cloudmonkey no longer a python package
• csv_fast_export csv_fast_export: use python3 #102375
• datadog-agent datadog-agent: 6.11.2 -> 7.30.2 #136109
• dd-agent removed
• euca2ools (currently, upstream only offers python2)
• gdown
• git-review
• glslviewer glslviewer: 2019-04-22 -> 1.6.8, use python3 #102365
• gnss-sdr - taken cared of in gnuradio: rewrite #99685
• gnuradio - taken cared of in gnuradio: rewrite #99685
• gnuradio-with-packages - taken cared of in gnuradio: rewrite #99685
• google-app-engine-go-sdk
• google-cloud-sdk
• google-compute-engine
• gqrx - taken cared of in gnuradio: rewrite #99685
• gr-ais - taken cared of in gnuradio: rewrite #99685
• gr-gsm - taken cared of in gnuradio: rewrite #99685
• gr-limesdr - taken cared of in gnuradio: rewrite #99685
• gr-nacl - taken cared of in gnuradio: rewrite #99685
• gr-osmosdr - taken cared of in gnuradio: rewrite #99685
• gr-rds - taken cared of in gnuradio: rewrite #99685
• graal
• haxor-news haxor-news: use python3, fix build #102391
• hercules-ci-agent
• inspectrum - taken cared of in gnuradio: rewrite #99685
• jvmci
• kodi-plugin-yatp
• mercurial
• mx (not sure which package this is, likely related to graal though)
• mysql-workbench mysql-workbench: 8.0.21 -> 8.0.30 #191174
• ndn-cxx ndn-cxx: 0.6.3 -> 0.7.1 #102248
• nixops (currently, upstream only offers python2) Release 2.0 old tracking issue nixops#1242
• ocropus (currently, upstream only offers python2)
• opae
• ovito python3Packages.ovito: 3.0.0 -> 3.3.1 #102250
• pantsbuild.pants (already broken)
• persepolis
• pipreqs pipreqs: use python3 #102389
• pulseaudio-dlna-unstable (in progress, https://github.com/masmu/pulseaudio-dlna/tree/python3 , but not in releasable state)
• pyside-apiextractor
• pyside-generatorrunner
• python3.7-aria2p yle-dl: 2.31 -> 20200807 #100191
• python3.7-pygccxml CastXML: refactor to avoid python2 dependency #101996
• python3.7-pyside
• python3.7-pyside-shiboken
• python3.7-pyside-tools
• python3.8-aria2p yle-dl: 2.31 -> 20200807 #100191
• python3.8-pygccxml CastXML: refactor to avoid python2 dependency #101996
• python3.8-pyside
• python3.8-pyside-shiboken
• python3.8-pyside-tools
• qradiolink - taken cared of in gnuradio: rewrite #99685
• rabbitvcs (in progress) Refactor rabbitvcs #102378
• rmlint
• sage [WIP] sage: 8.9 -> 9.2 #101447 sage: 8.9 -> 9.2 #105615
• smugline removed: pythonPackages.smugline,pythonPackages.smugpy: remove #102610
• trac (currently, upstream only offers python2)
• tsung Support python3: print statement has been replaced with a function processone/tsung#352
• uget
• uget-integrator
• uutils-coreutils uutils-coreutils: Use Python3 sphinx for docs #102247
• wal-e wal_e: 0.6.10 -> 1.1.1 #102264
• yle-dl
• yoda
• zabbix-cli (currently, upstream only offers python2)

[SuperSandro2000]

 python3.7-aria2p
 python3.7-pygccxml
 python3.7-pyside
 python3.7-pyside-shiboken
 python3.7-pyside-tools
 python3.8-aria2p
 python3.8-pygccxml
 python3.8-pyside
 python3.8-pyside-shiboken
 python3.8-pyside-tools

Why are those in this list? Do they have a python2 variant?

[jonringer]

not entirely sure. It could be that some library they use, uses python2 to do something like generate docs. So they aren't directly using python2 packages.

[primeos]

Why are those in this list? Do they have a python2 variant?

I assume those are mostly cases of Python 3 packages that depend on some non-Python package that in turn depends on some Python 2 package (e.g. python3Packages.aria2p -> aria2 -> ... -> python27Packages.cryptography).

The following can help to navigate the dependency trees more efficiently (/ to search for the Python 2 cryptography and then h to navigate up in the dependency tree):

$ nix-tree $(nix-instantiate -A python3Packages.aria2p)

---

Should I try to write a script (or does someone already know/have one) to ping the maintainers of the affected packages?

[SuperSandro2000]

then h to navigate up in the dependency tree):

The root is on the left and then use vim style key bindings or arrow keys.

[domenkozar]

cachix fixed in 59c53bc