guix-devel

Re: [PATCH 2/3] gnu: Add python-pyxb.


From: Ben Woodcroft
Subject: Re: [PATCH 2/3] gnu: Add python-pyxb.
Date: Fri, 23 Sep 2016 11:28:43 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0



On 09/23/2016 01:15 AM, Marius Bakke wrote:
Ben Woodcroft <address@hidden> writes:

Subject: [PATCH 1/3] gnu: python-pysam: Update to 0.9.1.4.
I'm not sure whether this is a product of the upgrade or not, but I
notice this in the build log. I think it is harmless though, WDYT?

starting phase `validate-runpath'
validating RUNPATH of 10 binaries in
"/gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib"...
/gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib/python3.4/site-packages/pysam-0.9.1.4-py3.4-linux-x86_64.egg/pysam/libchtslib.cpython-34m.so:
warning: RUNPATH contains bogus entries: ("pysam" "."
"build/lib.linux-x86_64-3.4/pysam")
I don't see this in the previous version, so it is a regression.
However, it should be mostly harmless. Readelf reports (when compiled
with external htslib, see below):

  0x000000000000001d (RUNPATH)            Library runpath: 
[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/ba22myqvxccwmmjwwq665rc43hanycxy-htslib-1.3.1/lib:build/lib.linux-x86_64-3.4/pysam:$ORIGIN:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]

Compared to the runpath of the same file currently in Guix:

  0x000000000000001d (RUNPATH)            Library runpath: 
[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]

If a folder named "$CWD/build/lib.linux-x86_64-3.4/pysam" exists, it
could potentially allow for code injection, which is troubling.

I opened an issue on their tracker, but don't think it's worth holding
the patch: https://github.com/pysam-developers/pysam/issues/347
Thanks, I agree.


Also, I notice that pysam bundles htslib, bcftools and samtools C code.
Hopefully it should be straightforward enough to remove htslib as there
are install instructions, I'm not sure about the other two. This
shouldn't block the patch here, but would you mind taking a look?
http://pysam.readthedocs.io/en/latest/installation.html#installation
I had a go at this, and also enabled tests since I was reading the build
system anyway. Samtools and bcftools do not seem possible to un-bundle
at this time, but htslib was straightforward.
OK. I don't think it needs to be propagated though, right? Also, would you mind separating the change to modify-phases syntax and unbundling of htslib into two patches please? Other than that this whole series LGTM.

Sorry, I keep asking one more thing..
ben
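
The RUNPATH concern discussed in this message, a relative entry that the loader resolves against the current working directory, can be checked mechanically from `readelf -d` output. The following is an added example, not part of the original thread and not Guix's `validate-runpath` code; the function names are hypothetical and the store paths are constructed placeholders (`HASH` stands in for the real store hashes).

```python
import re

# Matches the DT_RPATH / DT_RUNPATH line printed by `readelf -d`. `\s*` before
# the bracket also accepts the form where the list wrapped onto the next line.
_DYN_PATH = re.compile(
    r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath):\s*\[([^\]]*)\]")

def runpath_entries(readelf_output):
    """Return [(tag, entry), ...] for every search-path entry in the dump."""
    found = []
    for m in _DYN_PATH.finditer(readelf_output):
        found.extend((m.group(1), entry) for entry in m.group(2).split(":"))
    return found

def classify(entry):
    """'absolute', 'origin' (relative to the object itself) or 'relative'."""
    if entry.startswith("/"):
        return "absolute"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin"
    return "relative"  # anything else, including "." and an empty entry

def cwd_dependent(readelf_output):
    """Entries whose meaning depends on the process's working directory."""
    return [e for _, e in runpath_entries(readelf_output)
            if classify(e) == "relative"]

def _dump(entries):
    # Constructed sample line in readelf's layout.
    return (" 0x000000000000001d (RUNPATH)            Library runpath: ["
            + ":".join(entries) + "]")

# Constructed samples modelled on the two dumps quoted in the message.
SAMPLE_UPDATED = _dump(["/gnu/store/HASH-python-3.4.3/lib",
                        "/gnu/store/HASH-htslib-1.3.1/lib",
                        "build/lib.linux-x86_64-3.4/pysam",
                        "$ORIGIN",
                        "/gnu/store/HASH-glibc-2.23/lib"])
SAMPLE_PREVIOUS = _dump(["/gnu/store/HASH-python-3.4.3/lib",
                         "/gnu/store/HASH-glibc-2.23/lib"])

if __name__ == "__main__":
    for name, dump in (("updated", SAMPLE_UPDATED), ("previous", SAMPLE_PREVIOUS)):
        print(name, cwd_dependent(dump))
```
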


