On 09/23/2016 01:15 AM, Marius Bakke wrote:
Ben Woodcroft <b.woodcr...@uq.edu.au> writes:
Subject: [PATCH 1/3] gnu: python-pysam: Update to 0.9.1.4.
I'm not sure whether this is a product of the upgrade or not, but I
notice this in the build log. I think it is harmless though, WDYT?
starting phase `validate-runpath'
validating RUNPATH of 10 binaries in
"/gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib"...
/gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib/python3.4/site-packages/pysam-0.9.1.4-py3.4-linux-x86_64.egg/pysam/libchtslib.cpython-34m.so:
warning: RUNPATH contains bogus entries: ("pysam" "."
"build/lib.linux-x86_64-3.4/pysam")
I don't see this in the previous version, so it is a regression.
However, it should be mostly harmless. Readelf reports (when compiled
with external htslib, see below):
0x000000000000001d (RUNPATH) Library runpath:
[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/ba22myqvxccwmmjwwq665rc43hanycxy-htslib-1.3.1/lib:build/lib.linux-x86_64-3.4/pysam:$ORIGIN:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]
Compared to the runpath of the same file currently in Guix:
0x000000000000001d (RUNPATH) Library runpath:
[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]
If a folder named "$CWD/build/lib.linux-x86_64-3.4/pysam" exists, it
could potentially allow for code injection, which is troubling.
I opened an issue on their tracker, but don't think it's worth holding
the patch: https://github.com/pysam-developers/pysam/issues/347
Thanks, I agree.
Also, I notice that pysam bundles htslib, bcftools and samtools C code.
Hopefully it should be straightforward enough to remove htslib as there
are install instructions, I'm not sure about the other two. This
shouldn't block the patch here, but would you mind taking a look?
http://pysam.readthedocs.io/en/latest/installation.html#installation
I had a go at this, and also enabled tests since I was reading the build
system anyway. Samtools and bcftools do not seem possible to un-bundle
at this time, but htslib was straightforward.
OK. I don't think it needs to be propagated though, right? Also, would
you mind separating the change to modify-phases syntax and unbundling of
htslib into two patches please? Other than that this whole series LGTM.
Sorry, I keep asking one more thing..
ben
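
Added example, not part of the original thread and not code from Guix or pysam: a small Python check that parses `readelf -d` output like that quoted above and reports RUNPATH/RPATH entries the dynamic loader would resolve against the process's current working directory. The function names and the two sample strings (abbreviated from the readelf output in the message) are constructed for illustration.

```python
import re

# Value printed by `readelf -d` for DT_RUNPATH / DT_RPATH.
_PATH_RE = re.compile(
    r"\((?:RUNPATH|RPATH)\)\s+Library (?:runpath|rpath):\s*\[(.*?)\]", re.S)

def runpath_entries(readelf_output):
    """Return every search-path entry found in `readelf -d` text."""
    entries = []
    for value in _PATH_RE.findall(readelf_output):
        # Assumption: paths contain no spaces, so whitespace inside the
        # brackets comes from line wrapping (as in a mail) and is dropped.
        entries.extend(re.sub(r"\s+", "", value).split(":"))
    return entries

def classify(entry):
    """Classify one entry by how the loader resolves it."""
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin"    # relative to the directory holding the object
    if entry.startswith("/"):
        return "absolute"
    return "cwd"           # empty or relative: depends on the working directory

def audit(readelf_output):
    """Return the entries that depend on the caller's working directory."""
    return [e for e in runpath_entries(readelf_output) if classify(e) == "cwd"]

# Constructed samples, abbreviated from the two readelf outputs in the thread.
SAMPLE_NEW = (
    " 0x000000000000001d (RUNPATH) Library runpath:\n"
    "[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:"
    "build/lib.linux-x86_64-3.4/pysam:$ORIGIN:"
    "/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib]\n")
SAMPLE_OLD = (
    " 0x000000000000001d (RUNPATH) Library runpath:\n"
    "[/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:"
    "/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib]\n")

if __name__ == "__main__":
    for name, text in (("0.9.1.4 build", SAMPLE_NEW), ("current", SAMPLE_OLD)):
        print(name, "->", audit(text) or "no CWD-dependent entries")
```

Run over the `readelf -d` output of each installed shared object, a non-empty result from `audit` is a reason to fail the build rather than only warn.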