From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Woodcroft <b.woodcroft@uq.edu.au>
Subject: Re: [PATCH 2/3] gnu: Add python-pyxb.
Date: Fri, 23 Sep 2016 11:28:43 +1000
Message-ID: <03badac9-3d2d-25ad-b0ed-3695d8a70bc7@uq.edu.au>
References: <20160917101047.4597-1-mbakke@fastmail.com>
	<20160917101047.4597-3-mbakke@fastmail.com>
	<3bd16b58-b3d1-d47c-2433-c3a721681463@uq.edu.au>
	<39d81c47-a96d-1f1c-ad1d-a80e7b7f109d@uq.edu.au>
	<1a9d61d6-0ee2-1161-25b4-9ffd32396039@uq.edu.au>
	<87h999ymzk.fsf@ike.i-did-not-set--mail-host-address--so-tickle-me>
	<679cc096-9eed-152f-0a01-f4a1d85c422e@uq.edu.au>
	<87eg4cyni4.fsf@ike.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52893)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <b.woodcroft@uq.edu.au>) id 1bnFIQ-00077T-Kv
	for guix-devel@gnu.org; Thu, 22 Sep 2016 21:29:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <b.woodcroft@uq.edu.au>) id 1bnFIN-0006gV-Ec
	for guix-devel@gnu.org; Thu, 22 Sep 2016 21:28:58 -0400
Received: from mailhub1.soe.uq.edu.au ([130.102.132.208]:50019
	helo=newmailhub.uq.edu.au) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <b.woodcroft@uq.edu.au>) id 1bnFIM-0006aM-S3
	for guix-devel@gnu.org; Thu, 22 Sep 2016 21:28:55 -0400
In-Reply-To: <87eg4cyni4.fsf@ike.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>, "guix-devel@gnu.org" <guix-devel@gnu.org>



On 09/23/2016 01:15 AM, Marius Bakke wrote:
> Ben Woodcroft <b.woodcroft@uq.edu.au> writes:
>
>>> Subject: [PATCH 1/3] gnu: python-pysam: Update to 0.9.1.4.
>> I'm not sure whether this is a product of the upgrade or not, but I
>> notice this in the build log. I think it is harmless though, WDYT?
>>
>> starting phase `validate-runpath'
>> validating RUNPATH of 10 binaries in
>> "/gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib"...
>> /gnu/store/bpiq3lm6b1kpf54i1vj2dl09ff293wic-python-pysam-0.9.1.4/lib/python3.4/site-packages/pysam-0.9.1.4-py3.4-linux-x86_64.egg/pysam/libchtslib.cpython-34m.so:
>> warning: RUNPATH contains bogus entries: ("pysam" "."
>> "build/lib.linux-x86_64-3.4/pysam")
> I don't see this in the previous version, so it is a regression.
> However, it should be mostly harmless. Readelf reports (when compiled
> with external htslib, see below):
>
>   0x000000000000001d (RUNPATH)            Library runpath: [/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/ba22myqvxccwmmjwwq665rc43hanycxy-htslib-1.3.1/lib:build/lib.linux-x86_64-3.4/pysam:$ORIGIN:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]
>
> Compared to the runpath of the same file currently in Guix:
>
>   0x000000000000001d (RUNPATH)            Library runpath: [/gnu/store/m4gc2wx4q9if1vrhgclpspdil7rqsn21-python-3.4.3/lib:/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib:/gnu/store/xl19qrfzga52vrvp4ncccwjlnrjqwj95-ncurses-6.0/lib:/gnu/store/5992iq1v7arqa14ym3di58n4la0893nv-zlib-1.2.8/lib:/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib/lib/gcc/x86_64-unknown-linux-gnu/4.9.3/../../..]
>
> If a folder named "$CWD/build/lib.linux-x86_64-3.4/pysam exists, it
> could potentially allow for code injection, which is troubling.
>
> I opened an issue on their tracker, but don't think it's worth holding
> the patch: https://github.com/pysam-developers/pysam/issues/347
Thanks, I agree.

>
>> Also, I notice that pysam bundles htslib, bcftools and samtools C code.
>> Hopefully it should be straightforward enough to remove htslib as there
>> are install instructions, I'm not sure about the other two. This
>> shouldn't block the patch here, but would you mind taking a look?
>> http://pysam.readthedocs.io/en/latest/installation.html#installation
> I had a go at this, and also enabled tests since I was reading the build
> system anyway. Samtools and bcftools does not seem possible to un-bundle
> at this time, but htslib was straightforward.
OK. I don't think it needs to be propagated though, right? Also, would 
you mind separating the change to modify-phases syntax and unbundling of 
htslib into two patches please? Other than that this whole series LGTM.

Sorry, I keep asking one more thing..
ben