Re: Embedded buildpath via rpath using cmake

2022-04-03 Thread Vagrant Cascadian
On 2022-02-03, Vagrant Cascadian wrote:
> Over the last several months, I and others have found quite a few
> packages that embed build paths via rpath when building with cmake. I
> found myself slowly edging into a mass bug filing, one bug report at a
> time...
>
> I ended up submitting a few pat

Re: Embedded buildpath via rpath using cmake

2022-02-05 Thread Maxime Chambonnet
I don't know really where to add this bit of information in the discussion, so I am taking the latest leaf. The rpath trend, with or without cmake, is likely to continue as it is being reborn by spack, nix and guix. The points made by smcv about arbitrary code execution and reproducibility are inte

Re: Embedded buildpath via rpath using cmake

2022-02-05 Thread Vagrant Cascadian
On 2022-02-04, Simon McVittie wrote:
> On Fri, 04 Feb 2022 at 13:07:53 +0800, Paul Wise wrote:
>> Vagrant Cascadian wrote:
>> > Over the last several months, I and others have found quite a few
>> > packages that embed build paths via rpath when building with cmake.
>>
>> This seems like the sort

Re: Embedded buildpath via rpath using cmake

2022-02-05 Thread Vagrant Cascadian
On 2022-02-04, David Prévot wrote:
> On 04/02/2022 at 08:58, Andreas Ronnquist wrote:
>> On Thu, 03 Feb 2022 16:41:21 -0800,
>> Vagrant Cascadian wrote:
>
>>> If you're on the list, would love if you could check if your package
>>> still builds correctly when passing only
>>> -DCMAKE_BUILD_RPATH_

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Seth Arnold
On Fri, Feb 04, 2022 at 10:49:43AM +, Simon McVittie wrote:
> CMake removes the RUNPATH
> just before installation, so it doesn't become a security problem,
> but that's too late to stop it from affecting the build-ID - and the
> *length* of the build directory can also affect the contents of t

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Vagrant Cascadian
On 2022-02-04, Seth Arnold wrote:
> On Thu, Feb 03, 2022 at 04:41:21PM -0800, Vagrant Cascadian wrote:
>> Over the last several months, I and others have found quite a few
>> packages that embed build paths via rpath when building with cmake. I
>> found myself slowly edging into a mass bug filing,

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Vagrant Cascadian
On 2022-02-04, Paul Wise wrote:
> Vagrant Cascadian wrote:
>
>> Over the last several months, I and others have found quite a few
>> packages that embed build paths via rpath when building with cmake.
>
> This seems like the sort of thing that will be an ongoing problem, so
> if it is detectable st

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread David Prévot
Hi,

On 04/02/2022 at 08:58, Andreas Ronnquist wrote:
On Thu, 03 Feb 2022 16:41:21 -0800, Vagrant Cascadian wrote:
If you're on the list, would love if you could check if your package still builds correctly when passing only -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON. For a few of the packages, ther

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Andreas Ronnquist
On Thu, 03 Feb 2022 16:41:21 -0800, Vagrant Cascadian wrote:
>
>I've attached a list of the maintainers of affected packages produced
>with dd-list, getting the list of packages from the above-mentioned
>reproducible builds issue and diff.dcsr.txt from archive rebuild.
>
>If you're on the list, wou

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Roland Clobus
On 04/02/2022 11:58, Simon McVittie wrote: For packages where the RPATH or RUNPATH is temporarily set during build (to be able to run unit tests without setting LD_LIBRARY_PATH) but then removed before installation with `chrpath -d` or equivalent code in CMake, I don't think this is going to be d

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Simon McVittie
On Fri, 04 Feb 2022 at 13:07:53 +0800, Paul Wise wrote:
> Vagrant Cascadian wrote:
> > Over the last several months, I and others have found quite a few
> > packages that embed build paths via rpath when building with cmake.
>
> This seems like the sort of thing that will be an ongoing problem, so

Re: Embedded buildpath via rpath using cmake

2022-02-04 Thread Simon McVittie
On Fri, 04 Feb 2022 at 02:23:54 +, Seth Arnold wrote:
> does this represent a security problem?

"It depends".

(This answer is not specific to CMake, it's equally valid for any build system.)

If the RPATH or RUNPATH points to a trusted directory where write access would require root-equivalent

Re: Embedded buildpath via rpath using cmake

2022-02-03 Thread Paul Wise
Vagrant Cascadian wrote:
> Over the last several months, I and others have found quite a few
> packages that embed build paths via rpath when building with cmake.

This seems like the sort of thing that will be an ongoing problem, so if it is detectable statically then a lintian warning might be g

Re: Embedded buildpath via rpath using cmake

2022-02-03 Thread Seth Arnold
On Thu, Feb 03, 2022 at 04:41:21PM -0800, Vagrant Cascadian wrote:
> Over the last several months, I and others have found quite a few
> packages that embed build paths via rpath when building with cmake. I
> found myself slowly edging into a mass bug filing, one bug report at a
> time...

Hello V