From 2c0f345a6df913c1a532c407fe4b8fa4445dafdb Mon Sep 17 00:00:00 2001 From: Mohammad Akhlaghi Date: Wed, 17 Jun 2020 02:08:02 +0100 Subject: New target --dist-software to package all necessary software tarballs When publishing a project, it is necessary to also publish the source code of all necessary software of the project. We had recently added a new './project make' target called 'dist-software' for this job, but had forgotten to add it in the output of './project --help'! There was also a small bug inside of it that didn't allow the successful copying of the created tarball to the top project directory. With this commit, an explanation for this target has been added in the output of './project --help' and that bug has been fixed. --- reproduce/analysis/make/initialize.mk | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'reproduce/analysis') diff --git a/reproduce/analysis/make/initialize.mk b/reproduce/analysis/make/initialize.mk index acc527d..b2185e2 100644 --- a/reproduce/analysis/make/initialize.mk +++ b/reproduce/analysis/make/initialize.mk @@ -380,19 +380,15 @@ dist-zip: $(project-package-contents) # Package the software tarballs. dist-software: curdir=$$(pwd) + dirname=software-$(project-commit-hash) cd $(BDIR) - if [ -d .git ]; then - dirname="software-$$(git describe --dirty --always --long)" - else - dirname="software-NOGIT"; - fi mkdir $$dirname cp -L software/tarballs/* $$dirname/ tar -cf $$dirname.tar $$dirname gzip -f --best $$dirname.tar rm -rf $$dirname cd $$curdir - mv $(BDIR)/$$dir.tar.gz ./ + mv $(BDIR)/$$dirname.tar.gz ./ -- cgit v1.2.1 From 1a4066d086222ef88ba5dd9473da6b036775d014 Mon Sep 17 00:00:00 2001 
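Review bot: Every step of the `dist-software` recipe depends on the `cd $(BDIR)` and on the shell variables `curdir` and `dirname` set on earlier lines, but nothing in the hunk stops the recipe when one of them fails. It works only if the file runs each recipe in a single shell (presumably `.ONESHELL`, set outside this hunk). Unless that shell also exits on error, a failed `cd`, or a `mkdir` that hits a directory left over from an interrupted run, lets `cp`, `tar` and `rm -rf $$dirname` continue in the wrong place. I would make the two fallible steps explicit and quote the expansions: `cd "$(BDIR)" || exit 1` and `mkdir "$$dirname" || exit 1`. Since this archive is what readers will rebuild the project from, it would also help to write a checksum list of the copied tarballs into `$$dirname` before the `tar` step so recipients can verify them.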
From: Boud Roukema Date: Tue, 16 Jun 2020 00:42:35 +0200 Subject: Security risk of LaTeX's -shell-escape option explained in comment The 'pdflatex' program is used to build the default Maneage-branch paper. But since the default paper uses PGFPlots to build the figures within LaTeX as an external PDF, PGFPlots requires 'pdflatex' to be called with the '-shell-escape' option. Generally, this option can be considered as a security risk (in particular when 'pdflatex' is being run on an external LaTeX file: a malicious LaTeX writer may embed commands in the LaTeX source that will be executed on the host if this option is present). This is not too serious an issue in Maneage, because when someone runs Maneage, they intentionally let it run many commands on their system. Hence if someone wants to exploit a host system, they can add the necessary commands long before 'pdflatex' is run. After all, all commands in Maneage are run with the calling user's permissions, hence they have access to many parts of the user's accounts. If someone is worried about security on a non-trusted Maneage project they should act the same as they do with any software: define a new user for it, and call it with that user (as a weak-level security), or run it in a virtual machine or container. However, since this option has been explicitly mentioned as a security risk before, it helps if we have a comment explaining its usage in 'paper.mk'. With this commit, the concerned user will read a brief explanation and can read the brief discussion at [1] and possibly re-open the discussion or propose ways of mitigating the security risk(s). [1] https://savannah.nongnu.org/task/?15694 --- reproduce/analysis/make/paper.mk | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'reproduce/analysis') diff --git a/reproduce/analysis/make/paper.mk b/reproduce/analysis/make/paper.mk index 226a37d..5227e55 100644 --- a/reproduce/analysis/make/paper.mk +++ b/reproduce/analysis/make/paper.mk 
@@ -100,6 +100,13 @@ $(texbdir)/paper.bbl: tex/src/references.tex $(mtexdir)/dependencies-bib.tex \ p=$$(pwd) export TEXINPUTS=$$p: cd $(texbdir); + + # The pdflatex option '-shell-escape' is "normally disallowed for + # security reasons" according to the `info pdflatex' manual, but + # is enabled here in order to allow the use of PGFPlots. If you + # do not use PGFPlots, then you should remove the `-shell-escape' + # option for better security. See + # https://savannah.nongnu.org/task/?15694 for details. pdflatex -shell-escape -halt-on-error $$p/paper.tex biber paper @@ -127,6 +134,8 @@ paper.pdf: $(mtexdir)/project.tex paper.tex $(texbdir)/paper.bbl p=$$(pwd) export TEXINPUTS=$$p: cd $(texbdir) + # See above for a warning and brief discussion on the the + # pdflatex option `-shell-escape'. pdflatex -shell-escape -halt-on-error $$p/paper.tex # Come back to the top project directory and copy the built PDF -- cgit v1.2.1 From 4785b459b8c31ae11b8974724ccbf2723e001d75 Mon Sep 17 00:00:00 2001 
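Review bot: The new comment in the `$(texbdir)/paper.bbl` recipe tells users to delete `-shell-escape` by hand, while the flag stays hard-coded in both `pdflatex` calls (here and in the `paper.pdf` hunk below). A project that does not use PGFPlots therefore keeps command execution from LaTeX sources enabled by default. Consider holding the flag in one variable, for example `pdflatex-shell-escape = -shell-escape` (the name is only a suggestion), documented once and used in both recipes, so that turning it off is a one-line change. The comment could also state what is exposed: with this flag, any `\write18` in `paper.tex` or in a file TeX finds through `TEXINPUTS` runs with the calling user's permissions. The recipe starts and ends outside the hunk.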
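Review bot: The comment added in the `paper.pdf` recipe has a doubled word ("on the the") and points to "above" without saying where. That reference breaks once the rules are reordered, and it does not help a reader who lands here from a search for `-shell-escape`. Naming the rule keeps the security note findable: `# See the comment in the '$(texbdir)/paper.bbl' rule for the security implications of '-shell-escape'.` The `paper.pdf` recipe continues outside the hunk.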
From: Raul Infante-Sainz Date: Fri, 19 Jun 2020 12:12:15 +0100 Subject: Removing preparation-done.mk when cleaning by ./project make clean Until this commit, the file `BDIR/software/preparation-done.mk' were not removed when cleaning the project with `./project make clean'. This file is generated in the preparation of the data during the analysis step. However, the cleaning is expected to remove anything generated in the analysis process! Step by step, with the commands: ./project make ---> Will make the preparation and analysis ./project make clean ---> Will remove all analysis outputs (but not `preparation-done.mk') ./project make ---> Won't do the preparation, only analysis! However, in the last step it should do the preparation again, because the input data could have change for any reason. With this commit, the file `BDIR/software/preparation-done.mk' is removed when cleaning the project, and consequently, in the analysis step the input data is prepared. --- reproduce/analysis/make/initialize.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'reproduce/analysis') diff --git a/reproduce/analysis/make/initialize.mk b/reproduce/analysis/make/initialize.mk index b2185e2..47e6712 100644 --- a/reproduce/analysis/make/initialize.mk +++ b/reproduce/analysis/make/initialize.mk @@ -242,6 +242,7 @@ clean: clean-mmap rm -rf $(BDIR)/tex/macros/!(dependencies.tex|dependencies-bib.tex) rm -rf $(BDIR)/!(software|tex) $(BDIR)/tex/!(macros|$(texbtopdir)) rm -rf $(BDIR)/tex/build/!(tikz) $(BDIR)/tex/build/tikz/* + rm -rf $(BDIR)/software/preparation-done.mk distclean: clean # Without cleaning the Git hooks, we won't be able to easily -- cgit v1.2.1
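Review bot: The added line uses `rm -rf` on what the commit message describes as a single generated file, so `-r` is unnecessary and only widens what is deleted if the path ever resolves to a directory; `rm -f $(BDIR)/software/preparation-done.mk` is enough. Like the context lines around it, the new line also expands `$(BDIR)` unguarded: no check that it is non-empty is visible in the hunk, and with an empty value these commands would act on paths under `/`. If no such check exists earlier in the file, a guard such as `$(if $(strip $(BDIR)),,$(error BDIR is empty))` at the top of the `clean` recipe would cover all of them. The `clean` recipe starts outside the hunk.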