authorMohammad Akhlaghi <mohammad@akhlaghi.org>2019-08-22 22:38:03 +0530
committerMohammad Akhlaghi <mohammad@akhlaghi.org>2019-08-22 22:38:03 +0530
commit2a1c2f23f21aab460292ede7f9091968a4ac922b (patch)
treeaedd7f6baf05abad6f833cb6e64017fc0680b2fa
parent0980667fe8d08596b107cb19ab57563c66cea221 (diff)
OpenMPI environment variable used to disable need for OpenSSH
Until now, OpenMPI would complain about not having `ssh' or `rsh' as a remote shell feature. However, such features should not be necessary in a reproducible scenario and they also have major security issues. With this commit, we are now using OpenMPI's `OMPI_MCA_plm_rsh_agent' environment variable to disable any remote shell dependency for it (as suggested by Boud). Therefore, any dependency on OpenSSH has been removed. But I thought to keep the build instructions in case they may be useful under some unforeseen scenario. However, to discourage people from building it, a notice was added on top of the build instructions. This bug was found, tested and solved thanks to Roberto Baena Gallé and Boud Roukema. This fixes bug #56724.
-rw-r--r--reproduce/analysis/make/initialize.mk6
-rw-r--r--reproduce/software/make/high-level.mk8
2 files changed, 11 insertions, 3 deletions
diff --git a/reproduce/analysis/make/initialize.mk b/reproduce/analysis/make/initialize.mk
index 3b29b80..644efe4 100644
--- a/reproduce/analysis/make/initialize.mk
+++ b/reproduce/analysis/make/initialize.mk
@@ -120,13 +120,17 @@ export LD_LIBRARY_PATH := $(installdir)/lib
# causes crashs (see bug #56682). So we'll just give it no value at all.
export DYLD_LIBRARY_PATH :=
+# OpenMPI can depend on an existing `ssh' or `rsh' binary. However, because
+# of security reasons, its best to not install them, disable any
+# remote-shell accesss through this environment variable.
+export OMPI_MCA_plm_rsh_agent=/bin/false
+
# Recipe startup script, see `reproduce/software/bash/bashrc.sh'.
export PROJECT_STATUS := make
export BASH_ENV := $(shell pwd)/reproduce/software/bash/bashrc.sh
-
# Python enviroment
# -----------------
#
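Review bot: The added `export OMPI_MCA_plm_rsh_agent=/bin/false` points at a host path outside `$(installdir)`, unlike the `LD_LIBRARY_PATH` setting just above it, and the comment does not say what the setting costs. `/bin/false` is not present on every system (macOS, which the `DYLD_LIBRARY_PATH` line suggests is supported, ships it as `/usr/bin/false` as far as I know), so it is worth confirming how Open MPI behaves when the agent path is missing, or pointing at a `false` under `$(installdir)/bin` if the project builds one. I would also extend the comment with `# With no remote-shell agent, Open MPI cannot start processes on other hosts through ssh/rsh.` so a later reader does not treat a failed multi-host launch as a bug. For consistency with the neighbouring exports the assignment could be written `export OMPI_MCA_plm_rsh_agent := /bin/false`.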
diff --git a/reproduce/software/make/high-level.mk b/reproduce/software/make/high-level.mk
index 23e5c00..196eea7 100644
--- a/reproduce/software/make/high-level.mk
+++ b/reproduce/software/make/high-level.mk
@@ -506,12 +506,16 @@ $(ibidir)/openblas: $(tdir)/openblas-$(openblas-version).tar.gz
&& rm -rf OpenBLAS-$(openblas-version) \
&& echo "OpenBLAS $(openblas-version)" > $@
-$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz \
- | $(ibidir)/openssh
+$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz
$(call gbuild, $<, openmpi-$(openmpi-version), static, , \
-j$(numthreads) V=1) \
&& echo "Open MPI $(openmpi-version)" > $@
+# IMPORTANT NOTE: The build instructions for OpenSSH are defined here, but
+# it is best that it not be prerequisite of any program and thus not built
+# within the project because of all the security issues it may cause. Only
+# enable/build it in a project with caution, and if there is no other
+# solution (for example to disable SSH in a program that may ask for it.
$(ibidir)/openssh: $(tdir)/openssh-$(openssh-version).tar.gz
$(call gbuild, $<, openssh-$(openssh-version), static, \
--with-privsep-path=$(ibdir)/.ssh_privsep \
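Review bot: Dropping `| $(ibidir)/openssh` from the `$(ibidir)/openmpi` rule leaves the software-building phase without `ssh` too, but the `OMPI_MCA_plm_rsh_agent` export in this commit is added only to `reproduce/analysis/make/initialize.mk`. If any recipe in this file runs an MPI program while building or checking (not visible in this hunk), it would presumably meet the same complaint; exporting the variable here as well, or stating in a comment that no build step launches MPI, would close that gap. The new warning comment is advisory only: `$(ibidir)/openssh` remains a buildable target, and the parenthesis opened at `(for example to disable SSH` is never closed. The openssh rule's recipe continues past the end of the hunk.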