diff options
| author | Mohammad Akhlaghi <mohammad@akhlaghi.org> | 2019-08-22 22:38:03 +0530 |
|---|---|---|
| committer | Mohammad Akhlaghi <mohammad@akhlaghi.org> | 2019-08-22 22:38:03 +0530 |
| commit | 2a1c2f23f21aab460292ede7f9091968a4ac922b (patch) | |
| tree | aedd7f6baf05abad6f833cb6e64017fc0680b2fa | |
| parent | 0980667fe8d08596b107cb19ab57563c66cea221 (diff) | |
OpenMPI environment variable used to disable need for OpenSSH
Until now, OpenMPI would complain about not having `ssh' or `rsh' as a
remote shell feature. However, such features should not be necessary in a
reproducible scenario and they also have major security issues.
With this commit, we are now using OpenMPI's `OMPI_MCA_plm_rsh_agent'
environment variable to disable any remote shell dependency for it (as
suggested by Boud). Therefore, any dependency for OpenSSH has been
removed. But I thought to keep the build instructions incase it may be
useful under some un-foreseen scenario. However, to discourage people from
building it, a notice was added ontop of the build instructions.
This bug was found, tested and solved thanks to Roberto Baena Gallé and
Boud Roukema.
This fixes bug #56724.
| -rw-r--r-- | reproduce/analysis/make/initialize.mk | 6 | ||||
| -rw-r--r-- | reproduce/software/make/high-level.mk | 8 |
2 files changed, 11 insertions, 3 deletions
diff --git a/reproduce/analysis/make/initialize.mk b/reproduce/analysis/make/initialize.mk index 3b29b80..644efe4 100644 --- a/reproduce/analysis/make/initialize.mk +++ b/reproduce/analysis/make/initialize.mk @@ -120,13 +120,17 @@ export LD_LIBRARY_PATH := $(installdir)/lib # causes crashs (see bug #56682). So we'll just give it no value at all. export DYLD_LIBRARY_PATH := +# OpenMPI can depend on an existing `ssh' or `rsh' binary. However, because +# of security reasons, its best to not install them, disable any +# remote-shell accesss through this environment variable. +export OMPI_MCA_plm_rsh_agent=/bin/false + # Recipe startup script, see `reproduce/software/bash/bashrc.sh'. export PROJECT_STATUS := make export BASH_ENV := $(shell pwd)/reproduce/software/bash/bashrc.sh - # Python enviroment # ----------------- # diff --git a/reproduce/software/make/high-level.mk b/reproduce/software/make/high-level.mk index 23e5c00..196eea7 100644 --- a/reproduce/software/make/high-level.mk +++ b/reproduce/software/make/high-level.mk @@ -506,12 +506,16 @@ $(ibidir)/openblas: $(tdir)/openblas-$(openblas-version).tar.gz && rm -rf OpenBLAS-$(openblas-version) \ && echo "OpenBLAS $(openblas-version)" > $@ -$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz \ - | $(ibidir)/openssh +$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz $(call gbuild, $<, openmpi-$(openmpi-version), static, , \ -j$(numthreads) V=1) \ && echo "Open MPI $(openmpi-version)" > $@ +# IMPORTANT NOTE: The build instructions for OpenSSH are defined here, but +# it is best that it not be prerequisite of any program and thus not built +# within the project because of all the security issues it may cause. Only +# enable/build it in a project with caution, and if there is no other +# solution (for example to disable SSH in a program that may ask for it. $(ibidir)/openssh: $(tdir)/openssh-$(openssh-version).tar.gz $(call gbuild, $<, openssh-$(openssh-version), static, \ --with-privsep-path=$(ibdir)/.ssh_privsep \ |