From 2a1c2f23f21aab460292ede7f9091968a4ac922b Mon Sep 17 00:00:00 2001
From: Mohammad Akhlaghi
Date: Thu, 22 Aug 2019 22:38:03 +0530
Subject: OpenMPI environment variable used to disable need for OpenSSH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Until now, OpenMPI would complain about not having `ssh' or `rsh' as a remote shell feature. However, such features should not be necessary in a reproducible scenario and they also have major security issues. With this commit, we are now using OpenMPI's `OMPI_MCA_plm_rsh_agent' environment variable to disable any remote shell dependency for it (as suggested by Boud). Therefore, any dependency for OpenSSH has been removed. But I thought to keep the build instructions incase it may be useful under some un-foreseen scenario. However, to discourage people from building it, a notice was added ontop of the build instructions. This bug was found, tested and solved thanks to Roberto Baena Gallé and Boud Roukema. This fixes bug #56724.
---
 reproduce/analysis/make/initialize.mk | 6 +++++-
 reproduce/software/make/high-level.mk | 8 ++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/reproduce/analysis/make/initialize.mk b/reproduce/analysis/make/initialize.mk
index 3b29b80..644efe4 100644
--- a/reproduce/analysis/make/initialize.mk
+++ b/reproduce/analysis/make/initialize.mk
@@ -120,13 +120,17 @@ export LD_LIBRARY_PATH := $(installdir)/lib
 # causes crashs (see bug #56682). So we'll just give it no value at all.
 export DYLD_LIBRARY_PATH :=
 
+# OpenMPI can depend on an existing `ssh' or `rsh' binary. However, because
+# of security reasons, its best to not install them, disable any
+# remote-shell accesss through this environment variable.
+export OMPI_MCA_plm_rsh_agent=/bin/false
+
 # Recipe startup script, see `reproduce/software/bash/bashrc.sh'.
 export PROJECT_STATUS := make
 export BASH_ENV := $(shell pwd)/reproduce/software/bash/bashrc.sh
 
 
 
-
 # Python enviroment
 # -----------------
 #
diff --git a/reproduce/software/make/high-level.mk b/reproduce/software/make/high-level.mk
index 23e5c00..196eea7 100644
--- a/reproduce/software/make/high-level.mk
+++ b/reproduce/software/make/high-level.mk
@@ -506,12 +506,16 @@ $(ibidir)/openblas: $(tdir)/openblas-$(openblas-version).tar.gz
 && rm -rf OpenBLAS-$(openblas-version) \
 && echo "OpenBLAS $(openblas-version)" > $@
 
-$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz \
- | $(ibidir)/openssh
+$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz
 $(call gbuild, $<, openmpi-$(openmpi-version), static, , \
 -j$(numthreads) V=1) \
 && echo "Open MPI $(openmpi-version)" > $@
 
+# IMPORTANT NOTE: The build instructions for OpenSSH are defined here, but
+# it is best that it not be prerequisite of any program and thus not built
+# within the project because of all the security issues it may cause. Only
+# enable/build it in a project with caution, and if there is no other
+# solution (for example to disable SSH in a program that may ask for it.
 $(ibidir)/openssh: $(tdir)/openssh-$(openssh-version).tar.gz
 $(call gbuild, $<, openssh-$(openssh-version), static, \
 --with-privsep-path=$(ibdir)/.ssh_privsep \
-- 
cgit v1.2.1
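Review bot: The new `export OMPI_MCA_plm_rsh_agent=/bin/false` hard-codes a host path in a file whose other exports point into `$(installdir)`, and `/bin/false` does not exist on every system (on macOS, for instance, `false` lives in `/usr/bin`), so whether the remote-shell launcher is really disabled there should be confirmed rather than assumed. The setting also only reaches processes that inherit this Make environment; a recipe that overrides the variable or passes its own `--mca plm_rsh_agent` would presumably still pick up a host `ssh` if one is on PATH, which the comment could state. For consistency with the neighbouring `:=` exports, and to fix the comment's wording, consider `# For security reasons it is best not to install them, so disable any`, `# remote-shell access through this environment variable.` and `export OMPI_MCA_plm_rsh_agent := /bin/false`.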
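Review bot: The added IMPORTANT NOTE above `$(ibidir)/openssh` leaves its parenthesis unclosed, and its example (building OpenSSH "to disable SSH") reads as a contradiction, so a reader cannot tell when enabling the rule is considered acceptable. Because the rule stays buildable but is no longer pulled in by the `$(ibidir)/openmpi` prerequisite this hunk removes, the pinned `openssh-version` can quietly fall behind security releases; the comment should tell anyone who re-enables it to check that version first. Suggested closing lines: `# enable/build it in a project with caution, only when there is no other`, `# solution, and after checking that $(openssh-version) is still a` and `# supported release.` The openssh rule's recipe continues past the end of this hunk.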