From 2a1c2f23f21aab460292ede7f9091968a4ac922b Mon Sep 17 00:00:00 2001
From: Mohammad Akhlaghi <mohammad@akhlaghi.org>
Date: Thu, 22 Aug 2019 22:38:03 +0530
Subject: OpenMPI environment variable used to disable need for OpenSSH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Until now, OpenMPI would complain about not having `ssh' or `rsh' as a
remote shell feature. However, such features should not be necessary in a
reproducible scenario and they also have major security issues.

With this commit, we are now using OpenMPI's `OMPI_MCA_plm_rsh_agent'
environment variable to disable any remote shell dependency for it (as
suggested by Boud). Therefore, any dependency for OpenSSH has been
removed. But I thought to keep the build instructions incase it may be
useful under some un-foreseen scenario. However, to discourage people from
building it, a notice was added ontop of the build instructions.

This bug was found, tested and solved thanks to Roberto Baena Gallé and
Boud Roukema.

This fixes bug #56724.
---
 reproduce/software/make/high-level.mk | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'reproduce/software/make/high-level.mk')

diff --git a/reproduce/software/make/high-level.mk b/reproduce/software/make/high-level.mk
index 23e5c00..196eea7 100644
--- a/reproduce/software/make/high-level.mk
+++ b/reproduce/software/make/high-level.mk
@@ -506,12 +506,16 @@ $(ibidir)/openblas: $(tdir)/openblas-$(openblas-version).tar.gz
 	&& rm -rf OpenBLAS-$(openblas-version) \
 	&& echo "OpenBLAS $(openblas-version)" > $@
 
-$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz \
-                   | $(ibidir)/openssh
+$(ibidir)/openmpi: $(tdir)/openmpi-$(openmpi-version).tar.gz
 	$(call gbuild, $<, openmpi-$(openmpi-version), static, , \
 	               -j$(numthreads) V=1) \
 	&& echo "Open MPI $(openmpi-version)" > $@
 
+# IMPORTANT NOTE: The build instructions for OpenSSH are defined here, but
+# it is best that it not be prerequisite of any program and thus not built
+# within the project because of all the security issues it may cause. Only
+# enable/build it in a project with caution, and if there is no other
+# solution (for example to disable SSH in a program that may ask for it.
 $(ibidir)/openssh: $(tdir)/openssh-$(openssh-version).tar.gz
 	$(call gbuild, $<, openssh-$(openssh-version), static, \
 	               --with-privsep-path=$(ibdir)/.ssh_privsep \
-- 
cgit v1.2.1