Bug 1506355

Summary: macros.python*: Use -Es/-I to invoke python macro scriptlets
Product: [Fedora] Fedora
Reporter: Ville Skyttä <ville.skytta>
Component: python-rpm-macros
Assignee: Orion Poplawski <orion>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: cstratak, j, mcyprian, orion, python-sig, ville.skytta
Hardware: All
OS: All
Fixed In Version: python-rpm-macros-3-23.fc27
Last Closed: 2017-11-15 17:47:51 UTC
Attachments: macros.python*: Use -Es/-I to invoke python macro scriptlets (flags: none)

Description Ville Skyttä 2017-10-25 19:01:09 UTC
To avoid environment and user dir influence. 'git am'able fix
attached, let me know if you'd like me to push and build this for
devel.

Comment 1 Ville Skyttä 2017-10-25 19:01:18 UTC
Created attachment 1343391
macros.python*: Use -Es/-I to invoke python macro scriptlets

To avoid environment and user dir influence.

Comment 2 Jason Tibbitts 2017-10-25 20:44:14 UTC
Seems quite reasonable to me, but my schedule is packed and I won't have time to apply it today.  Certainly Orion is welcome to do so if he has time.

Comment 3 Orion Poplawski 2017-10-25 21:01:36 UTC
Seems like a good idea to me.  Please go ahead as I have no time.

Comment 4 Ville Skyttä 2017-10-26 10:51:40 UTC
Pushed but unable to build right now, I'll leave that to someone else to take care of.

Comment 5 Charalampos Stratakis 2017-10-26 12:50:10 UTC
Is there any actual behavior change compared to how the macros were utilized so far? Any use case where this might break something (or how it was broken before)?

Comment 6 Jason Tibbitts 2017-10-26 17:18:59 UTC
There shouldn't be unless you somehow expected the environment to leak into the python calls.  Since they're only extracting either versions or paths built into python, I can't think of any case where that would be useful.

Comment 7 Ville Skyttä 2017-10-29 08:50:07 UTC
Right. Regarding how it was broken before, here's one example:

$ mkdir /tmp/distutils
$ touch /tmp/distutils/__init__.py ; echo $'def get_python_lib(*_):\n print("arbitrary code!")\n return ""' > /tmp/distutils/sysconfig.py
$ PYTHONPATH=/tmp rpm -E %python_sitelib
arbitrary code!

Comment 8 Ville Skyttä 2017-10-29 08:56:32 UTC
Oops, bad example, should have been "rpm -E %python2_sitelib" to reproduce the issue with this package. %python_sitelib comes from rpm itself (and has already been fixed in git master there).
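
Added example, not part of the bug thread or of python-rpm-macros: a regression check for the behaviour discussed in comments 5 to 8. It confirms that a child interpreter started with -E, -Es or -I ignores a module planted on PYTHONPATH, while the default invocation imports it. The shadowed module (colorsys), the marker name and the function names are assumptions chosen for this sketch, and it covers only the PYTHONPATH half of the fix, not the user site directory.

```python
import os
import subprocess
import sys
import tempfile

# Hypothetical names for this sketch; none come from python-rpm-macros.
SHADOWED_MODULE = "colorsys"  # small stdlib module, not imported at startup
PROBE = (
    f"import {SHADOWED_MODULE} as m; "
    "print('shadow' if hasattr(m, 'SHADOW_MARKER') else 'stdlib')"
)
FLAG_SETS = {
    "default": [],
    "-E": ["-E"],    # ignore PYTHON* environment variables
    "-Es": ["-Es"],  # -E plus: do not add the user site directory
    "-I": ["-I"],    # isolated mode (implies -E and -s)
}


def which_module_wins(flags, pythonpath):
    """Run PROBE in a child interpreter; report which module it imported."""
    env = dict(os.environ, PYTHONPATH=pythonpath)
    out = subprocess.run(
        [sys.executable, *flags, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def audit_flag_sets():
    """Return {label: 'shadow' | 'stdlib'} for each entry in FLAG_SETS."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed, harmless stand-in for a module planted on PYTHONPATH.
        with open(os.path.join(tmp, SHADOWED_MODULE + ".py"), "w") as fh:
            fh.write("SHADOW_MARKER = True\n")
        return {label: which_module_wins(flags, tmp)
                for label, flags in FLAG_SETS.items()}


if __name__ == "__main__":
    for label, winner in audit_flag_sets().items():
        verdict = "environment leaks in" if winner == "shadow" else "ok"
        print(f"{label:8} imports {winner:6} -> {verdict}")
```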

Comment 9 Fedora Update System 2017-11-08 14:48:48 UTC
python-rpm-macros-3-23.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c877b9b704

Comment 10 Fedora Update System 2017-11-08 20:31:59 UTC
python-rpm-macros-3-23.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c877b9b704

Comment 11 Fedora Update System 2017-11-15 17:47:51 UTC
python-rpm-macros-3-23.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.