Bug 174884
Summary: | Useless debuginfo package, buildroot traces in installed files | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ville Skyttä <scop> |
Component: | R-mAr | Assignee: | José Matos <jamatos> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | extras-qa |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 1.1-4 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-04-05 09:55:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 162161 |
Description
Ville Skyttä
2005-12-03 12:35:34 UTC
(In reply to comment #0) > R-mAr produces an empty, useless debuginfo package; if that's expected, adding a > %define debug_package %{nil} would get rid of it. I am surprised as well. :-) I did not expect this to happen. :-) > Also, some of the installed files contain buildroot traces, which generally may > cause security problems. I don't know a thing about R, so I don't know if > that's the case. You can reproduce this by installing the fedora-rpmdevtools > package and making sure your ~/.rpmmacros has /usr/lib/rpm/check-buildroot in > %__arch_install_post (see also fedora-buildrpmtree). > > + /usr/lib/rpm/check-buildroot > Binary file > /var/tmp/R-mAr-1.1-3-buildroot-scop/usr/lib/R/library/mAr/Meta/hsearch.rds matches > Found '/var/tmp/R-mAr-1.1-3-buildroot-scop' in installed files; aborting > error: Bad exit status from /var/tmp/rpm-tmp.73072 (%install) Thanks for the tip. I will examine it further to determine if this is "feature" of this R-package or if it happens for other R packages, since I intend to submit more like this for review in Extras. (In reply to comment #0) > R-mAr produces an empty, useless debuginfo package; if that's expected, adding a > %define debug_package %{nil} would get rid of it. Done in 1.1-4 already built. > Also, some of the installed files contain buildroot traces, which generally may > cause security problems. I don't know a thing about R, so I don't know if > that's the case. You can reproduce this by installing the fedora-rpmdevtools > package and making sure your ~/.rpmmacros has /usr/lib/rpm/check-buildroot in > %__arch_install_post (see also fedora-buildrpmtree). > > + /usr/lib/rpm/check-buildroot > Binary file > /var/tmp/R-mAr-1.1-3-buildroot-scop/usr/lib/R/library/mAr/Meta/hsearch.rds matches > Found '/var/tmp/R-mAr-1.1-3-buildroot-scop' in installed files; aborting > error: Bad exit status from /var/tmp/rpm-tmp.73072 (%install) This happens for every R package and it is a consequence of the way as R installs its packages. This is an upstream issue and it is not related with FE packaging. (In reply to comment #2) > > Found '/var/tmp/R-mAr-1.1-3-buildroot-scop' in installed files; aborting > > error: Bad exit status from /var/tmp/rpm-tmp.73072 (%install) > > This happens for every R package and it is a consequence of the way as R > installs its packages. This is an upstream issue and it is not related with > FE packaging. Does that mean that it's harmless, or does R potentially do something funny with the paths, like load modules or something from those dirs? Loading them from /var/tmp would be a big security hole. As far as I understand there is not any problem: https://stat.ethz.ch/pipermail/r-help/2006-February/086069.html I have asked this question in R-devel as it seems that all rpms, and I would expect debian as well, suffer from this. If they are truely harmless, we should add an exception for the relevant files (*.rds ?) to /usr/lib/rpm/check-buildroot like there already exists for *.pyo, *.pyc, *.elc and .packlist. But that requires a definitive confirmation from someone who can say with confidence that it's the right thing to do. They are harmless, see http://thread.gmane.org/gmane.comp.lang.r.devel/7069 FWIW I intend to answer some of those messages. :-) It looks like that that problem will go away in the next release that should be release soon (a couple of months). So I propose to ignore this for the moment, since as soon as the new version is released all packages will be rebuild. Is this OK with you? Yep, works for me. |