Bug 1506355 - macros.python*: Use -Es/-I to invoke python macro scriptlets
Summary: macros.python*: Use -Es/-I to invoke python macro scriptlets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-rpm-macros
Version: rawhide
Hardware: All
OS: All
unspecified
unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-25 19:01 UTC by Ville Skyttä
Modified: 2017-11-15 17:47 UTC (History)
6 users (show)

Fixed In Version: python-rpm-macros-3-23.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-15 17:47:51 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
macros.python*: Use -Es/-I to invoke python macro scriptlets (2.61 KB, patch)
2017-10-25 19:01 UTC, Ville Skyttä 		no flags Details | Diff
View All

Description Ville Skyttä 2017-10-25 19:01:09 UTC 
To avoid environment and user dir influence. 'git am'able fix
attached, let me know if you'd like me to push and build this for
devel.
Comment 1 Ville Skyttä 2017-10-25 19:01:18 UTC 
Created attachment 1343391 [details]
macros.python*: Use -Es/-I to invoke python macro scriptlets

To avoid environment and user dir influence.
Comment 2 Jason Tibbitts 2017-10-25 20:44:14 UTC 
Seems quite reasonable to me, but my schedule is packed and I won't have time to apply it today.  Certainly Orion is welcome to do so if he has time.
Comment 3 Orion Poplawski 2017-10-25 21:01:36 UTC 
Seems like a good idea to me.  Please go ahead as I have no time.
Comment 4 Ville Skyttä 2017-10-26 10:51:40 UTC 
Pushed but unable to build right now, I'll leave that to someone else to take care of.
Comment 5 Charalampos Stratakis 2017-10-26 12:50:10 UTC 
Is there any actual behavior change compared to how the macros were utilized so far? Any use case where this might break something (or how it was broken before)?
Comment 6 Jason Tibbitts 2017-10-26 17:18:59 UTC 
There shouldn't be unless you somehow expected the environment to leak into the python calls.  Since they're only extracting either versions or paths built into python, I can't think of any case where that would be useful.
Comment 7 Ville Skyttä 2017-10-29 08:50:07 UTC 
Right. Regarding how it was broken before, here's one example:

$ mkdir /tmp/distutils
# touch /tmp/distutils/__init__.py ; echo $'def get_python_lib(*_):\n print("arbitrary code!")\n return ""' > /tmp/distutils/sysconfig.py
$ PYTHONPATH=/tmp rpm -E %python_sitelib
arbitrary code!
Comment 8 Ville Skyttä 2017-10-29 08:56:32 UTC 
Oops, bad example, should have been "rpm -E %python2_sitelib" to reproduce the issue with this package. %python_sitelib comes from rpm itself (and has already been fixed in git master there).
Comment 9 Fedora Update System 2017-11-08 14:48:48 UTC 
python-rpm-macros-3-23.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c877b9b704
Comment 10 Fedora Update System 2017-11-08 20:31:59 UTC 
python-rpm-macros-3-23.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c877b9b704
Comment 11 Fedora Update System 2017-11-15 17:47:51 UTC 
python-rpm-macros-3-23.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.