pkgsrc-Users archive


Re: Question about PKG_DEVELOPER and math/py-scipy



Hi Greg and Makoto,

Thank you for the information.

Permissions of archived files are all "-rwxrwxrwx".

---------------------------------------------------------------------------
# tar tzvf /usr/pkgsrc/distfiles/scipy-1.6.0.tar.gz | head
drwxrwxrwx  0 treddy treddy      0 Dec 31 07:11 scipy-1.6.0/
-rwxrwxrwx  0 treddy treddy     40 Dec 31 07:01 scipy-1.6.0/.coveragerc
-rwxrwxrwx  0 treddy treddy  14420 Feb 14  2020 scipy-1.6.0/HACKING.rst.txt
-rwxrwxrwx  0 treddy treddy   7069 Dec  4 09:52 scipy-1.6.0/INSTALL.rst.txt
-rwxrwxrwx  0 treddy treddy  12650 Dec 31 07:11 scipy-1.6.0/LICENSE.txt
-rwxrwxrwx  0 treddy treddy    945 Feb 14  2020 scipy-1.6.0/MANIFEST.in
-rwxrwxrwx  0 treddy treddy   2130 Dec 31 07:11 scipy-1.6.0/PKG-INFO
-rwxrwxrwx  0 treddy treddy   2682 May 22  2020 scipy-1.6.0/README.rst
drwxrwxrwx  0 treddy treddy      0 Dec 31 07:11 scipy-1.6.0/benchmarks/
-rwxrwxrwx  0 treddy treddy   3235 Nov  5 13:02 scipy-1.6.0/benchmarks/README.rst
---------------------------------------------------------------------------

It seems that adding the following to the Makefile fixes the problem.

---------------------------------------------------------------------------
# for changing permission of extracted files from -rwxrwxrwx to -rwxr-xr-x
EXTRACT_OPTS_TAR+=      --no-same-permissions
---------------------------------------------------------------------------

Thank you again,

Daisuke

On Fri, 8 Jan 2021 at 21:52, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
>
> Kinoshita Daisuke <kinoshita%astro.ncu.edu.tw@localhost> writes:
>
> > ---------------------------------------------------------------------------
> > warning: /data0/netbsd/pkgsrc/current/pkgsrc/math/py-scipy/work/.destdir/usr/pkg/lib/python3.9/site-packages/scipy/stats/tests/test_stats.py:
> > group-writable file.
>
> I find often that this is related to strangeness on using various
> unpacking programs on the distribution tarball, and perhaps
> disagreements about the format of metadata.   I would suggest looking at
> the distfile with various programs, and see what EXTRACT_USING ends up
> being.  Sometimes the distfile is in a format supported only by some of
> tar/pax/gtar/bsdtar/etc.
>
> If the distfile really has files with group/other write permissions,
> then it might be necessary to fix those after unpacking.  But probably
> if so you should report a bug upstream, as that creates a window when an
> attacker could change one of the files.
>
>
>
>
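
A read-only check of the permission bits stored in a distfile, as an added example that is not part of the original thread: it lists tar entries that are group- or other-writable and the mode each would get with a umask applied at extraction, without unpacking anything. The `demo-1.0` tarball is constructed in memory, and the function names and the 022 umask are assumptions.

```python
import io
import stat
import tarfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH  # 0o022

def build_sample_tarball():
    """Constructed sample: two entries archived as 0777, one as 0644."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, is_dir in [
            ("demo-1.0", 0o777, True),
            ("demo-1.0/README.rst", 0o777, False),
            ("demo-1.0/setup.py", 0o644, False),
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if is_dir:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"constructed sample\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_modes(fileobj, umask=0o022):
    """Return (name, archived mode, mode after umask) for every entry whose
    archived mode is group- or other-writable. Only metadata is read."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            mode = stat.S_IMODE(member.mode)
            if mode & WRITABLE_BY_OTHERS:
                # Assumed umask: the bits cleared when modes are not
                # restored verbatim from the archive.
                findings.append((member.name, mode, mode & ~umask))
    return findings

if __name__ == "__main__":
    for name, archived, masked in audit_modes(build_sample_tarball()):
        print(f"{name}: archived {archived:04o}, with umask {masked:04o}")
```

To check a real distfile, pass `open(path, "rb")` to `audit_modes`; an empty result means no entry carries group or other write bits.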

