From patchwork Fri Nov 11 20:15:02 2022
X-Patchwork-Submitter: Ontje.Luensdorf@dlr.de
X-Patchwork-Id: 44462
Subject: [bug#59202] [PATCH] python-check-manifest: Relax git security settings in tests.
To: 59202@debbugs.gnu.org
Date: Fri, 11 Nov 2022 20:15:02 +0000
Message-ID: <87cz9txn7e.fsf@dlr.de>

Hi Guix,

the git security fixes for CVE-2022-39253 break submodule tests in
python-check-manifest. This patch works around the issue by disabling the
security check in the check phase.

Best regards,
Ontje

From 3de0d326956fa551a3dad6d65f6fabd9ff4282b3 Mon Sep 17 00:00:00 2001
From: Ontje Lünsdorf
Date: Fri, 11 Nov 2022 21:09:21 +0100
Subject: [PATCH] gnu: python-check-manifest: Relax git security settings in tests.

* gnu/packages/python-xyz.scm (python-check-manifest)[arguments]: Allow git
submodule commands via file protocol during testing.

--- gnu/packages/python-xyz.scm | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index e26656fa32..857e4fc207 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm
@@ -25580,6 +25580,17 @@ (define-public python-check-manifest (build-system python-build-system) (native-inputs (list python-mock git)) + (arguments + `(#:phases + (modify-phases %standard-phases + ;; Tests use git submodule commands over the file transport, which + ;; has been disabled in git, see CVE-2022-39253. Enable these + ;; commands to allow checks to succeed. + (add-before 'check 'allow-git-submodule-add + (lambda _ + (setenv "HOME" "/tmp") + (invoke "git" "config" "--global" + "protocol.file.allow" "always")))))) (home-page "https://github.com/mgedmin/check-manifest") (synopsis "Check MANIFEST.in in a Python source package for completeness") (description "Python package can include a MANIFEST.in file to help with -- 2.38.1
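
Review bot: In the added 'allow-git-submodule-add phase, `git config --global protocol.file.allow always` only stays confined to the build because of the preceding `(setenv "HOME" "/tmp")`, and the comment does not say so. Please extend the comment to state that HOME is redirected so that the relaxed setting is written to a throwaway config used by the tests only; otherwise a later cleanup that drops or changes the setenv would silently change where the `--global` write goes. If you would rather not write a config file at all, git also accepts configuration from the environment, so the phase could set `GIT_CONFIG_COUNT` to "1", `GIT_CONFIG_KEY_0` to "protocol.file.allow" and `GIT_CONFIG_VALUE_0` to "always" with `setenv` instead of invoking `git config`. The comment's wording "has been disabled in git" would also read more precisely as "is no longer allowed by default", since the patch itself re-enables the transport through an existing setting.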