Bug 276031 - graphics/oidn: fetch target tries to execute from $DISTDIR
Summary: graphics/oidn: fetch target tries to execute from $DISTDIR
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Yuri Victorovich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-31 02:25 UTC by Chad Jacob Milios
Modified: 2024-07-13 18:33 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (yuri)

Attachments
git diff graphics/oidn (631 bytes, patch)
2023-12-31 02:25 UTC, Chad Jacob Milios 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chad Jacob Milios 2023-12-31 02:25:09 UTC 
Created attachment 247365 [details]
git diff graphics/oidn

I have /usr/ports/distfiles mounted noexec and while i realize that in and of itself is no security panacea i'd like to keep it that way as part of a broader defense in depth policy

At any rate, none of the other 3000+ ports i build for my organization try to invoke any executable from ${DISTDIR} and I think we just might be able to agree that none should.

So, upon investigating this case, I have determined the executable in question to effectively be one big NOOP. The attached patch merely adds --no-checkout to the `git clone` operation (in its short form, -n) to bypass the error altogether while creating an identical tarball. Admittedly, this quick fix renders the construct being used by the pre-fetch target here to be less robust and flexible in the face of hypothetical future updates to the origin distribution repository.

I like the method and practice the pre-fetch construct in this port employs to create a reproducible distfile. If it is known by anyone reading to be a useful or common construct I would be happy to further investigate or participate in deciding/writing a more robust and generic solution.

===>  Cleaning for oidn-2.1.0
===>  License APACHE20 accepted by the user
==> Fetching the oidn/weights subproject with large LFS files
Downloading rt_alb.tza (1.8 MB)
Downloading rt_hdr.tza (1.8 MB)
Downloading rt_hdr_alb.tza (1.8 MB)
Downloading rt_hdr_alb_nrm.tza (1.8 MB)
Downloading rt_hdr_calb_cnrm.tza (1.8 MB)
Downloading rt_ldr.tza (1.8 MB)
Downloading rt_ldr_alb.tza (1.8 MB)
Downloading rt_ldr_alb_nrm.tza (1.8 MB)
Downloading rt_ldr_calb_cnrm.tza (1.8 MB)
Downloading rt_nrm.tza (1.8 MB)
Downloading rtlightmap_dir.tza (1.8 MB)
Downloading rtlightmap_hdr.tza (1.8 MB)
fatal: cannot exec '/usr/ports/distfiles/oidn-weights-4322c25e25a05584f65da1a4be5cef40a4b2e90b/.git/hooks/post-checkout': Permission denied
*** Error code 1

Stop.
make: stopped in /usr/ports/graphics/oidn
root@matrix:~ # mount|grep distfiles
neo/os/FreeBSD/ports/distfiles on /usr/ports/distfiles (zfs, local, noatime, noexec, nosuid, nfsv4acls)
root@matrix:~ #
Comment 1 Yuri Victorovich freebsd_committer freebsd_triage 2024-07-13 18:33:02 UTC 
Committed, thanks!
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-07-13 18:33:56 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=23022411d3fd9b38ed39506842fe9c52408cb6b2

commit 23022411d3fd9b38ed39506842fe9c52408cb6b2
Author:     Chad Jacob Milios <milios@ccsys.com>
AuthorDate: 2024-07-13 18:29:16 +0000
Commit:     Yuri Victorovich <yuri@FreeBSD.org>
CommitDate: 2024-07-13 18:32:28 +0000

    graphics/oidn: Prevent execution of git hooks from $DISTDIR during fetch

    PR:             276031

 graphics/oidn/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)