Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
Thanks for the additional info, and for the patch in the first place. I'll upload it asap. Thx, Mt. signature.asc Description: PGP signature
Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
On Fri, Jul 16, 2021 at 09:02:44PM +0200, Martin Quinson wrote: > I'm sorry to ask, but I fear I need additional information, please. > It seems to me that this patch merely circumvent the change in > ImageMagik to allow the handling of eps file during the construction > of the package. Am I right, or is it only disabling the dangerous > parts of the converter while retrieving the parts we need? > > Sorry to ask, I'm very bad with ImageMagik. > > Even if it's re-enabling the conversion of eps files for the package > building, I guess that this is a good emergency solution to not delay > the release too much, provided that we trust the eps files that come > with ns-3. Thanks for the proposal. You have to trust the EPS files in your package like everything else anyway. AIUI the restriction in /etc/ImageMagick-6/policy.xml exists as a stop-gap to keep people from accidentally running ImageMagick on untrusted input (e.g. shoddily-written CGI scripts that don't sanitize input correctly). Seccomp filters would be a better approach, but since ImageMagick has to also work under Windows that's unlikely to ever happen. If ImageMagick were too dangerous to use even on trusted input then shipping it at all wouldn't make any sense. > But I would prefer not to live with such a complex and even somewhat > dangerous patch in my package, so I'm curious about other solutions > that would allow to convert eps to png without ImageMagik. Maybe using > gimp and Script-Fu? pdftoppm from poppler-utils is another option. Ubuntu's version of sctk has a patch for that: https://patches.ubuntu.com/s/sctk/sctk_2.4.10-20151007-1312Z+dfsg2-3ubuntu1.patch (But I don't believe for a single second that that parser is any safer than what comes in ImageMagick.) Regards
Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
Hello, I'm sorry to ask, but I fear I need additional information, please. It seems to me that this patch merely circumvent the change in ImageMagik to allow the handling of eps file during the construction of the package. Am I right, or is it only disabling the dangerous parts of the converter while retrieving the parts we need? Sorry to ask, I'm very bad with ImageMagik. Even if it's re-enabling the conversion of eps files for the package building, I guess that this is a good emergency solution to not delay the release too much, provided that we trust the eps files that come with ns-3. Thanks for the proposal. But I would prefer not to live with such a complex and even somewhat dangerous patch in my package, so I'm curious about other solutions that would allow to convert eps to png without ImageMagik. Maybe using gimp and Script-Fu? Thanks for that patch anyway, Mt Le Fri, Jul 16, 2021 at 06:21:21PM +0200, Dennis Filder a écrit : > Control: tag -1 patch > > With this patch the build finished for me. > > Regards, > Dennis Filder > Description: Override overly strict ImageMagick security policy (#987504) > This patch derives a more permissive ImageMagick security policy from > the system default. > Author: Dennis Filder > Last-Update: 2021-07-16 > Bug-Debian: https://bugs.debian.org/991061 > --- a/ns-3.31/doc/models/Makefile > +++ b/ns-3.31/doc/models/Makefile > @@ -496,6 +496,8 @@ > > RESCALE = ../../utils/rescale-pdf.sh > > +POLFILE = "/etc/$(shell convert -version|sed -n '/^Version: /s@Version: > ImageMagick \([[:digit:]]\+\)\..*@ImageMagick-\1@p')/policy.xml" > + > %.eps : %.dia > @echo dia $(notdir $<) > @$(DIA) -t eps $< -e $@ >/dev/null > @@ -506,7 +508,9 @@ > > %.png : %.eps > @echo convert $(notdir $<) > - @$(CONVERT) $< $@ >/dev/null > + test -d ../../../debian/tmp/ImageMagick || mkdir -p > ../../../debian/tmp/ImageMagick > + test -f ../../../debian/tmp/ImageMagick/policy.xml || sed -e '/ domain="coder" rights="none" pattern="PS" .>/s@"none"@"read|write"@' > "$(POLFILE)" > ../../../debian/tmp/ImageMagick/policy.xml > + XDG_CONFIG_HOME="$(shell pwd)/../../../debian/tmp" $(CONVERT) $< $@ > >/dev/null > > %.pdf : %.eps > @echo epstopdf $(notdir $<) > @@ -556,6 +560,7 @@ > clean: > -rm -rf $(BUILDDIR)/* > -rm -rf $(SOURCETEMP) > + -rm -Rf ../../../debian/tmp/ImageMagick > > frag: pickle > @if test ! -d $(BUILDDIR)/frag; then mkdir $(BUILDDIR)/frag; fi -- The web was not envisioned as a form of television when it was invented. But, like it or not, it is rapidly resembling TV: linear, passive, programmed and inward-looking. -- Hossein Derakhshan https://medium.com/matter/the-web-we-have-to-save-2eb1fe15a426 signature.asc Description: PGP signature
Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
Control: tag -1 patch With this patch the build finished for me. Regards, Dennis Filder Description: Override overly strict ImageMagick security policy (#987504) This patch derives a more permissive ImageMagick security policy from the system default. Author: Dennis Filder Last-Update: 2021-07-16 Bug-Debian: https://bugs.debian.org/991061 --- a/ns-3.31/doc/models/Makefile +++ b/ns-3.31/doc/models/Makefile @@ -496,6 +496,8 @@ RESCALE = ../../utils/rescale-pdf.sh +POLFILE = "/etc/$(shell convert -version|sed -n '/^Version: /s@Version: ImageMagick \([[:digit:]]\+\)\..*@ImageMagick-\1@p')/policy.xml" + %.eps : %.dia @echo dia $(notdir $<) @$(DIA) -t eps $< -e $@ >/dev/null @@ -506,7 +508,9 @@ %.png : %.eps @echo convert $(notdir $<) - @$(CONVERT) $< $@ >/dev/null + test -d ../../../debian/tmp/ImageMagick || mkdir -p ../../../debian/tmp/ImageMagick + test -f ../../../debian/tmp/ImageMagick/policy.xml || sed -e '//s@"none"@"read|write"@' "$(POLFILE)" > ../../../debian/tmp/ImageMagick/policy.xml + XDG_CONFIG_HOME="$(shell pwd)/../../../debian/tmp" $(CONVERT) $< $@ >/dev/null %.pdf : %.eps @echo epstopdf $(notdir $<) @@ -556,6 +560,7 @@ clean: -rm -rf $(BUILDDIR)/* -rm -rf $(SOURCETEMP) + -rm -Rf ../../../debian/tmp/ImageMagick frag: pickle @if test ! -d $(BUILDDIR)/frag; then mkdir $(BUILDDIR)/frag; fi
Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
Hello, thanks for the report. I've read through the bugs both in debian and ubuntu, and I found the location of the issue in the package (ns3 is quite a large package). ns-3.31/doc/models/Makefile reads (many lines omitted): ``` CONVERT = convert # specify figures from which .png and .pdf figures need to be # generated (all dia and eps figures) IMAGES_EPS = \ $(FIGURES)/lena-dual-stripe.eps \ %.png : %.eps @echo convert $(notdir $<) @$(CONVERT) $< $@ >/dev/null ``` Now, the question is about what is the best move from here. I cannot do as in the bug I've seen by Ubuntu where the eps doc was disabled, as we use(d) convert to move the other way around, eps -> png. Is there another way to convert eps to png that I could use (according to google, ImageMagik is THE way to go here), or shall I ship a broken documentation? Any advice would be welcome here. Thanks, Mt. - Le 13 Juil 21, à 15:59, Adrian Bunk b...@debian.org a écrit : > Source: ns3 > Version: 3.29+dfsg-3 > Severity: serious > Tags: ftbfs > > https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ns3.html > > ... > convert lena-dual-stripe.eps > convert-im6.q16: attempt to perform an operation not allowed by the security > policy `PS' @ error/constitute.c/IsCoderAuthorized/408. > convert-im6.q16: no images defined `source-temp/figures/lena-dual-stripe.png' > @ > error/convert.c/ConvertImageCommand/3258. > make[2]: *** [Makefile:475: source-temp/figures/lena-dual-stripe.png] Error 1 > > > See #987504 for background.
Bug#991061: ns3 FTBFS with imagemagick with the #987504 change
Source: ns3 Version: 3.29+dfsg-3 Severity: serious Tags: ftbfs https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ns3.html ... convert lena-dual-stripe.eps convert-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408. convert-im6.q16: no images defined `source-temp/figures/lena-dual-stripe.png' @ error/convert.c/ConvertImageCommand/3258. make[2]: *** [Makefile:475: source-temp/figures/lena-dual-stripe.png] Error 1 See #987504 for background.
