Build failed in Jenkins: Build branch "master" » ubuntu-xenial-qt4-autotools #1438

[ci-lyx]

https://ci.inria.fr/lyx/job/build-master-head/job/ubuntu-xenial-qt4-autotools/1438/Changes:

[spitz] LuaTeX (luabidi) does not swap table columns

--
Started by an SCM change
Building remotely on lyx-linux6 (linux) in workspace 

[WS-CLEANUP] Deleting project workspace...
[WS-CLEANUP] Done
Cloning the remote Git repository
Using shallow clone
Avoid fetching tags
Honoring refspec on initial clone
Cloning repository git://git.lyx.org/lyx.git
 > git init 
 > 
 >  # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git --version # timeout=10
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # 
 > timeout=10
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/refs/heads/master^{commit} # timeout=10
Checking out Revision 6f8db58778fc9851b85878e2db305bb0f897f7da 
(refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 6f8db58778fc9851b85878e2db305bb0f897f7da
 > git rev-list a95339c6e1d9f15390a2734b7cc94b57282e740b # timeout=10
[ubuntu-xenial-qt4-autotools] $ /bin/sh -xe /tmp/hudson2463736198965552249.sh
+ IMAGE=lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools
+ C_BUILD=/build
+ C_WS=/build/workspace
+ C_SCRIPT=/build/build_lyx.sh
+ docker run --rm -v 
:/build/workspace
 lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools /build/build_lyx.sh 
/build/workspace
docker: Error response from daemon: failed to start shim: exec: 
"docker-containerd-shim": executable file not found in $PATH: unknown.
time="2019-07-11T01:53:05+02:00" level=error msg="error waiting for container: 
context canceled"
Build step 'Execute shell' marked build as failure

Build failed in Jenkins: Build branch "master" » ubuntu-xenial-qt4-autotools-extended #1658

[ci-lyx]

https://ci.inria.fr/lyx/job/build-master-head/job/ubuntu-xenial-qt4-autotools-extended/1658/--
Started by an SCM change
Building remotely on lyx-linux6 (linux) in workspace 

[WS-CLEANUP] Deleting project workspace...
Cloning the remote Git repository
Using shallow clone
Avoid fetching tags
Honoring refspec on initial clone
Cloning repository git://git.lyx.org/lyx.git
 > git init 
 > 
 >  # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git --version # timeout=10
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # 
 > timeout=10
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/refs/heads/master^{commit} # timeout=10
Checking out Revision 6f8db58778fc9851b85878e2db305bb0f897f7da 
(refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 6f8db58778fc9851b85878e2db305bb0f897f7da
 > git rev-list 0922aa0072c7fd4b1e899e3b96875b8e5e05575b # timeout=10
First time build. Skipping changelog.
[ubuntu-xenial-qt4-autotools-extended] $ /bin/sh -xe 
/tmp/hudson444210817075595.sh
+ IMAGE=lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools
+ C_BUILD=/build
+ C_WS=/build/workspace
+ C_SCRIPT=/build/build_lyx_extended.sh
+ docker run --rm -v 
:/build/workspace
 lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools 
/build/build_lyx_extended.sh /build/workspace
docker: Error response from daemon: failed to start shim: exec: 
"docker-containerd-shim": executable file not found in $PATH: unknown.
time="2019-07-11T01:51:59+02:00" level=error msg="error waiting for container: 
context canceled"
+ sudo -S chown ci:ci 

+ echo ci
[sudo] password for ci: + exit 1
Build step 'Execute shell' marked build as failure

Re: ImageMagick security settings in openSUSE

[Cor Blom]

Op 10-07-19 om 16:51 schreef Pavel Sanda:

I'm not sure for how big percentage of userbase I speak of but to butcher
postscript processing renders lyx quite unusable imho, so question is to
whether suse wants lyx in its repositories at all if this does not work...
So if it was on me would rather ask for removing lyx from your official
repos and let only advanced users to fetch from alternative sources and
tweak settings -- because delivering half non functional lyx just give
us bad reputation.
But again, that's due to my way of using lyx, don't take this as official
lyx team stand point:)


Personally I use LyX with openSUSE's hardened ImageMagick without any 
problems. I would not have noticed the issue with ImageMagick had it not 
been reported as a bug.


I am not really afraid for the reputation of LyX. I think users who are 
confronted by this will blame (open)SUSE (or understand it). In the 
meantime I try to spread the information in different, relevant places, 
so that it can hopefully be found.


Thanks for your input.

Cor

Re: ImageMagick security settings in openSUSE

[Pavel Sanda]

On Wed, Jul 10, 2019 at 08:58:58PM +0200, Cor Blom wrote:
> Op 10-07-19 om 16:51 schreef Pavel Sanda:
>> Can't you simply demand this 'alternative configuration' as dependency 
>> when lyx is installed?
>
> I can try this. The reason for this security policy has been explained to 
> me, so I have little hope. But who knows...

Let's see. I can understand that you don't want any risk on a production server,
but you don't want lyx there neither.

> I have updated the wiki with the relevant information:
>
> https://wiki.lyx.org/LyX/LyXOnOpenSUSE
>
> It need the confirmation of a link.

Confirmed.
For now, 
Pavel

Re: ImageMagick security settings in openSUSE

[Cor Blom]

Op 10-07-19 om 16:51 schreef Pavel Sanda:

Can't you simply demand this 'alternative configuration' as dependency when
lyx is installed?


I can try this. The reason for this security policy has been explained 
to me, so I have little hope. But who knows...


I have updated the wiki with the relevant information:

https://wiki.lyx.org/LyX/LyXOnOpenSUSE

It need the confirmation of a link.

Thanks,

Cor

Build failed in Jenkins: Build branch "master" » ubuntu-latest-qt5-cmake #1732

[ci-lyx]

https://ci.inria.fr/lyx/job/build-master-head/job/ubuntu-latest-qt5-cmake/1732/--
Started by an SCM change
Building remotely on lyx-linux6 (linux) in workspace 

[WS-CLEANUP] Deleting project workspace...
[WS-CLEANUP] Done
Cloning the remote Git repository
Using shallow clone
Avoid fetching tags
Honoring refspec on initial clone
Cloning repository git://git.lyx.org/lyx.git
 > git init 
 > 
 >  # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git --version # timeout=10
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # 
 > timeout=10
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/refs/heads/master^{commit} # timeout=10
Checking out Revision a95339c6e1d9f15390a2734b7cc94b57282e740b 
(refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f a95339c6e1d9f15390a2734b7cc94b57282e740b
 > git rev-list 0922aa0072c7fd4b1e899e3b96875b8e5e05575b # timeout=10
First time build. Skipping changelog.
[ubuntu-latest-qt5-cmake] $ /bin/sh -xe /tmp/hudson2275608510764460345.sh
+ IMAGE=lyxproject/build-lyx-using-ubuntu-latest-qt5-cmake
+ SRC=/build/lyx
+ docker run --rm -v 
:/build/lyx
 lyxproject/build-lyx-using-ubuntu-latest-qt5-cmake /build/build_lyx.sh 
/build/lyx
docker: Error response from daemon: failed to start shim: exec: 
"docker-containerd-shim": executable file not found in $PATH: unknown.
time="2019-07-10T19:13:20+02:00" level=error msg="error waiting for container: 
context canceled"
Build step 'Execute shell' marked build as failure
Build does not meet criteria for workspace archiving - result is not at least 
SUCCESS.

Build failed in Jenkins: Build branch "master" » ubuntu-xenial-qt4-autotools #1437

[ci-lyx]

https://ci.inria.fr/lyx/job/build-master-head/job/ubuntu-xenial-qt4-autotools/1437/Changes:

[spitz] Fix right and left layout alignment (in workarea) with RTL

[spitz] LuaTeX (luabidi) does not correct directions

--
Started by an SCM change
Building remotely on lyx-linux6 (linux) in workspace 

[WS-CLEANUP] Deleting project workspace...
[WS-CLEANUP] Done
Cloning the remote Git repository
Using shallow clone
Avoid fetching tags
Honoring refspec on initial clone
Cloning repository git://git.lyx.org/lyx.git
 > git init 
 > 
 >  # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git --version # timeout=10
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # 
 > timeout=10
 > git config remote.origin.url git://git.lyx.org/lyx.git # timeout=10
Fetching upstream changes from git://git.lyx.org/lyx.git
 > git fetch --no-tags --progress git://git.lyx.org/lyx.git 
 > +refs/heads/*:refs/remotes/origin/* --depth=1
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/refs/heads/master^{commit} # timeout=10
Checking out Revision a95339c6e1d9f15390a2734b7cc94b57282e740b 
(refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f a95339c6e1d9f15390a2734b7cc94b57282e740b
 > git rev-list 0922aa0072c7fd4b1e899e3b96875b8e5e05575b # timeout=10
[ubuntu-xenial-qt4-autotools] $ /bin/sh -xe /tmp/hudson3270215102120368982.sh
+ IMAGE=lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools
+ C_BUILD=/build
+ C_WS=/build/workspace
+ C_SCRIPT=/build/build_lyx.sh
+ docker run --rm -v 
:/build/workspace
 lyxproject/build-lyx-using-ubuntu-xenial-qt4-autotools /build/build_lyx.sh 
/build/workspace
docker: Error response from daemon: failed to start shim: exec: 
"docker-containerd-shim": executable file not found in $PATH: unknown.
Build step 'Execute shell' marked build as failure

Re: ImageMagick security settings in openSUSE

[Pavel Sanda]

On Wed, Jul 10, 2019 at 03:47:26PM +0200, Cor Blom wrote:
> The following message describes the situation for openSUSE Leap 15.0, but 
> it is also true for 15.1 and Tumbleweed:
>
> https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html
>
> In short: the user can install an alternative configuration for IM that 
> enables postscript related stuff (and other things), following upstream IM 
> setting. The default SUSE setting are very strict.

Can't you simply demand this 'alternative configuration' as dependency when
lyx is installed?

I'm not sure for how big percentage of userbase I speak of but to butcher
postscript processing renders lyx quite unusable imho, so question is to
whether suse wants lyx in its repositories at all if this does not work...
So if it was on me would rather ask for removing lyx from your official
repos and let only advanced users to fetch from alternative sources and
tweak settings -- because delivering half non functional lyx just give
us bad reputation. 
But again, that's due to my way of using lyx, don't take this as official
lyx team stand point :)

> In general postscript does not work out of the box on openSUSE for security 
> reasons nowadays, but the user can enable this by installing additional 
> packages.
>
> I hope this give enough information. There is not much more that can be 
> done. Maybe this information can be added to the LyX wiki also?

You can add there whatever feels right, no one understands suse+lyx
situation better than you do.

Pavel

Re: ImageMagick security settings in openSUSE

[Cor Blom]

Op 10-07-19 om 15:30 schreef Pavel Sanda:

On Wed, Jul 03, 2019 at 03:43:06PM +0200, Cor Blom wrote:

Dear LyX devs,

Because of the following bug

https://bugzilla.opensuse.org/show_bug.cgi?id=1139928

I have become aware of the strict security settings in openSUSE which
limits capabilities of ImageMagick. There is an alternative setting that
the user can activate, but most users will not know this.


Is this security measure sideeffect of ghostscript problems from last september?

As far as I understood the total ban of conversions was just temporary measure
which should be lifted once the individual CVEs were resolved. I believe both
upstream and other distros already lifted it.


I am just writing this, so you are aware of this. I don't know a solution.


In decreasing order:
- Can't you just file suse-related bug to remove the ban?
- Can't you pull/set different IM config iff lyx is installed?
- Can't you trigger some message if lyx is installed so user is at least know
   how to fix it.

If nothing of this work, we could add some note to our release notes
that users of open suse need to fix IM settings.

Pavel



The following message describes the situation for openSUSE Leap 15.0, 
but it is also true for 15.1 and Tumbleweed:


https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html

In short: the user can install an alternative configuration for IM that 
enables postscript related stuff (and other things), following upstream 
IM setting. The default SUSE setting are very strict.


I have added a README.SUSE to the package and refer to that in the 
description that explains the situation and tells the user the options 
he has. It has been discussed on the openSUSE Factory mailinglist, but 
the suggestion how to inform users is what I have done. See:


https://build.opensuse.org/request/show/713564

I came accross this because a bug was filed that eps preview was not 
working. This is not really my area of expertise. As far as I can see, 
the situation in (open)SUSE will remain as it is. This means the user 
either installs an alternative configuration for ImageMagick, or edits 
security pollicy settings for IM manually.


In general postscript does not work out of the box on openSUSE for 
security reasons nowadays, but the user can enable this by installing 
additional packages.


I hope this give enough information. There is not much more that can be 
done. Maybe this information can be added to the LyX wiki also?


Kind regards,

Cor

Re: ImageMagick security settings in openSUSE

[Pavel Sanda]

On Wed, Jul 03, 2019 at 03:43:06PM +0200, Cor Blom wrote:
> Dear LyX devs,
>
> Because of the following bug
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1139928
>
> I have become aware of the strict security settings in openSUSE which 
> limits capabilities of ImageMagick. There is an alternative setting that 
> the user can activate, but most users will not know this.

Is this security measure sideeffect of ghostscript problems from last september?

As far as I understood the total ban of conversions was just temporary measure
which should be lifted once the individual CVEs were resolved. I believe both
upstream and other distros already lifted it.

> I am just writing this, so you are aware of this. I don't know a solution.

In decreasing order:
- Can't you just file suse-related bug to remove the ban?
- Can't you pull/set different IM config iff lyx is installed?
- Can't you trigger some message if lyx is installed so user is at least know
  how to fix it.

If nothing of this work, we could add some note to our release notes
that users of open suse need to fix IM settings.

Pavel