NetBSD Problem Report #58113

From www@netbsd.org  Thu Apr  4 18:22:48 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 117571A9239
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  4 Apr 2024 18:22:48 +0000 (UTC)
Message-Id: <20240404182246.A05331A923B@mollari.NetBSD.org>
Date: Thu,  4 Apr 2024 18:22:46 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: cmake depends on curl and may use build-time network access
X-Send-Pr-Version: www-1.0

>Number:         58113
>Category:       pkg
>Synopsis:       cmake depends on curl and may use build-time network access
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 04 18:25:00 +0000 2024
>Last-Modified:  Thu Apr 04 21:55:01 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetBS CMake Featurecreepyation
>Environment:
>Description:
cmake pulls in a curl dependency, which there is no reason for any build tool to ever have:

# $NetBSD: Makefile,v 1.215 2023/11/19 17:16:27 adam Exp $
...
.include "../../www/curl/buildlink3.mk"

The commit message on devel/cmake/Makefile rev. 1.27 claims:

Author: wiz <wiz@pkgsrc.org>
Date:   Fri Feb 23 11:48:18 2007 +0000

    Update to 2.4.6:
    ...
    * Allow installed zlib, curl, expat, xmlrpc to be used.

It's not clear whether this is the _only_ reason cmake brings in a curl dependency.  Apparently cmake also by design does network access at build time:

https://cmake.org/cmake/help/latest/module/FetchContent.html

We should fix cmake to disable this design mistake so it

(a) doesn't bring in a curl dependency, and
(b) never even thinks about attempting network access.
>How-To-Repeat:
1. code inspection
2. build curl with brotli option
>Fix:
throw out cmake and start over

>Audit-Trail:
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/58113: cmake depends on curl and may use build-time network
 access
Date: Thu, 4 Apr 2024 23:23:33 +0200

 On Thu, Apr 04, 2024 at 06:25:00PM +0000, campbell+netbsd@mumble.net wrote:
 > We should fix cmake to disable this design mistake so it
 > 
 > (a) doesn't bring in a curl dependency, and
 > (b) never even thinks about attempting network access.

 It's an upstream feature that people might expect to have.

 I have no problem with an option that you can turn off if you want,
 and pkgsrc disabling it at build time, but we shouldn't limit what
 people use cmake (installed by pkgsrc) for outside of pkgsrc.
  Thomas

From: Taylor R Campbell <riastradh@NetBSD.org>
To: Thomas Klausner <wiz@NetBSD.org>
Cc: gnats-bugs@NetBSD.org, pkg-manager@NetBSD.org, gnats-admin@NetBSD.org,
	pkgsrc-bugs@NetBSD.org
Subject: Re: pkg/58113: cmake depends on curl and may use build-time network
	access
Date: Thu, 4 Apr 2024 21:50:32 +0000

 > Date: Thu,  4 Apr 2024 21:25:01 +0000 (UTC)
 > From: Thomas Klausner <wiz@NetBSD.org>
 >
 > On Thu, Apr 04, 2024 at 06:25:00PM +0000, campbell+netbsd@mumble.net wrote:
 > > We should fix cmake to disable this design mistake so it
 > >
 > > (a) doesn't bring in a curl dependency, and
 > > (b) never even thinks about attempting network access.
 >
 > It's an upstream feature that people might expect to have.
 >
 > I have no problem with an option that you can turn off if you want,
 > and pkgsrc disabling it at build time, but we shouldn't limit what
 > people use cmake (installed by pkgsrc) for outside of pkgsrc.

 Maybe it's useful for users to run outside of pkgsrc (seems extremely
 dubious to me, like a feature for decompressing an exploit payload in
 configure), but for use inside pkgsrc it violates policy about network
 access during builds.

 So we should either:

 (a) have an alternate package, say devel/cmake-local or
     devel/cmake-no-stupid-network-in-builds or whatever, and use that
     in pkgsrc for packages that are built with cmake (or rename the
     current one to devel/cmake-with-network-misfeatures); or

 (b) if not that, then find some way to disable any use of the network
     features when we invoke cmake in pkgsrc, like we do with meson
     (--wrap-mode=download).  (I thought we also did this with pip
     (PIP_ISOLATED=1, PIP_NO_DEPS=1, PIP_NO_INDEX=1, PIP_PROXY=0.0.0.0,
     &c.) and flit (FLIT_NO_NETWORK=1), but I can't find those now.)

 (Obviously it would also be ideal to block network access in the bulk
 build environment, too, but that serves more for detecting abuse of
 the build system than for configuring the build system to behave.)
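As an added example (not part of the PR thread, pkgsrc, or CMake itself), a small POSIX sh audit for option (b) above: it flags the CMake commands that can reach the network during a build and tells a packager whether CMake's documented FETCHCONTENT_FULLY_DISCONNECTED cache variable is enough to neutralise them. The command list and the sample project it scans are assumptions.

```shell
# Added example, not code from the PR thread or from pkgsrc: audit a CMake
# source tree for commands that can reach the network at configure/build time
# and say whether CMake's documented FETCHCONTENT_FULLY_DISCONNECTED switch
# covers what was found. Assumption: only the commands in NET_CMD_RE count.
# CMake command names are case-insensitive, hence grep -i below.
NET_CMD_RE='^[[:space:]]*(FetchContent_(Declare|Populate|MakeAvailable)|ExternalProject_Add|file[[:space:]]*\([[:space:]]*(DOWNLOAD|UPLOAD))'
NO_SWITCH_RE='ExternalProject_Add|file[[:space:]]*\([[:space:]]*(DOWNLOAD|UPLOAD)'

# Print "path:line:text" for every network-capable command found under $1.
cmake_net_audit() {
    find "$1" -type f \( -name CMakeLists.txt -o -name '*.cmake' \) \
        -exec grep -n -E -i "$NET_CMD_RE" /dev/null {} + | sort
}

# Number of hits as a bare integer.
cmake_net_hits() {
    cmake_net_audit "$1" | wc -l | tr -d ' '
}

# clean: nothing found.  disconnectable: only FetchContent, which
# -DFETCHCONTENT_FULLY_DISCONNECTED=ON turns off at configure time.
# needs-patch: file(DOWNLOAD)/ExternalProject_Add have no such global switch,
# so the package needs a patch or a network-denied build sandbox.
cmake_net_verdict() {
    hits=$(cmake_net_audit "$1")
    [ -n "$hits" ] || { echo clean; return 0; }
    if printf '%s\n' "$hits" | grep -q -E -i "$NO_SWITCH_RE"; then
        echo needs-patch
    else
        echo disconnectable
    fi
}

# Constructed sample project (hypothetical, example.invalid URLs); $d/empty
# stays empty to show the clean case.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/cmakeaudit.XXXXXX")
    mkdir "$d/cmake" "$d/empty"
    cat >"$d/CMakeLists.txt" <<'EOF'
cmake_minimum_required(VERSION 3.14)
project(demo C)
include(FetchContent)
FetchContent_Declare(zlib URL https://example.invalid/zlib.tar.gz)
fetchcontent_makeavailable(zlib)
EOF
    echo 'file(DOWNLOAD https://example.invalid/blob.bin blob.bin)' >"$d/cmake/deps.cmake"
    echo 'set(FOO ON)' >"$d/cmake/safe.cmake"
    echo "$d"
}
# Stand-alone run on the sample tree; its verdict is needs-patch.
tree=$(make_sample_tree); cmake_net_audit "$tree"; cmake_net_verdict "$tree"; rm -rf "$tree"
```

Run it against a package's extracted source tree instead of the sample to decide whether passing the FetchContent switch in the pkgsrc cmake invocation is sufficient or a patch is needed.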
