Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gdal: switch to openexr_3 #366939

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

gdal: switch to openexr_3 #366939

wants to merge 1 commit into from
+2 −2

Conversation

autra
Copy link
Contributor

@autra autra commented Dec 20, 2024
edited
Loading

There are several CVEs affecting openexr v2 and it seems to disturb people. As gdal supports openexr v3, let's live in the future and upgrade this dep.

Fix #366916

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 101-500 labels Dec 20, 2024
@ofborg ofborg bot added the 11.by: package-maintainer This PR was created by the maintainer of the package it changes label Dec 21, 2024
@imincik
Copy link
Contributor

imincik commented Dec 21, 2024
edited
Loading

I agree with this change. Thanks for acting on this so quickly @autra . Running nixpkgs-review now.

@LeSuisse
Copy link
Contributor

Flagging as security related.

@LeSuisse LeSuisse added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-24.11 Backport PR automatically labels Dec 21, 2024
@imincik
Copy link
Contributor

imincik commented Dec 21, 2024

Result of nixpkgs-review pr 366939 run on x86_64-linux 1

15 packages marked as broken and skipped:
  • python311Packages.python-mapnik
  • python311Packages.python-mapnik.dist
  • python311Packages.rio-tiler
  • python311Packages.rio-tiler.dist
  • python311Packages.worldengine
  • python311Packages.worldengine.dist
  • python312Packages.python-mapnik
  • python312Packages.python-mapnik.dist
  • python312Packages.rio-tiler
  • python312Packages.rio-tiler.dist
  • python312Packages.shimmy
  • python312Packages.shimmy.dist
  • python312Packages.worldengine
  • python312Packages.worldengine.dist
  • t-rex
1 package failed to build:
  • apacheHttpdPackages.mod_tile
162 packages built:
  • cloudcompare
  • entwine
  • gdal (python312Packages.gdal)
  • gdalMinimal
  • gmt
  • gplates
  • grass
  • mapcache
  • mapnik
  • mapproxy
  • mapproxy.dist
  • mapserver
  • merkaartor
  • mysql-workbench
  • octavePackages.mapping
  • openorienteering-mapper
  • otb
  • paraview
  • pdal
  • perl538Packages.Tirex
  • perl538Packages.Tirex.devdoc
  • perl540Packages.Tirex
  • perl540Packages.Tirex.devdoc
  • postgresql13JitPackages.postgis
  • postgresql13JitPackages.postgis.doc
  • postgresql13Packages.postgis
  • postgresql13Packages.postgis.doc
  • postgresql14JitPackages.postgis
  • postgresql14JitPackages.postgis.doc
  • postgresql14Packages.postgis
  • postgresql14Packages.postgis.doc
  • postgresql15JitPackages.postgis
  • postgresql15JitPackages.postgis.doc
  • postgresql15Packages.postgis
  • postgresql15Packages.postgis.doc
  • postgresql16JitPackages.postgis
  • postgresql16JitPackages.postgis.doc
  • postgresql16Packages.postgis
  • postgresql16Packages.postgis.doc
  • postgresql17JitPackages.postgis
  • postgresql17JitPackages.postgis.doc
  • postgresql17Packages.postgis
  • postgresql17Packages.postgis.doc
  • python311Packages.bsuite
  • python311Packages.bsuite.dist
  • python311Packages.cartopy
  • python311Packages.cartopy.dist
  • python311Packages.django-bootstrap4
  • python311Packages.django-bootstrap4.dist
  • python311Packages.django-bootstrap5
  • python311Packages.django-bootstrap5.dist
  • python311Packages.drf-extra-fields
  • python311Packages.drf-extra-fields.dist
  • python311Packages.fiona
  • python311Packages.fiona.dist
  • python311Packages.folium
  • python311Packages.folium.dist
  • python311Packages.gdal
  • python311Packages.geoarrow-pandas
  • python311Packages.geoarrow-pandas.dist
  • python311Packages.geoarrow-pyarrow
  • python311Packages.geoarrow-pyarrow.dist
  • python311Packages.geodatasets
  • python311Packages.geodatasets.dist
  • python311Packages.geopandas
  • python311Packages.geopandas.dist
  • python311Packages.geoparquet
  • python311Packages.geoparquet.dist
  • python311Packages.inequality
  • python311Packages.inequality.dist
  • python311Packages.libpysal
  • python311Packages.libpysal.dist
  • python311Packages.mapclassify
  • python311Packages.mapclassify.dist
  • python311Packages.momepy
  • python311Packages.momepy.dist
  • python311Packages.morecantile
  • python311Packages.morecantile.dist
  • python311Packages.msticpy
  • python311Packages.msticpy.dist
  • python311Packages.netbox-documents
  • python311Packages.netbox-documents.dist
  • python311Packages.osmnx
  • python311Packages.osmnx.dist
  • python311Packages.plotnine
  • python311Packages.plotnine.dist
  • python311Packages.pygmt
  • python311Packages.pygmt.dist
  • python311Packages.pyogrio
  • python311Packages.pyogrio.dist
  • python311Packages.rasterio
  • python311Packages.rasterio.dist
  • python311Packages.rioxarray
  • python311Packages.rioxarray.dist
  • python311Packages.shimmy
  • python311Packages.shimmy.dist
  • python311Packages.wktutils
  • python311Packages.wktutils.dist
  • python312Packages.bsuite
  • python312Packages.bsuite.dist
  • python312Packages.cartopy
  • python312Packages.cartopy.dist
  • python312Packages.django-bootstrap4
  • python312Packages.django-bootstrap4.dist
  • python312Packages.django-bootstrap5
  • python312Packages.django-bootstrap5.dist
  • python312Packages.drf-extra-fields
  • python312Packages.drf-extra-fields.dist
  • python312Packages.fiona
  • python312Packages.fiona.dist
  • python312Packages.folium
  • python312Packages.folium.dist
  • python312Packages.geoarrow-pandas
  • python312Packages.geoarrow-pandas.dist
  • python312Packages.geoarrow-pyarrow
  • python312Packages.geoarrow-pyarrow.dist
  • python312Packages.geodatasets
  • python312Packages.geodatasets.dist
  • python312Packages.geopandas
  • python312Packages.geopandas.dist
  • python312Packages.geoparquet
  • python312Packages.geoparquet.dist
  • python312Packages.inequality
  • python312Packages.inequality.dist
  • python312Packages.libpysal
  • python312Packages.libpysal.dist
  • python312Packages.mapclassify
  • python312Packages.mapclassify.dist
  • python312Packages.momepy
  • python312Packages.momepy.dist
  • python312Packages.morecantile
  • python312Packages.morecantile.dist
  • python312Packages.msticpy
  • python312Packages.msticpy.dist
  • python312Packages.netbox-documents
  • python312Packages.netbox-documents.dist
  • python312Packages.osmnx
  • python312Packages.osmnx.dist
  • python312Packages.plotnine
  • python312Packages.plotnine.dist
  • python312Packages.pygmt
  • python312Packages.pygmt.dist
  • python312Packages.pyogrio
  • python312Packages.pyogrio.dist
  • python312Packages.rasterio
  • python312Packages.rasterio.dist
  • python312Packages.rioxarray
  • python312Packages.rioxarray.dist
  • python312Packages.wktutils
  • python312Packages.wktutils.dist
  • pytrainer
  • pytrainer.dist
  • qgis
  • qgis-ltr
  • qmapshack
  • saga
  • sumo
  • survex
  • therion
  • tunnelx
  • udig
  • vpv

imincik
imincik approved these changes Dec 22, 2024
View reviewed changes
Copy link
Contributor

@imincik imincik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. nixpkgs-review is passing .

@imincik
Copy link
Contributor

imincik commented Dec 22, 2024
edited
Loading

I think, even more correct solution would be to update default openexr version from 2 to 3 . But that's much bigger task.

@autra autra marked this pull request as ready for review December 22, 2024 16:26
@autra
Copy link
Contributor Author

autra commented Dec 22, 2024

I think, even more correct solution would be to update default openexr version from 2 to 3 . But that's much bigger task.

Indeed. Should v2 be marked as insecure? (can we affort that?) It's a bit above my paygrade but some of these CVEs seems quite serious. Someone more knowledgeable in security should check though :-)

@autra autra mentioned this pull request Dec 22, 2024
Draft
13 tasks
@autra
Copy link
Contributor Author

autra commented Dec 22, 2024

I've opened a followup: #367406 for the rest of the packages.

@imincik
Copy link
Contributor

imincik commented Dec 23, 2024

I think, even more correct solution would be to update default openexr version from 2 to 3 . But that's much bigger task.

Indeed. Should v2 be marked as insecure? (can we affort that?) It's a bit above my paygrade but some of these CVEs seems quite serious. Someone more knowledgeable in security should check though :-)

Make a sense to mark v2 as insecure.

@wegank wegank added 12.approvals: 1 This PR was reviewed and approved by one reputable person 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in the package labels Dec 23, 2024
@LeSuisse
Copy link
Contributor

LeSuisse commented Dec 24, 2024
edited
Loading

I think, even more correct solution would be to update default openexr version from 2 to 3 . But that's much bigger task.

Indeed. Should v2 be marked as insecure? (can we affort that?) It's a bit above my paygrade but some of these CVEs seems quite serious. Someone more knowledgeable in security should check though :-)

Before we can remove it, it would probably make sense to move all the packages currently using openexr 2 to openexr_3, then mark openexr 2 with knownVulnerabilities. This should allow us to backport the changes to stable without breakages (hopefully...). Then if we have no more dependents we can remove openexr_2 completely.
Note that moving some of the packages to openexr_3 will need to go through staging (e.g. gst_all_1.gst-plugins-bad)

@autra
Copy link
Contributor Author

autra commented Dec 24, 2024

Note that moving some of the packages to openexr_3 will need to go through staging (e.g. gst_all_1.gst-plugins-bad)

And actually I guess this PR should go to staging too.

@autra autra changed the base branch from master to staging December 24, 2024 14:11
@autra
Copy link
Contributor Author

autra commented Dec 24, 2024

I changed the base to staging, and I'm going to do that as well for #367406

@github-actions github-actions bot removed 6.topic: qt/kde 6.topic: kernel The Linux kernel 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: rust 6.topic: golang 6.topic: nodejs 6.topic: systemd 6.topic: games 6.topic: llvm/clang Issues related to llvmPackages, clangStdenv and related 6.topic: dotnet Language: .NET labels Dec 30, 2024
@nix-owners
Copy link

nix-owners bot commented Dec 30, 2024

The PR's base branch is set to master, but 254 commits from the staging branch are included. Make sure you know the right base branch for your changes, then:

  • If the changes should go to the staging branch, change the base branch to staging
  • If the changes should go to the master branch, rebase your PR onto the merge base with the master branch: 
    # git rebase --onto $(git merge-base upstream/master HEAD) $(git merge-base upstream/staging HEAD)
git rebase --onto 522470aea5b189aca97e817b6ef3c53dfd1587ef 81932cf82a195a0933a9e9aa7fa70c2d35204d06
git push --force-with-lease

@imincik
Copy link
Contributor

imincik commented Dec 30, 2024

We don't need to go via staging branch for gdal PRs. My nixpkgs-review built 162 packages. Limit for staging is > 500.

@ofborg ofborg bot added 2.status: merge conflict This PR has merge conflicts with the target branch 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 11-100 and removed 2.status: merge conflict This PR has merge conflicts with the target branch 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux-stdenv This PR causes stdenv to rebuild 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ labels Dec 30, 2024
@autra
gdal: switch to openexr_3
8112df3 
There are several CVEs affecting openexr v2 and it seems to disturb
people. As gdal supports openexr v3, let's live in the future and
upgrade this dep.

Fix NixOS#366916
@autra autra changed the base branch from staging to master December 31, 2024 15:05
@autra
Copy link
Contributor Author

autra commented Dec 31, 2024

Ok, fair enough, I rebased and switched the base branch back to master.

@autra
Copy link
Contributor Author

autra commented Dec 31, 2024

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 366939

x86_64-linux

⏩ 13 packages marked as broken and skipped:
  • python312Packages.python-mapnik
  • python312Packages.python-mapnik.dist
  • python312Packages.rio-tiler
  • python312Packages.rio-tiler.dist
  • python312Packages.shimmy
  • python312Packages.shimmy.dist
  • python312Packages.worldengine
  • python312Packages.worldengine.dist
  • python313Packages.python-mapnik
  • python313Packages.python-mapnik.dist
  • python313Packages.worldengine
  • python313Packages.worldengine.dist
  • t-rex
❌ 16 packages failed to build:
  • cloudcompare
  • otb
  • postgresql14Packages.postgis
  • postgresql14Packages.postgis.doc
  • python312Packages.django-bootstrap4
  • python312Packages.django-bootstrap4.dist
  • python312Packages.django-bootstrap5
  • python312Packages.django-bootstrap5.dist
  • python312Packages.drf-extra-fields
  • python312Packages.drf-extra-fields.dist
  • python312Packages.netbox-documents
  • python312Packages.netbox-documents.dist
  • python313Packages.drf-extra-fields
  • python313Packages.drf-extra-fields.dist
  • python313Packages.netbox-documents
  • python313Packages.netbox-documents.dist
✅ 105 packages built:
  • apacheHttpdPackages.mod_tile
  • entwine
  • gdal (python312Packages.gdal)
  • gdalMinimal
  • gmt
  • gplates
  • grass
  • mapcache
  • mapnik
  • mapproxy
  • mapproxy.dist
  • mapserver
  • merkaartor
  • mysql-workbench
  • octavePackages.mapping
  • openorienteering-mapper
  • paraview
  • pdal
  • perl538Packages.Tirex
  • perl538Packages.Tirex.devdoc
  • perl540Packages.Tirex
  • perl540Packages.Tirex.devdoc
  • postgresql13JitPackages.postgis
  • postgresql13JitPackages.postgis.doc
  • postgresql13Packages.postgis
  • postgresql13Packages.postgis.doc
  • postgresql14JitPackages.postgis
  • postgresql14JitPackages.postgis.doc
  • postgresql15JitPackages.postgis
  • postgresql15JitPackages.postgis.doc
  • postgresql15Packages.postgis
  • postgresql15Packages.postgis.doc
  • postgresql16JitPackages.postgis
  • postgresql16JitPackages.postgis.doc
  • postgresql16Packages.postgis
  • postgresql16Packages.postgis.doc
  • postgresql17JitPackages.postgis
  • postgresql17JitPackages.postgis.doc
  • postgresql17Packages.postgis
  • postgresql17Packages.postgis.doc
  • python312Packages.bsuite
  • python312Packages.bsuite.dist
  • python312Packages.cartopy
  • python312Packages.cartopy.dist
  • python312Packages.fiona
  • python312Packages.fiona.dist
  • python312Packages.folium
  • python312Packages.folium.dist
  • python312Packages.geoarrow-pandas
  • python312Packages.geoarrow-pandas.dist
  • python312Packages.geoarrow-pyarrow
  • python312Packages.geoarrow-pyarrow.dist
  • python312Packages.geodatasets
  • python312Packages.geodatasets.dist
  • python312Packages.geopandas
  • python312Packages.geopandas.dist
  • python312Packages.geoparquet
  • python312Packages.geoparquet.dist
  • python312Packages.inequality
  • python312Packages.inequality.dist
  • python312Packages.libpysal
  • python312Packages.libpysal.dist
  • python312Packages.mapclassify
  • python312Packages.mapclassify.dist
  • python312Packages.momepy
  • python312Packages.momepy.dist
  • python312Packages.morecantile
  • python312Packages.morecantile.dist
  • python312Packages.msticpy
  • python312Packages.msticpy.dist
  • python312Packages.osmnx
  • python312Packages.osmnx.dist
  • python312Packages.plotnine
  • python312Packages.plotnine.dist
  • python312Packages.pygmt
  • python312Packages.pygmt.dist
  • python312Packages.pyogrio
  • python312Packages.pyogrio.dist
  • python312Packages.rasterio
  • python312Packages.rasterio.dist
  • python312Packages.rioxarray
  • python312Packages.rioxarray.dist
  • python312Packages.wktutils
  • python312Packages.wktutils.dist
  • python313Packages.django-bootstrap4
  • python313Packages.django-bootstrap4.dist
  • python313Packages.django-bootstrap5
  • python313Packages.django-bootstrap5.dist
  • python313Packages.gdal
  • python313Packages.pygmt
  • python313Packages.pygmt.dist
  • python313Packages.pyogrio
  • python313Packages.pyogrio.dist
  • pytrainer
  • pytrainer.dist
  • qgis
  • qgis-ltr
  • qmapshack
  • saga
  • sumo
  • survex
  • therion
  • tunnelx
  • udig
  • vpv

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Jan 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imincik imincik imincik approved these changes

@dotlambda dotlambda Awaiting requested review from dotlambda

@l0b0 l0b0 Awaiting requested review from l0b0

@nialov nialov Awaiting requested review from nialov

@sikmir sikmir Awaiting requested review from sikmir

@willcohen willcohen Awaiting requested review from willcohen

@MarcWeber MarcWeber Awaiting requested review from MarcWeber

@nh2 nh2 Awaiting requested review from nh2

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: clean-up 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 11-100 11.by: package-maintainer This PR was created by the maintainer of the package it changes 12.approvals: 1 This PR was reviewed and approved by one reputable person backport release-24.11 Backport PR automatically
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

gdal : openexr is EOL. Use openexr_3 instead
4 participants
@autra @imincik @LeSuisse @wegank