
Bug 735396

Summary: media-tv/plex-media-server: need py3 port
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: Stephen Shkardoon <ss23>
Status: RESOLVED FIXED
Severity: normal
CC: diazona, gentoo, matt, pacho, proxy-maint, treecleaner, turtle
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=769782
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 694800
Deadline: 2020-10-20
Attachments: Updated ebuild, Updated start_pms

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 14:34:39 UTC
Please port to py3.
Comment 1 Stephen Shkardoon 2020-08-03 01:39:24 UTC
Upstream has signaled an intention to rewrite security relevant parts of the package in compiled languages rather than Python, but expects some parts to remain Python 2 for some time: https://forums.plex.tv/t/when-will-plex-media-server-shift-to-python-3/600689/7
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-01 10:04:27 UTC
ping.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 10:38:30 UTC
Ping.  Do we really want to keep it with all the bundled stuff, given it's a security nightmare?
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 13:35:15 UTC
Ok, this one's a major blocker right now, so I'm going to lastrite it.  If you can update the ebuild to 1) stop bundling python, and use system python2.7 instead, and 2) use virtualenv from python3 (i.e. call it with '--py 2.7'), it can stay for a while more.
Comment 5 Larry the Git Cow gentoo-dev 2020-09-20 13:37:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=857156073762108cd2ad224ee9d2d48a613ca1db

commit 857156073762108cd2ad224ee9d2d48a613ca1db
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-20 13:36:48 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-20 13:37:06 +0000

    package.mask: Last rite media-tv/plex-media-server
    
    Bug: https://bugs.gentoo.org/735396
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 6 Bernhard Kühnel 2020-09-22 19:36:44 UTC
Upstream has responded (https://forums.plex.tv/t/when-will-plex-media-server-shift-to-python-3/600689/17) that
- their bundled libpython.so.1.0 is subject to modifications including security patches by Plex staff (https://forums.plex.tv/t/when-will-plex-media-server-shift-to-python-3/600689/11)
- by only bundling libpython2.7.so.1.0 and not the interpreter, they don't see as big of a security impact
- a patch removing python2.7 entirely can currently not be expected before 2020-10-20
- removal of existing python2.7 functionality is actively worked on (as stated before), however no timeline has been given


On a side note, I've tried replacing the bundled libpython2.7.so.1.0 from PMS with the one from dev-lang/python-2.7.18-r2 just to see if that would be an intermediate workaround.
The result was mixed: the service would start and some core functions (movie playback) work, but some settings/admin pages would not load (unexpectedly) and some file scanners wouldn't work (as mentioned by upstream).
Comment 7 Jordan Patterson 2020-09-22 22:17:26 UTC
Created attachment 662038
Updated ebuild
Comment 8 Jordan Patterson 2020-09-22 22:17:47 UTC
Created attachment 662041
Updated start_pms
Comment 9 Jordan Patterson 2020-09-22 22:54:58 UTC
Hi Michał:

I've attached an ebuild and start script that uses the system python 2.7.  I've added lxml and simplejson as dependencies and removed virtualenv.  As far as I can tell, they were the only additional libraries used by the virtualenv.

There are two binaries that set the env variable PYTHONHOME before running scripts, which needs to be prevented.  I used sed on the binaries so that it sets an env variable called PYTHONZZZZ instead, which won't be used.  Is there a better way to do that?

With these changes, things are all working as far as I can tell.  Server settings, adding new media, and streaming are working.
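
The same-length rename described in comment 9, shown with the checks a packager would want around it. This is an added example, not code from the thread or the attached ebuild; the function names and the sample bytes are constructed for illustration, and like the sed approach it replaces every occurrence of the name.

```python
import os
import shutil
import tempfile


def patch_bytes(data, old, new):
    """Return (patched, offsets) with every `old` replaced by same-length `new`."""
    if len(old) != len(new):
        # A length change would shift every later offset in the binary.
        raise ValueError("old and new names must have the same length")
    if new in data:
        # The new name must be unused, otherwise the program already reads it.
        raise ValueError("replacement name already occurs in the binary")
    offsets = []
    pos = data.find(old)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(old, pos + len(old))
    patched = data.replace(old, new)
    assert len(patched) == len(data)
    return patched, offsets


def patch_file(path, old=b"PYTHONHOME", new=b"PYTHONZZZZ"):
    """Patch `path` in place via a temp file; return the number of replacements."""
    with open(path, "rb") as fh:
        data = fh.read()
    patched, offsets = patch_bytes(data, old, new)
    if not offsets:
        return 0
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(patched)
        shutil.copymode(path, tmp)   # keep the executable bit
        os.replace(tmp, path)        # atomic swap on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return len(offsets)


# Constructed sample standing in for a binary: header bytes, then C strings.
SAMPLE = (b"\x7fELF\x02\x01\x01\0" + b"\0" * 8
          + b"PYTHONHOME\0/opt/example/resources\0PYTHONPATH\0")

if __name__ == "__main__":
    out, where = patch_bytes(SAMPLE, b"PYTHONHOME", b"PYTHONZZZZ")
    print("patched offsets:", where, "size unchanged:", len(out) == len(SAMPLE))
```

Recording the returned offsets per upstream release makes it visible when a new version adds or drops a place where the variable is set.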
Comment 10 Anthony Ryan 2020-09-23 02:45:45 UTC
I just noticed this while updating my HTPC today.

https://github.com/comio/plex-overlay/pull/14

I would welcome any suggestions and collaboration. It's not perfect yet, but I think we're going in the right direction.

No matter what we do, Plex isn't going to be friendly to package:
- It's commercial software
- They bundle *all* of their dependencies
- They patch some of those dependencies
- They don't release those patches
- Failing to use their patched dependencies will cause instability

I believe the only way forward is to treat Plex like a black box. Let it do its own thing and stop fighting it. Wash our hands of responsibility for the safety of Plex's dependencies (and Plex itself).
Comment 11 Anthony Ryan 2020-09-23 02:52:37 UTC
To clarify one point before there's any more confusion. I don't actually have any issue with the lastrites on this.

The problems still exist and they're valid, even with a new ebuild. It won't be to the same standards as the rest of the tree.

With that said, I think this is popular and useful enough (disappointingly, with no open source alternative) that we ought to at least have an overlay package for this in good shape.
Comment 12 Stephen Shkardoon 2020-09-28 07:49:33 UTC
Upstream has indicated strongly against removing the bundled libraries, so even if we could get it working properly, I don't think it would be appropriate for us to continue down such a path. Every new version is a chance for more changes that we can support, along with more testing that would need to be done to ensure they haven't broken anything.

There is a third party repo (comio's) which lets users install it if they wish to take on the security and maintenance burden.
Comment 13 Larry the Git Cow gentoo-dev 2020-10-20 15:52:38 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfd7cc6044812d7b3b2efb1495247b72787dc6f5

commit cfd7cc6044812d7b3b2efb1495247b72787dc6f5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-20 15:47:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-20 15:52:25 +0000

    media-tv/plex-media-server: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/735396
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 media-tv/plex-media-server/Manifest                |  10 --
 .../add_gentoo_profile_as_platform_version.patch   |  12 --
 .../files/conf.d/plex-media-server                 |   7 --
 .../plex-media-server/files/etc-plexmediaserver    |  23 ----
 .../files/init.d/plex-media-server                 |  20 ---
 .../files/plexmediamanager.desktop.new.patch       |   8 --
 .../files/plexmediaserver.service.patch            |  12 --
 media-tv/plex-media-server/files/start_pms         |  50 --------
 .../files/systemd/plex-media-server.service        |  11 --
 .../files/virtualenv_start_pms_2019.patch          |  12 --
 media-tv/plex-media-server/metadata.xml            |  12 --
 .../plex-media-server-1.18.3.ebuild                | 138 --------------------
 .../plex-media-server-1.18.4-r1.ebuild             | 137 --------------------
 .../plex-media-server-1.19.1.ebuild                | 140 ---------------------
 .../plex-media-server-1.19.2.ebuild                | 140 ---------------------
 .../plex-media-server-1.19.5.ebuild                | 140 ---------------------
 profiles/package.mask                              |   7 --
 17 files changed, 879 deletions(-)
Comment 14 turtle 2021-01-02 19:30:09 UTC
Package was removed in error, please reopen this bug.
As P this package does not block or depend on py3-tracker, python-3-incompatible
Plex does not depend on any system Python and has no documented specific security CVE. 

1.) There is no Gentoo policy to ban packages that use any specific version of a language that is fully contained within its internal libraries.

2.) There are no currently documented security 'nightmares' for the average Gentoo user running Plex.
 

Plex has many active devs and responds to even the slightest security holes quickly: 
https://www.tenable.com/blog/tenable-research-discloses-multiple-vulnerabilities-in-plex-media-server

All other linux distros still support Plex.