Bug 223077 (vartexfonts) - [TRACKER] Set VARTEXFONTS=${T}/fonts to prevent sandbox violations
Status: CONFIRMED
Alias: vartexfonts
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High minor
Assignee: Andrey Grozin
Keywords: Tracker
Depends on: 652010 652014 652016 652022 652030 652034 652036 555078 652002 652004 652006 652008 652012 652018 652020 652024 652026 652028 652038
Reported: 2008-05-21 15:32 UTC by Andrey Grozin
Modified: 2018-09-24 10:30 UTC
Description Andrey Grozin gentoo-dev 2008-05-21 15:32:50 UTC
Many packages run latex (or pdflatex or something similar) when emerged, to compile their documentation (often with USE=doc). If a font is encountered which happens to be absent in /var/cache/fonts, metafont is called to generate it. If VARTEXFONTS is not set, this will lead to a sandbox violation (unless addwrite /var/cache/fonts is used). This was discussed in http://groups.google.com/group/linux.gentoo.dev/browse_thread/thread/bf2e58fe200c0676/b72be3596cd2eb31 and http://groups.google.com/group/linux.gentoo.dev/browse_thread/thread/1d67f8155c62098f#
Typically, an ebuild says something like

emake docs

All such cases should be changed to something like

VARTEXFONTS="${T}"/fonts emake docs

Here is a list of packages. There might be some false positives; if your package does not call latex (or pdflatex or ...) at build time, please ignore this bug.

app-backup@gentoo.org, wschlich@gentoo.org:
app-backup/bacula

emacs@gentoo.org, python@gentoo.org:
app-emacs/pymacs

emacs@gentoo.org, common-lisp@gentoo.org:
app-emacs/slime

cjk@gentoo.org:
app-i18n/canna

shell-tools@gentoo.org:
app-misc/tdl
[with USE=doc, dvi, ps, and pdf docs are installed, all gzipped.
Isn't this too much? pdf should not be bzip2ed]

kernel-misc@gentoo.org:
app-misc/fdutils

ada@gentoo.org:
dev-ada/xmlada
dev-ada/asis-gcc
dev-ada/asis-gpl

haskell@gentoo.org
dev-util/bnfc
[here dodoc is used to install a .pdf, and hence it's bzipped - not a good idea]

haskell@gentoo.org, tex@gentoo.org:
dev-haskell/lhs2tex
[here a .pdf file is installed using dodoc, and hence will be bzip2ed - not a good idea]

ml@gentoo.org:
dev-lang/mlton

maintainer-needed@gentoo.org:
dev-lang/mmix
dev-libs/beecrypt

dev-util/ragel
[it's better to use insinto/doins for .pdf files]

vapier@gentoo.org:
dev-libs/libtomcrypt

common-lisp@gentoo.org:
dev-lisp/gcl
dev-lisp/cl-cffi
dev-lisp/cl-cgi-utils

dev-lisp/cl-xml-psychiatrist
[here latex is called directly; is 1 time enough? Also, .pdf is installed bzipped - better not to do this]

dev-lisp/cl-tclink
[here the only place where the doc USE flag is used is commented out. Then there is no need for this USE flag...]

tcltk@gentoo.org:
dev-tcltk/tkzinc

dev-embedded@gentoo.org:
dev-tinyos/tos

haskell@gentoo.org
dev-util/bnfc

games@gentoo.org:
games-board/freedoko

sound@gentoo.org:
media-sound/musescore
[doc USE flag never used???]

video@gentoo.org, media-video@gentoo.org:
media-video/dirac

netmon@gentoo.org, anant@gentoo.org:
net-analyzer/ns
[.pdf installed by dodoc and hence bzipped - not good]

netmon@gentoo.org:
net-analyzer/sonar

net-dialup@gentoo.org
net-dialup/mgetty
[here font generation is suppressed; better set VARTEXFONTS and not do this]

sci-biology@gentoo.org:
sci-biology/wise
[here .ps docs are installed unconditionally; it would be better to use the USE flag doc. Also, before latex and dvips, export VARTEXFONTS=...]

sci@gentoo.org:
sci-libs/netcdf
sci-libs/pgplot
sci-misc/gri
sci-misc/nco

sci-mathematics@gentoo.org:
sci-mathematics/axiom
sci-mathematics/ginac
sci-mathematics/nusmv

robbat2@gentoo.org:
sys-block/btrace

hp-cluster@gentoo.org, kanaka@gentoo.org:
sys-cluster/mpich2

markusle@gentoo.org:
sys-cluster/charm

base-system@gentoo.org, tantive@gentoo.org:
sys-power/apcupsd

mobile@gentoo.org, genstef@gentoo.org:
sys-power/powersave
Comment 1 Ulrich Müller gentoo-dev 2008-05-21 17:53:19 UTC
> emacs@gentoo.org, python@gentoo.org:
> app-emacs/pymacs

> emacs@gentoo.org, common-lisp@gentoo.org:
> app-emacs/slime

Fixed. (False positives? Both are not accessing the font cache, even if it's empty. Anyway, the VARTEXFONTS assignment cannot harm.)
Comment 2 Alexis Ballier gentoo-dev 2008-06-04 23:07:38 UTC
(In reply to comment #0)
> video@gentoo.org, media-video@gentoo.org:
> media-video/dirac

fixed
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2008-06-07 22:54:13 UTC
net-dialup/mgetty has been fixed.
Comment 4 Samuli Suominen gentoo-dev 2008-06-12 17:37:48 UTC
musescore needs doxygen/latex -foo to build documentation it is using at runtime,
and I'm aware it's an automagic dep., but as nothing is linked and system is still functional (no revdep-rebuilding) if you unemerge them after I haven't bothered to patch it out _yet_

but sorry, i'm not adding anything unnecessary to any of my ebuilds (it doesn't fail)

Comment 5 Samuli Suominen gentoo-dev 2008-06-13 18:08:56 UTC
(In reply to comment #4)
> but sorry, i'm not adding anything unnecessary to any of my ebuilds (it doesn't
> fail)

taking that back, adding musescore 0.9.2 with vartexfonts.
Comment 6 mephinet 2008-07-14 16:08:56 UTC
One more package that doesn't ebuild, because of a sandbox violation:

dev-tex/oesch
Comment 7 Alexis Ballier gentoo-dev 2008-08-06 14:52:04 UTC
(In reply to comment #0)
> ml@gentoo.org:
> dev-lang/mlton

done

(In reply to comment #6)
> One more package that doesn't ebuild, because of a sandbox violation:
> 
> dev-tex/oesch

fixed that a while ago but forgot to thank you, so here it is: thanks.

Comment 8 Patrick Kursawe (RETIRED) gentoo-dev 2009-02-13 21:04:21 UTC
sci@gentoo.org should be done.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-04-13 01:50:36 UTC
btrace is fixed.
Comment 10 Samuli Suominen gentoo-dev 2010-01-13 16:54:28 UTC
genstef/mobile is done (sys-power/powersave isn't in portage anymore)
Comment 11 Sébastien Fabbro (RETIRED) gentoo-dev 2010-01-13 17:01:01 UTC
sci-mathematics done.
Comment 12 dio 2010-05-08 23:39:01 UTC
Please add media-gfx/sane-backends to the list of packages:

 * Messages for package media-gfx/sane-backends-1.0.19-r2:

 * ERROR: media-gfx/sane-backends-1.0.19-r2 failed:
 *   (no error message)
 *
 * Call stack:
 *     ebuild.sh, line  54:  Called src_compile
 *   environment, line 2697:  Called die
 * The specific snippet of code:
 *       emake VARTEXFONTS="${T}/fonts" || die;
 *

# emerge --info
Portage 2.1.8.3 (default/linux/amd64/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.31-gentoo-r10-04 x86_64)                                                    
=================================================================                                                                                      
System uname: Linux-2.6.31-gentoo-r10-04-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P9300_@_2.26GHz-with-gentoo-1.12.13                                         
Timestamp of tree: Thu, 06 May 2010 13:15:02 +0000                                                                                                     
app-shells/bash:     4.0_p37                                                                                                                           
dev-java/java-config: 2.1.10                                                                                                                           
dev-lang/python:     2.5.4-r3, 2.6.4-r1                                                                                                                
dev-util/cmake:      2.6.4-r3                                                                                                                          
sys-apps/baselayout: 1.12.13                                                                                                                           
sys-apps/sandbox:    1.6-r2                                                                                                                            
sys-devel/autoconf:  2.13, 2.63-r1                                                                                                                     
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -march=core2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/fax /usr/share/X11/xkb /usr/share/config /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O3 -march=core2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms splitdebug strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ http://gentoo.arcticnetwork.ca/ ftp://mirrors.tera-byte.com/pub/gentoo ftp://mirror.csclub.uwaterloo.ca/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ http://mirror.switch.ch/mirror/gentoo/ "
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X X509 accessibility acl additions alsa amd64 amr apache2 authdaemond authfile ban bash-completion branding bzip2 cairo calendar cdb cdr cgi cjk cli consolekit context cracklib crypt ctype cups curl curlwrappers cxx dbus deflate dga directfb discard-path diskio dmx doc dri dvd dvdnav dvdr dvipdfm ebook elf emacs encode exif extra extras fam fbcon filter firefox fontconfig fontforge foomaticdb force-cgi-redirect fortran ftp fts3 fuse gadu gcj gd gdbm gif gimp gpg gphoto2 gpm graphics groupwise gstreamer hal hardened hash hfs history hpn iconv idn imagemagick imap imlib inifile ipv6 irc jadetex java java6 jce jms jmx jpeg kde kde4 kdm kerberos konqueror kontact kpathsea lame laptop latex latex3 lcms ldap ldap-sasl lm_sensors logrotate loop-aes mad mmap mmx mng modules mp2 mp3 mp3tunes mpeg mpeg2 mudflap multilib mysql mysqli ncurses nls nptl nptlonly nsplugin odbc ogg omega openexr opengl openmp openntpd openssl opensslcrypt oss pam parse-clocks pcre pdf perl png posix ppds pppd pstricks publishers pulseaudio python qt-static qt3support qt4 quicktime radius raw readline reflection reiserfs rpm rrdcgi rrdtool samba sametime sasl science sdk sdl semantic-desktop sensord session slp smp sms snmp soap sockets softquota spf spl sql sqlite sse sse2 ssl ssse3 stats svg svgz swat symlink sysfs sysvipc tcl tcpd texteffect theora tiff tk truetype unicode usb utempter v4l v4l2 vcd vhosts vorbis wavpack webkit wma wmf wmp xcomposite xetex xhtml xindy xine xinerama xml xmldoclet xmlreader xmlrpc xmlwriter xmp xorg xpm xscreensaver xsl xulrunner xv xvid xvmc yahoo zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" 
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" SANE_BACKENDS="brother2" USERLAND="GNU" VIDEO_CARDS="intel fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 13 Samuli Suominen gentoo-dev 2010-11-07 19:11:15 UTC
dev-embedded is done: dev-tinyos/ category was removed from tree (unrelated to this bug)
Comment 14 Sergei Trofimovich gentoo-dev 2012-05-05 17:42:30 UTC
> haskell@gentoo.org
> dev-util/bnfc

Does not call latex.

> [here dodoc is used to install a .pdf, and hence it's bzipped - not a good idea]

Not an issue anymore as well.
Comment 15 Naohiro Aota gentoo-dev 2012-05-17 05:31:55 UTC
> cjk@gentoo.org:
> app-i18n/canna

Fixed.
Comment 16 Sergey Popov gentoo-dev 2012-09-30 06:59:44 UTC
Both net-analyzer/ns and net-analyzer/sonar were removed from tree, so netmon is done here for now.
Comment 17 Jonas Stein gentoo-dev 2018-03-30 17:40:10 UTC
Changing this ticket to a tracker. We can close it as soon as the last linked ticket is closed.
Comment 18 Sergei Trofimovich gentoo-dev 2018-03-30 18:05:46 UTC
Can you post an example canonical fix as a comment here, if such examples exist in the tree?
Comment 19 Tupone Alfredo gentoo-dev 2018-04-17 06:18:33 UTC
Does not call latex or pdflatex. Docs are prebuilt.
Comment 20 Tupone Alfredo gentoo-dev 2018-04-17 06:19:28 UTC
(In reply to Tupone Alfredo from comment #19)
> Does not call latex or pdflatex. Docs are prebuilt.

Sorry wrong place
Comment 21 Jonas Stein gentoo-dev 2018-05-01 08:20:45 UTC
Reassigning the TRACKER to the original poster Andrey.
It would be great to have a link to a wiki page explaining to (proxied) maintainers what exactly is wrong and how to fix it.
The wiki page should also answer "How can a dev see, if an ebuild is affected?"
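
One heuristic way to triage the question "is this ebuild affected?", given the rule from the description (anything that runs latex, pdflatex or similar at build time should set VARTEXFONTS). This is an added example, not Portage code and not written by any commenter on this bug; the tool list, the file-name globs and the function names `calls_tex`, `check_ebuild` and `demo` are assumptions made for illustration, and the sample ebuilds are constructed.

```sh
#!/bin/sh
# Added example (not Portage code): heuristic triage for the sandbox
# violation tracked in this bug. Tool list, file globs and function names
# are assumptions made for illustration.

# Whole-word match for TeX front ends that may invoke metafont; the trailing
# class keeps atoms such as virtual/latex-base from matching.
TEX_RE='(^|[^[:alnum:]_.-])(pdflatex|latex|dvips|dvipdfm|texi2dvi|texi2pdf)($|[^[:alnum:]_-])'

# calls_tex PATH...: true if a non-comment line of the ebuild or of a
# build file below PATH runs one of those tools.
calls_tex() {
    find "$@" -type f \( -name '*.ebuild' -o -name '[Mm]akefile*' \
        -o -name '*.mk' \) -exec cat {} + 2>/dev/null |
        grep -v '^[[:space:]]*#' | grep -Eq "$TEX_RE"
}

# check_ebuild EBUILD [SRCDIR]: print ok-set, needs-vartexfonts or no-tex.
check_ebuild() {
    if grep -Eq '^[^#]*VARTEXFONTS=' "$1"; then
        echo ok-set
    elif calls_tex "$1" ${2:+"$2"}; then
        echo needs-vartexfonts
    else
        echo no-tex
    fi
}

# demo: run the check over three constructed packages in a scratch dir.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/src"
    printf 'docs:\n\tpdflatex manual.tex\n' > "$d/src/Makefile"
    printf 'src_compile() {\n\temake docs\n}\n' > "$d/bad.ebuild"
    printf 'src_compile() {\n\tVARTEXFONTS="${T}"/fonts emake docs\n}\n' > "$d/good.ebuild"
    printf 'DEPEND="doc? ( virtual/latex-base )"\n# latex not run\n' > "$d/dep.ebuild"
    check_ebuild "$d/bad.ebuild" "$d/src"
    check_ebuild "$d/good.ebuild" "$d/src"
    check_ebuild "$d/dep.ebuild"
    rm -rf "$d"
}

demo
```

Passing the unpacked source directory as the second argument matters for the `emake docs` case from the description, where the TeX call lives in the package's Makefile rather than in the ebuild itself.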