Bug 1350123
| Summary: | Python 3.5 is being built with the getrandom() syscall disabled | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nick Coghlan <ncoghlan> |
| Component: | python3 | Assignee: | Tomas Orsava <torsava> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 24 | CC: | bkabrda, cstratak, mhroncok, pviktori, rkuska, tomspur, torsava |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | python3-3.5.1-17.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-23 16:19:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1293703 | | |
Description
Nick Coghlan
2016-06-25 20:05:19 UTC
Upstream query regarding this behaviour where the getrandom() syscall being missing at build time means it isn't tried at runtime either: https://mail.python.org/pipermail/security-sig/2016-June/000060.html

If we hard-code enable it on Fedora builds, could that be dangerous? I.e. can we say that on Fedora it should *always* be enabled? Or should we focus on run-time querying?

(In reply to Miro Hrončok from comment #2)
> If we hard-code enable it on Fedora builds, could that be dangerous? I.e.
> can we say that on Fedora it should *always* be enabled? Or should we focus
> on run-time querying?

After giving it a bit of thinking, I guess Fedora can be run in a container on any kernel (including the one that is used on Koji), so run-time check is a must.

Python 3.5 does check at runtime. It only needs SYS_getrandom and GRND_NONBLOCK constants. More specifically, the configure script reports "checking for the Linux getrandom() syscall... no", which would mean the C code for checking HAVE_GETRANDOM_SYSCALL doesn't build & run: https://paste.fedoraproject.org/385405/22064146/

Hm, Miro tells me it does run. So I'd guess the problem is somewhere in the config machinery.

Interestingly, by itself the SYS_getrandom syscall actually works on the Koji builder.
Task: http://koji.fedoraproject.org/koji/taskinfo?taskID=14672074
Log: https://kojipkgs.fedoraproject.org//work/tasks/2074/14672074/build.log
Source: https://paste.fedoraproject.org/385449/29814146/

Update: The assumption that the buildtime check for the `getrandom` syscall fails in Koji is false. Here's the latest build of Python 3.5: http://koji.fedoraproject.org/koji/buildinfo?buildID=801062 And here's the oldest, first build of Python 3.5 from a year ago: http://koji.fedoraproject.org/koji/buildinfo?buildID=687298 Both have in their logs (for all architectures): "checking for the Linux getrandom() syscall... yes" I'll try to investigate further.

Apologies, the assumption was indeed not false: The build time check fails on builds of Python 3.5.1. However, it succeeds on Python 3.5.0 and 3.5.2 builds, that's why both the builds from my previous message had it succeed. That means that Fedoras 25 and up don't suffer from this issue, as they are already on Python 3.5.2. I'll try to figure out a patch for 3.5.1 so it works in F24 as well.

I have made a patch for Fedora 24 (the only affected Fedora version) and verified using strace that it indeed works and Python uses the new `getrandom` sys call. Bodhi will spam this bug shortly.

In the patch, I backported the build-time check for the getrandom syscall from Python 3.5.2 to Python 3.5.1 which is in Fedora 24. The build-time check that was there previously had several issues, most importantly it did not include the proper headers.

python3-3.5.1-17.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8153676cf1

python3-3.5.1-17.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8153676cf1

python3-3.5.1-17.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

This probably caused bug #1383060 to appear. Tomáš, do you have cycles to help there?

I'll look into it.
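
The two-stage check discussed in this thread, as an added example that is not part of the bug report, the Fedora patch or CPython's source: the syscall is compiled in only when the build headers define `SYS_getrandom`, and it is still probed at run time so that an older host kernel falls back to `/dev/urandom`. The names `fill_random`, `urandom_fill` and `enum rng_source` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>   /* defines SYS_getrandom when the build headers know it */

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* value from <linux/random.h> */
#endif

/* Hypothetical names, chosen for this example only. */
enum rng_source { RNG_FAILED = 0, RNG_GETRANDOM = 1, RNG_URANDOM = 2 };

/* Fallback path: read exactly len bytes from /dev/urandom. */
static int urandom_fill(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    size_t off = 0;
    while (fd >= 0 && off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        off += (size_t)n;
    }
    if (fd >= 0) close(fd);
    return off == len ? 0 : -1;
}

enum rng_source fill_random(unsigned char *buf, size_t len) {
#ifdef SYS_getrandom   /* build-time gate: without it the syscall is never tried */
    size_t off = 0;
    while (off < len) {
        long n = syscall(SYS_getrandom, buf + off, len - off, GRND_NONBLOCK);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        break;   /* run-time gate: ENOSYS on an old kernel, EPERM, EAGAIN, ... */
    }
    if (off == len) return RNG_GETRANDOM;
#endif
    return urandom_fill(buf, len) == 0 ? RNG_URANDOM : RNG_FAILED;
}

int main(void) {
    unsigned char key[16];
    enum rng_source src = fill_random(key, sizeof key);
    printf("source: %s\n", src == RNG_GETRANDOM ? "getrandom()" :
                           src == RNG_URANDOM ? "/dev/urandom" : "none");
    return src == RNG_FAILED;
}
```

Running the binary under `strace` shows which path was taken, the same way the fix in this bug was verified.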