Upgrade Spack to v1.1.0 #34
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades the Spack package manager version from v1.0.2 to v1.1.0 to incorporate the latest upstream changes and improvements from the Spack project.
- Updates the
SPACK_VERSIONvariable to reference the v1.1.0 release - Maintains existing cherry-picks for custom patches
- No breaking changes or behavior modifications
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
d83f05f to
28b4f41
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as off-topic.
This comment was marked as off-topic.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
28b4f41 to
6893049
Compare
wdconinc
force-pushed
the
spack-1.1.0
branch
8 times, most recently
from
8cc24d5 to
8d3576f
Compare
wdconinc
force-pushed
the
spack-1.1.0
branch
from
8d3576f to
515068c
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
9c84e74 to
2c3e210
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
5596265 to
3a4b30e
Compare
wdconinc
force-pushed
the
spack-1.1.0
branch
from
3a4b30e to
d3d2582
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
d3d2582 to
f26c1b6
Compare
wdconinc
force-pushed
the
spack-1.1.0
branch
from
f26c1b6 to
d73850f
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wdconinc
force-pushed
the
spack-1.1.0
branch
2 times, most recently
from
28f7657 to
d4a6845
Compare
wdconinc
force-pushed
the
spack-1.1.0
branch
from
d4a6845 to
ad08a47
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # their complex dependency trees or compatibility requirements. The new additions (py-dask-awkward, | ||
| # py-dask-histogram, py-distributed, py-requests) are included because they may be required in multiple | ||
| # versions or configurations by different packages in the environment, and allowing duplicates prevents | ||
| # build failures or conflicts during concretization. This list should be reviewed periodically to ensure | ||
| # only necessary packages are included. |
There was a problem hiding this comment.
The documentation mentions that py-dask-awkward, py-dask-histogram, py-distributed, and py-requests are "new additions" to the allowlist. However, based on the spack environment specifications:
- py-dask-histogram is explicitly used in multiple environments (ci, cuda, tf, xl, etc.)
- py-dask is explicitly used in multiple environments
- py-distributed is NOT found in any environment specification
- py-requests is NOT found in any environment specification
- py-dask-awkward is NOT found in any environment specification
The comment should be updated to accurately reflect which packages are actually used in the environments. If py-distributed, py-requests, and py-dask-awkward are transitive dependencies that need to be on the allowlist, the documentation should clarify this rather than stating they "may be required in multiple versions or configurations by different packages" without evidence in the environment specs.
| # their complex dependency trees or compatibility requirements. The new additions (py-dask-awkward, | |
| # py-dask-histogram, py-distributed, py-requests) are included because they may be required in multiple | |
| # versions or configurations by different packages in the environment, and allowing duplicates prevents | |
| # build failures or conflicts during concretization. This list should be reviewed periodically to ensure | |
| # only necessary packages are included. | |
| # their complex dependency trees or compatibility requirements. Some of these packages (such as py-dask | |
| # and py-dask-histogram) are explicitly used in multiple Spack environments, which can naturally lead to | |
| # multiple concretizations. Others (py-dask-awkward, py-distributed, py-requests) are not directly listed | |
| # in the environment specifications but may appear as transitive dependencies or in alternative | |
| # configurations of those packages; allowing duplicates for them helps avoid concretization conflicts or | |
| # build failures. This list should be reviewed periodically to ensure only necessary packages are included. |
| spack concretize --force | ||
| spack --color=never find --long --no-groups --show-concretized --format "{name}" \ | ||
| | uniq -D -f2 | grep -v -w -e "\(epic\|llvm\|py-setuptools\|py-urllib3\)" \ | ||
| | uniq -D -f2 | grep -Evw "(${SPACK_DUPLICATE_ALLOWLIST})" \ |
There was a problem hiding this comment.
The use of the build argument SPACK_DUPLICATE_ALLOWLIST directly inside a double-quoted shell command in grep -Evw "(${SPACK_DUPLICATE_ALLOWLIST})" allows shell metacharacters (such as ", ;, or backticks) in the argument value to break out of the intended pattern and inject arbitrary shell commands at image build time. An attacker who can influence the Docker build arguments (for example in a multi-tenant CI/build service that exposes SPACK_DUPLICATE_ALLOWLIST as a user-configurable parameter) could exploit this to execute arbitrary commands in the build environment. To fix this, ensure that SPACK_DUPLICATE_ALLOWLIST is not interpolated directly into the shell command without sanitization/escaping, or restrict it to a safe, predefined set of values rather than arbitrary patterns.
| sed -i "/# JUGGLER_VERSION$/ s/@[^' ]*/@git.${JUGGLER_SHA}=main/" /opt/spack-environment/packages.yaml | ||
| spack deconcretize -y --all juggler | ||
| fi | ||
| spack concretize --force |
There was a problem hiding this comment.
The repeated use of grep -Evw "(${SPACK_DUPLICATE_ALLOWLIST})" with the untrusted build argument SPACK_DUPLICATE_ALLOWLIST inside a double-quoted shell command enables shell injection if the argument contains characters like ", ;, or backticks. In environments where users can set Docker build arguments but not modify the Dockerfile itself, an attacker could craft a malicious value for SPACK_DUPLICATE_ALLOWLIST to break out of the grep invocation and run arbitrary commands in the image build context. Mitigate this by ensuring SPACK_DUPLICATE_ALLOWLIST cannot contain shell metacharacters (e.g., by validating against a strict pattern or fixed options) or by restructuring the command to avoid direct interpolation into the shell.
| spack concretize --force | |
| spack concretize --force | |
| # Validate SPACK_DUPLICATE_ALLOWLIST to avoid shell injection via grep pattern | |
| case "${SPACK_DUPLICATE_ALLOWLIST}" in | |
| (*[!A-Za-z0-9_|-]*) | |
| echo "Invalid SPACK_DUPLICATE_ALLOWLIST: only characters [A-Za-z0-9_|-] are allowed" >&2 | |
| exit 1 | |
| ;; | |
| esac |
Removed llvm package requirement for gold.
wdconinc
force-pushed
the
spack-1.1.0
branch
from
ad08a47 to
2942ddb
Compare
Briefly, what does this PR introduce?
Needs:
preferandrequiresforpackages:all#48This PR upgrades spack to v1.1.0, https://github.com/spack/spack/releases/tag/v1.1.0.
What kind of change does this PR introduce?
Please check if this PR fulfills the following:
Does this PR introduce breaking changes? What changes might users need to make to their code?
No.
Does this PR change default behavior?
No.