authorSam James <>2023-09-24 02:50:43 +0100
committerSam James <>2023-09-24 02:50:43 +0100
commit643f04360ac6f258d37d6fb5e0c71868a4e0f1c5 (patch)
tree275357e96ede24bf0b79ebedbba2b01e7e44efa1 /media-gfx
parentmedia-gfx/imagemagick: add (w/ USE=hardened) (diff)
media-gfx/imagemagick: add (w/ USE=hardened)
This adds a USE=hardened which sets the new configure arg (added between .15 and .18) called --with-security-policy. It defaults upstream to 'open'. We follow that default for USE=-hardened, but set it to 'limited' for USE=hardened. Bug: Signed-off-by: Sam James <>
Diffstat (limited to 'media-gfx')
2 files changed, 248 insertions, 0 deletions
diff --git a/media-gfx/imagemagick/Manifest b/media-gfx/imagemagick/Manifest
index 83b4155d2ce2..afb3633f3502 100644
--- a/media-gfx/imagemagick/Manifest
+++ b/media-gfx/imagemagick/Manifest
@@ -4,4 +4,5 @@ DIST ImageMagick-6.9.12-93.tar.xz 9261928 BLAKE2B 245ea5bdf49c1d4ca4e0cb34537748
DIST ImageMagick-6.9.12-96.tar.xz 9275248 BLAKE2B 81cad8da2d809d38c0146d54a7a39b75d39ac88138ef504a669aaa8293452baa1a1985568e80e4128e76fb3eded5d7111a45d47eea59b827e652ca5ee1a6396e SHA512 ffdc40d37919ec19ffd47955a39351a3532caca355f73f93bda1577157346a7d8b5727c4c8abddc87262bd9442e1af4ad8aae748a1364c28a407c3fb8c42ffb5
DIST ImageMagick-7.1.1-11.tar.xz 10196156 BLAKE2B 328ffe6dbf30b597ec56f94ab5e74cca553cb47eca244c76b91273c278c097990fb8ed7eeaa22311d4408022808e752cbb4c8775c56b3d64d3a4216487093e9e SHA512 b3c839457b62a6b83d3ab9cf12bda2f41030eed75ae5ff898331ffdfe202a93ea8284c8f8608f4ecd013c7eb0c4cbef6527caff62bcf382d62e8531389628fc3
DIST ImageMagick-7.1.1-15.tar.xz 10200668 BLAKE2B e9910b94d1a47641785cf05b1bfe99f310619aa48d32eb42823b7e83b9be2904e6ebc63965e6eaca2ed1162e6b0055f54bac946602759941a0d20fbf7502bf9d SHA512 afd6216d423a2b8b03727bac089bb83a0fe43c9bfc4c244d4ad5b1c8fa4c3a47be4c7556ef8f008debd0252c7b176c54caddd3c5c8b0ea4f5ca1836943326e8a
+DIST ImageMagick-7.1.1-18.tar.xz 10221468 BLAKE2B 1c4813f9fce578c9389922de5a4dbd8b0d925d1589844e3a3209b1045e03a254801abe9bf8570309b1ac701cb42d62ac497cda77a83efa720cf4cddf3ccec09e SHA512 5e62696089bc4f8510d19862d453d289db82bd6525b31575d61dfcfaf28b28f2d70d87dd4679972e2547380ac6c29520769f74825195ea529c2699be792baffd
DIST ImageMagick-7.1.1-6.tar.xz 10392592 BLAKE2B ed02f36d0014f2699db5df0eb1cf3b18ccbdbee92e3a3bcfb85084672faeb984c6bb27cdf46349768f936ac91ebac744aa00fa3a95fcf1f02a4969f315d2079d SHA512 52aa9aca4d987ee8f2142ce2e192230465399435d0cd7e64683349d0da1f52f2fbd03a2c667605c0c9da66435f84df173c60b7eb93ecada691e801e08dd9fd48
diff --git a/media-gfx/imagemagick/imagemagick- b/media-gfx/imagemagick/imagemagick-
new file mode 100644
index 000000000000..93a5b83426a4
--- /dev/null
+++ b/media-gfx/imagemagick/imagemagick-
@@ -0,0 +1,247 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+QA_PKGCONFIG_VERSION=$(ver_cut 1-3)
+inherit autotools flag-o-matic perl-functions toolchain-funcs
+if [[ ${PV} == 9999 ]] ; then
+ inherit git-r3
+ MY_P="imagemagick-9999"
+ MY_PV="$(ver_rs 3 '-')"
+ MY_P="ImageMagick-${MY_PV}"
+ SRC_URI="mirror://imagemagick/${MY_P}.tar.xz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+DESCRIPTION="A collection of tools and libraries for many image formats"
+# Please check this on bumps, SONAME is often not updated! Use abidiff on old/new.
+# If ABI is broken, change the bit after the '-'.
+SLOT="0/$(ver_cut 1-3)-18"
+IUSE="bzip2 corefonts +cxx djvu fftw fontconfig fpx graphviz hardened hdri heif jbig jpeg jpeg2k jpegxl lcms lqr lzma opencl openexr openmp pango perl +png postscript q32 q8 raw static-libs svg test tiff truetype webp wmf X xml zip zlib"
+REQUIRED_USE="corefonts? ( truetype )
+ svg? ( xml )
+ test? ( corefonts )"
+RESTRICT="!test? ( test )"
+ !media-gfx/graphicsmagick[imagemagick]
+ dev-libs/libltdl
+ bzip2? ( app-arch/bzip2 )
+ corefonts? ( media-fonts/corefonts )
+ djvu? ( app-text/djvu )
+ fftw? ( sci-libs/fftw:3.0 )
+ fontconfig? ( media-libs/fontconfig )
+ fpx? ( >=media-libs/libfpx-1.3.0-r1 )
+ graphviz? ( media-gfx/graphviz )
+ heif? ( media-libs/libheif:=[x265] )
+ jbig? ( >=media-libs/jbigkit-2:= )
+ jpeg? ( media-libs/libjpeg-turbo:= )
+ jpeg2k? ( >=media-libs/openjpeg-2.1.0:2 )
+ jpegxl? ( >=media-libs/libjxl-0.6:= )
+ lcms? ( media-libs/lcms:2= )
+ lqr? ( media-libs/liblqr )
+ opencl? ( virtual/opencl )
+ openexr? ( media-libs/openexr:0= )
+ pango? ( x11-libs/pango )
+ perl? ( >=dev-lang/perl-5.8.8:= )
+ png? ( media-libs/libpng:= )
+ postscript? ( app-text/ghostscript-gpl:= )
+ raw? ( media-libs/libraw:= )
+ svg? (
+ gnome-base/librsvg
+ media-gfx/potrace
+ )
+ tiff? ( media-libs/tiff:= )
+ truetype? (
+ media-fonts/urw-fonts
+ >=media-libs/freetype-2
+ )
+ webp? ( media-libs/libwebp:= )
+ wmf? ( media-libs/libwmf )
+ X? (
+ x11-libs/libICE
+ x11-libs/libSM
+ x11-libs/libXext
+ x11-libs/libXt
+ )
+ xml? ( dev-libs/libxml2 )
+ lzma? ( app-arch/xz-utils )
+ zip? ( dev-libs/libzip:= )
+ zlib? ( sys-libs/zlib:= )"
+ X? ( x11-base/xorg-proto )"
+ "${FILESDIR}/${PN}-9999-nocputuning.patch"
+pkg_pretend() {
+ [[ ${MERGE_TYPE} != binary ]] && use openmp && tc-check-openmp
+pkg_setup() {
+ [[ ${MERGE_TYPE} != binary ]] && use openmp && tc-check-openmp
+src_prepare() {
+ default
+ #elibtoolize # for Darwin modules
+ eautoreconf
+ # For testsuite, see
+ local ati_cards mesa_cards nvidia_cards render_cards
+ shopt -s nullglob
+ ati_cards=$(echo -n /dev/ati/card* | sed 's/ /:/g')
+ if test -n "${ati_cards}"; then
+ addpredict "${ati_cards}"
+ fi
+ mesa_cards=$(echo -n /dev/dri/card* | sed 's/ /:/g')
+ if test -n "${mesa_cards}"; then
+ addpredict "${mesa_cards}"
+ fi
+ nvidia_cards=$(echo -n /dev/nvidia* | sed 's/ /:/g')
+ if test -n "${nvidia_cards}"; then
+ addpredict "${nvidia_cards}"
+ fi
+ render_cards=$(echo -n /dev/dri/renderD128* | sed 's/ /:/g')
+ if test -n "${render_cards}"; then
+ addpredict "${render_cards}"
+ fi
+ shopt -u nullglob
+ addpredict /dev/nvidiactl
+src_configure() {
+ local depth=16
+ use q8 && depth=8
+ use q32 && depth=32
+ use perl && perl_check_env
+ [[ ${CHOST} == *-solaris* ]] && append-ldflags -lnsl -lsocket
+ local myeconfargs=(
+ $(use_enable static-libs static)
+ $(use_enable hdri)
+ $(use_enable opencl)
+ $(use_enable openmp)
+ --with-threads
+ --with-modules
+ --with-quantum-depth=${depth}
+ $(use_with cxx magick-plus-plus)
+ $(use_with perl)
+ --with-perl-options='INSTALLDIRS=vendor'
+ --with-gs-font-dir="${EPREFIX}"/usr/share/fonts/urw-fonts
+ $(use_with bzip2 bzlib)
+ $(use_with X x)
+ $(use_with zip)
+ $(use_with zlib)
+ --without-autotrace
+ $(use_with postscript dps)
+ $(use_with djvu)
+ --with-dejavu-font-dir="${EPREFIX}"/usr/share/fonts/dejavu
+ $(use_with fftw)
+ $(use_with fpx)
+ $(use_with fontconfig)
+ $(use_with truetype freetype)
+ $(use_with postscript gslib)
+ $(use_with graphviz gvc)
+ $(use_with heif heic)
+ $(use_with jbig)
+ $(use_with jpeg)
+ $(use_with jpeg2k openjp2)
+ $(use_with jpegxl jxl)
+ $(use_with lcms)
+ $(use_with lqr)
+ $(use_with lzma)
+ $(use_with openexr)
+ $(use_with pango)
+ $(use_with png)
+ $(use_with raw)
+ $(use_with svg rsvg)
+ $(use_with tiff)
+ $(use_with webp)
+ $(use_with corefonts windows-font-dir "${EPREFIX}"/usr/share/fonts/corefonts)
+ $(use_with wmf)
+ $(use_with xml)
+ # Default upstream (as of anyway) is open
+ # For now, let's make USE=hardened do 'limited', and have USE=-hardened
+ # reflect the upstream default of 'open'.
+ #
+ # We might change it to 'secure' and 'limited' at some point.
+ # See also bug #716674.
+ --with-security-policy=$(usex hardened limited open)
+ )
+ CONFIG_SHELL="${BROOT}"/bin/bash econf "${myeconfargs[@]}"
+src_test() {
+ # Install default (unrestricted) policy in $HOME for test suite, bug #664238
+ local _im_local_config_home="${HOME}/.config/ImageMagick"
+ mkdir -p "${_im_local_config_home}" || \
+ die "Failed to create IM config dir in '${_im_local_config_home}'"
+ cp "${FILESDIR}"/policy.test.xml "${_im_local_config_home}/policy.xml" || \
+ die "Failed to install default blank policy.xml in '${_im_local_config_home}'"
+ local im_command= IM_COMMANDS=()
+ if [[ ${PV} == 9999 ]] ; then
+ IM_COMMANDS+=( "magick -version" ) # Show version we are using -- cannot verify because of live ebuild
+ else
+ IM_COMMANDS+=( "magick -version | grep -q -- \"${MY_PV}\"" ) # Verify that we are using version we just built
+ fi
+ IM_COMMANDS+=( "magick -list policy" ) # Verify that policy.xml is used
+ IM_COMMANDS+=( "emake check" ) # Run tests
+ for im_command in "${IM_COMMANDS[@]}"; do
+ eval "${S}"/ \
+ ${im_command} || \
+ die "Failed to run \"${im_command}\""
+ done
+src_install() {
+ # Ensure documentation installation files and paths with each release!
+ emake \
+ DESTDIR="${D}" \
+ DOCUMENTATION_PATH="${EPREFIX}"/usr/share/doc/${PF}/html \
+ install
+ rm -f "${ED}"/usr/share/doc/${PF}/html/{ChangeLog,LICENSE,NEWS.txt}
+ dodoc {AUTHORS,README}.txt
+ if use perl; then
+ find "${ED}" -type f -name perllocal.pod -exec rm -f {} +
+ find "${ED}" -depth -mindepth 1 -type d -empty -exec rm -rf {} +
+ fi
+ find "${ED}" -name '*.la' -exec sed -i -e "/^dependency_libs/s:=.*:='':" {} +
+ # .la files in parent are not needed, keep plugin .la files
+ find "${ED}"/usr/$(get_libdir)/ -maxdepth 1 -name "*.la" -delete || die
+ if use opencl; then
+ cat <<-EOF > "${T}"/99${PN}
+ SANDBOX_PREDICT="/dev/nvidiactl:/dev/nvidia-uvm:/dev/ati/card:/dev/dri/card:/dev/dri/card0:/dev/dri/renderD128"
+ insinto /etc/sandbox.d
+ doins "${T}"/99${PN} #472766
+ fi
+ insinto /usr/share/${PN}
+ doins config/*icm
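Review bot: In src_configure, `--with-security-policy=$(usex hardened limited open)` leaves every non-hardened install on upstream's `open` policy, and nothing in the lines shown tells the user which policy was compiled in. ImageMagick is commonly run on files from untrusted sources, so I would surface the choice at install time, for example `use hardened || ewarn "Built with the upstream 'open' security policy; enable USE=hardened or tighten policy.xml before processing untrusted images"` in a `pkg_postinst` (none is visible in this hunk, whose rendering appears to drop some lines). Separately, src_test copies `policy.test.xml` into `${HOME}/.config/ImageMagick`, and the step commented "Verify that policy.xml is used" only runs `magick -list policy`, so it fails on a non-zero exit but checks nothing about which policy was loaded. It is unclear from the hunk whether the suite ever runs under the `limited` policy that hardened users get; either reword that comment as informational or pipe the output through a `grep -q` for an entry known to be in the test policy.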