Build HDF5 from source in wheels to avoid vulnerablity

philippeVerney · philippeVerney · commit 06783b5bf3ab · 2026-02-13T18:23:59.000+01:00
CI workflow: remove system hdf5-devel install and instead download, configure and build HDF5 2.0.0 from source (cmake configure/build/install) due to distro security/maintenance concerns
diff --git a/.github/workflows/github-actions.yml b/.github/workflows/github-actions.yml
@@ -177,7 +177,19 @@ jobs:
             yum search epel-release &&
             yum info epel-release &&
             yum install -y epel-release &&
-            yum --enablerepo=epel install -y minizip1.2-devel hdf5-devel cmake3 &&
+            yum --enablerepo=epel install -y minizip1.2-devel cmake3 &&
+# RedHat nor Debian maintain security patches for hdf5. We consequently build the latest HDF5 version.We now vuild FESAPI
+            wget --no-verbose https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz && 
+            tar -xzf hdf5-2.0.0.tar.gz &&
+            cd hdf5-2.0.0 &&
+            mkdir build &&
+            cd build &&
+            cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE:STRING=Release -DHDF5_ENABLE_ZLIB_SUPPORT:BOOL=ON -DBUILD_SHARED_LIBS:BOOL=OFF -DHDF5_BUILD_FORTRAN:BOOL=OFF -DHDF5_BUILD_JAVA:BOOL=OFF -DHDF5_ENABLE_PARALLEL:BOOL=OFF -DHDF5_BUILD_CPP_LIB:BOOL=OFF -DHDF5_BUILD_HL_LIB:BOOL=OFF -DHDF5_BUILD_EXAMPLES:BOOL=OFF -DHDF5_BUILD_GENERATORS:BOOL=OFF -DHDF5_BUILD_TOOLS:BOOL=OFF -DHDF5_BUILD_UTILS:BOOL=OFF -DBUILD_TESTING:BOOL=OFF .. &&
+            cmake --build . --config Release &&
+            make -j4 &&
+            make install &&
+# Now that all dependencies are installed, we can build FESAPI
+            cd ../.. &&
             mkdir build &&
             cd build &&
             cmake3 -DCMAKE_BUILD_TYPE=Release -DWITH_PYTHON_WRAPPING=TRUE -DCMAKE_INSTALL_PREFIX:STRING=/fesapi-install {project} &&
diff --git a/example/example.cpp b/example/example.cpp
@@ -5786,7 +5786,7 @@ void appendAContinuousProp(const string& filePath)
 }
 
 // filepath is defined in a macro to better check memory leak
-#define filePath u8"../../testingPackageCpp22.epc"
+#define filePath u8"../../testingPackageCpp.epc"
 int main()
 {
 	try {

Original file line number	Diff line number	Diff line change
`@@ -5786,7 +5786,7 @@ void appendAContinuousProp(const string& filePath)`
`5786`	`5786`	`}`
`5787`	`5787`
`5788`	`5788`	`// filepath is defined in a macro to better check memory leak`
`5789`		`-#define filePath u8"../../testingPackageCpp22.epc"`
	`5789`	`+#define filePath u8"../../testingPackageCpp.epc"`
`5790`	`5790`	`int main()`
`5791`	`5791`	`{`
`5792`	`5792`	`try {`