Enable Ruff rule family "N" and "S"

[DanielYang59]

Summary

Follow up #3871:

• Enable Ruff rule family "N", fix violation of NPY002 (the use of legacy np.random)

  NumPy recommends using a dedicated Generator instance rather than the random variate generation methods exposed directly on the random module, as the new Generator is both faster and has better statistical properties.

• Enable Ruff rule family "S", for security related checks.
• Replace standard lib random with np.random

[DanielYang59]

Commit 26ccb85 need careful confirmation and discussion.

Ruff rule S607 prevents "partial executable path (relative path)" which might be hijacked by modifying the PATH.

However I'm concerned about the consistency of absolute paths for these binaries across different OS, as I'm not 100% sure they would reside in the same position.

Also applying this fix avoids the PATH being searched altogether (losing the flexibility to put binary at any dir in PATH), perhaps we want to ignore this rule instead?

[janosh]

pinging @mkhorton to let you know @DanielYang59 switched to a new hash algo for the VASP input sets (presumably recommended by some ruff rule?) and updated the known_hashes accordingly

[DanielYang59]

Yes #3892 (comment)

The primary vulnerability of SHA-1 is its collision resistance, which means that it is possible to find two different messages that produce the same hash value.

[janosh]

not sure we can hard-code /usr/bin/tar here. leaving it at tar will search everything on the user's path, not just 1 directory

[DanielYang59]

I was quite concerned about these changes as well (the absolute path consistency across different OS), #3892 (comment), as security is not a core concern for pymatgen (probably?). Explicitly using the absolute path could avoid PATH hijacking

[DanielYang59]

@janosh I'm still pretty concerned about commit 26ccb85 which includes using the absolute path for the following:

• /usr/bin/gunzip
• /usr/bin/gzip
• /usr/bin/make
• /usr/bin/tar
• /bin/cp

There are pretty basic packages but owing to the huge diversities of Linux distro, I'm unsure if there would be any exception. According to ChatGPT 4o:

the Filesystem Hierarchy Standard (FHS) provides guidelines and standards for directory structures and file placements in Unix-like operating systems, including Linux. The FHS is maintained by the Linux Foundation.

Here are some relevant points from the FHS regarding the locations of these binaries:

/bin: This directory contains essential command binaries that are required for single-user mode and for all users (e.g., cp, ls, cat).

/usr/bin: This directory contains the majority of user commands. Binaries that are not essential for system boot or repair but are intended for use by all users are placed here. This includes binaries like gzip, gunzip, make, and tar.

It should be quite safe IMO.

[DanielYang59]

@rkingsbury Can I get some confirmation on this change please, thanks:)

1. I didn't see double quotes being used here, so I assume it's safe to remove this note. (The other note at line 172 is valid)
2. I believe it's safe to remove the black tag fmt: on/off here? As I'm not seeing pre-commit formatting this file here (running black directly would indeed wrap some lines, but we're not replying on black being the formatter).

[janosh]

this was probably carelessly refactored by me at some point as !r results in single quotes. thanks for pointing this out. let's go back to what i think was the original state

f'structure "{fname}"\n'

[rkingsbury]

At the time I added this, packmol was VERY pecuiliar about things like single vs. double quotes in the input file. I believe I opened an issue about it at the time, and they fixed the behavior to be a little less finicky. In principle as long as the packmol unit tests pass I think we should be OK, but it might be wise to see if someone can do some additional manual testing as well.

[DanielYang59]

Thanks a lot for the additional input and confirmation. And ping me at anytime if anything doesn't look right, thanks!

[janosh]

thanks @DanielYang59! 👍