From mboxrd@z Thu Jan 1 00:00:00 1970
From: Danny Milosavljevic
Subject: bug#33300: Automatically detecting binaries in source tarballs
Date: Thu, 8 Nov 2018 00:57:01 +0100
Message-ID: <20181108005701.2e76fd3d@scratchpost.org>
In-Reply-To: <87zhult0fb.fsf@gnu.org>
References: <87sh0dur48.fsf@gnu.org> <875zx9dof1.fsf@nckx> <87zhult0fb.fsf@gnu.org>
To: Ludovic Courtès
Cc: 33300@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Hi,

I think it would be good to have guix check for closed-source binaries
after unpacking, automatically (including jar files with class files in
them). Even when I know that they are there, I sometimes forget to delete
them.

In the long run it could even auto-delete those, but I guess only after a
looong time of integration.
> > Aside, -ish: looks like most distributions there found out about this
> > file due to some failing sanity check. Perhaps we could add our own,
> > in ‘guix lint’ or at build time, to warn about ELF files and other
> > suspicious binaries in post-snippet sourceballs?

That would be great.

> Commit b17004f9f9541acbd07b45e35222e431427bfde0 added a -Wl,-rpath flag;
> perhaps that was due to address an error in libImageProcessor.so
> detected by ‘validate-runpath’?
>
> That said, we could have a post-unpack phase that fails when ELF files
> are found. The problem is that there are exceptions, in particular
> “yogurt software” (compilers, mostly). So we’d have to manually fix
> every exception.
>
> > No idea if it's worth the trouble/performance hit/false-positive rate,
> > of course. That's for the ner^Wgods to decide.
>
> Yeah I wonder if it would be fruitful.

Marking known-good binaries (whitelisting) is still better than hoping we
notice some closed-source binary (blacklisting). It would be a conspicuous
reminder of what we still have to do - as opposed to the situation now
where it's mostly in someone's head (if at all).

Once we finish the bootstrapping effort, the source tarballs won't need to
contain any binaries anymore anyway :)

I wonder just how many whitelist entries that would be, though.
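The post-unpack check discussed in this thread (flag ELF objects and jars that carry `.class` files, then whitelist the known-good exceptions such as bootstrap compilers) can be sketched as a small standalone scanner. This is an added example, not code from Guix or from anyone on this thread; it assumes a plain unpacked directory as input, identifies ELF files by their magic bytes rather than by extension, and treats the whitelist as shell-style path patterns. The sample tree it builds (`lib/libImageProcessor.so`, `bootstrap/compiler.jar`, `docs.zip`) is constructed for the demo; only the `libImageProcessor.so` name comes from the thread.

```python
"""Scan an unpacked source tree for pre-built binaries (added example).

Flags ELF objects by magic bytes and zip/jar archives containing .class
entries, then splits the hits into "suspicious" and "whitelisted" so that
known-good exceptions are a visible, reviewed list rather than a blind spot.
"""
import os
import tempfile
import zipfile
from fnmatch import fnmatch

ELF_MAGIC = b"\x7fELF"      # first four bytes of every ELF object
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty zip/jar


def classify(path):
    """Return 'elf', 'jar' or None for one regular file."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head == ZIP_MAGIC:
        # A zip only counts as a binary if it ships compiled Java classes;
        # an archive of documentation is not a problem.
        try:
            with zipfile.ZipFile(path) as zf:
                if any(name.endswith(".class") for name in zf.namelist()):
                    return "jar"
        except zipfile.BadZipFile:
            return None
    return None


def scan_tree(root, whitelist=()):
    """Walk root; return (suspicious, whitelisted) lists of (relpath, kind).

    whitelist holds fnmatch patterns relative to root, e.g. 'bootstrap/*.jar'.
    """
    suspicious, whitelisted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # never follow links out of the tree
                continue
            kind = classify(full)
            if kind is None:
                continue
            rel = os.path.relpath(full, root)
            if any(fnmatch(rel, pat) for pat in whitelist):
                whitelisted.append((rel, kind))
            else:
                suspicious.append((rel, kind))
    return sorted(suspicious), sorted(whitelisted)


def build_sample_tree(root):
    """Constructed fixture standing in for an unpacked source tarball."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    os.makedirs(os.path.join(root, "bootstrap"), exist_ok=True)
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("plain text, nothing to see\n")
    # Minimal fake ELF: magic + a few header bytes (constructed, not a real object).
    with open(os.path.join(root, "lib", "libImageProcessor.so"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 57)
    # A jar carrying a .class entry: the "yogurt software" case (constructed name).
    with zipfile.ZipFile(os.path.join(root, "bootstrap", "compiler.jar"), "w") as zf:
        zf.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
    # A zip with no classes must not be flagged.
    with zipfile.ZipFile(os.path.join(root, "docs.zip"), "w") as zf:
        zf.writestr("manual.txt", "no classes here")


def demo():
    """Build the sample tree, scan it with one whitelist entry, return the result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, whitelist=["bootstrap/*.jar"])


if __name__ == "__main__":
    suspicious, whitelisted = demo()
    for rel, kind in suspicious:
        print(f"SUSPICIOUS {kind}: {rel}")
    for rel, kind in whitelisted:
        print(f"whitelisted {kind}: {rel}")
```

Wired into a build phase, a non-empty `suspicious` list would be the failure condition, while the `whitelisted` list is the conspicuous reminder of what still has to be bootstrapped away.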