From: "Björn Höfling" <bjoern.hoefling@bjoernhoefling.de>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 33300@debbugs.gnu.org
Subject: bug#33300: Automatically detecting binaries in source tarballs
Date: Fri, 9 Nov 2018 00:11:34 +0100 [thread overview]
Message-ID: <20181109001134.3cccd949@alma-ubu> (raw)
In-Reply-To: <87y3a454xc.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 1858 bytes --]
On Thu, 08 Nov 2018 09:50:23 +0100
ludo@gnu.org (Ludovic Courtès) wrote:
> Hello,
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
> > I think it would be good to have guix check for closed-source
> > binaries after unpacking, automatically (including jar files with
> > class files in them).
>
> Oh right, jars are certainly quite common, more than .so files.
>
> >> > No idea if it's worth the trouble/performance hit/false-positive
> >> > rate, of course. That's for the ner^Wgods to decide.
> >>
> >> Yeah I wonder if it would be fruitful.
> >
> > Marking known-good binaries (whitelisting) is still better than
> > hoping we notice some closed-source binary (blacklisting).
> >
> > It would be a conspicious reminder of what we still have to do - as
> > opposed to the situation now where it's mostly in someone's head
> > (if at all).
>
> Yeah, that makes sense.
>
> What about adding such a phase in %standard-phases in
> core-updates-next? I guess it could check for files that match
> ‘elf-file?’ or ‘ar-file?’ and for *.jar. WDYT?
>
> We must make add a keyword parameter in ‘gnu-build-system’ to make it
> easy to disable it and/or to skip specific files.
That is definitively a good idea.
One of my review-tasks is this:
[] Binaries included? If yes, created a snipped?
find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.pdf" -or -name "*.dsy" -or -name "*.jar" -or -name "*.exe"
Should this be a phase of the build system? Or just a linter, that was
my first idea?
If it is a build-system-phase, it should probably go to core-updates
and beforehand someone must rebuild the world. I'm sure at least for
Java there are some JARs remaining and I had the plan to fold-packages
through them, but that had low priority.
Björn
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2018-11-08 23:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-07 10:19 bug#33300: hplip 3.18.9 contains non-free binary blobs Ludovic Courtès
2018-11-07 12:48 ` Efraim Flashner
2018-11-07 14:34 ` Ludovic Courtès
2018-11-07 13:09 ` Tobias Geerinckx-Rice
2018-11-07 14:41 ` Ludovic Courtès
2018-11-07 23:57 ` bug#33300: Automatically detecting binaries in source tarballs Danny Milosavljevic
2018-11-08 8:50 ` Ludovic Courtès
2018-11-08 23:11 ` Björn Höfling [this message]
2018-11-11 7:23 ` Efraim Flashner
2018-11-11 17:28 ` Ludovic Courtès
2018-11-11 17:30 ` bug#33300: hplip 3.18.9 contains non-free binary blobs Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181109001134.3cccd949@alma-ubu \
--to=bjoern.hoefling@bjoernhoefling.de \
--cc=33300@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).