From: Björn Höfling
Subject: bug#33300: Automatically detecting binaries in source tarballs
Date: Fri, 9 Nov 2018 00:11:34 +0100
Message-ID: <20181109001134.3cccd949@alma-ubu>
In-Reply-To: <87y3a454xc.fsf@gnu.org>
To: Ludovic Courtès
Cc: 33300@debbugs.gnu.org

On Thu, 08 Nov 2018 09:50:23 +0100
ludo@gnu.org (Ludovic Courtès) wrote:

> Hello,
>
> Danny Milosavljevic skribis:
>
> > I think it would be good to have guix check for closed-source
> > binaries after unpacking, automatically (including jar files with
> > class files in them).
>
> Oh right, jars are certainly quite common, more than .so files.
>
> >> > No idea if it's worth the trouble/performance hit/false-positive
> >> > rate, of course. That's for the ner^Wgods to decide.
> >>
> >> Yeah I wonder if it would be fruitful.
> >
> > Marking known-good binaries (whitelisting) is still better than
> > hoping we notice some closed-source binary (blacklisting).
> >
> > It would be a conspicuous reminder of what we still have to do - as
> > opposed to the situation now where it's mostly in someone's head
> > (if at all).
>
> Yeah, that makes sense.
>
> What about adding such a phase in %standard-phases in
> core-updates-next? I guess it could check for files that match
> ‘elf-file?’ or ‘ar-file?’ and for *.jar. WDYT?
>
> We must add a keyword parameter in ‘gnu-build-system’ to make it
> easy to disable it and/or to skip specific files.

That is definitely a good idea.

One of my review tasks is this:

[] Binaries included? If yes, created a snippet?

find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.dsy" -or -name "*.jar" -or -name "*.exe"

Should this be a phase of the build system? Or just a linter, as was my
first idea?

If it is a build-system phase, it should probably go to core-updates
and beforehand someone must rebuild the world.

I'm sure at least for Java there are some JARs remaining and I had the
plan to fold-packages through them, but that had low priority.

Björn
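As an added illustration of the check discussed above (this is not Guix code and not part of the thread): a stand-alone Python scanner that walks an unpacked source tree and flags ELF objects, ar archives and JARs that actually contain .class entries, using the standard magic bytes rather than file names, so a renamed .so is still caught while a sources.jar is not. It also takes an allowlist of known-good relative paths, the skip-list parameter proposed for the build system; the sample tree it scans is constructed inline, and the name `skip` is an assumption, not a Guix keyword.

```python
"""Added example (not Guix code): detect binaries left in an unpacked
source tree, the check the thread proposes as a build phase or linter.

Assumptions: the magic bytes below are the standard ELF, ar and zip
signatures; the `skip` allowlist is a hypothetical stand-in for the
keyword parameter the thread asks for."""
import os
import tempfile
import zipfile

ELF_MAGIC = b"\x7fELF"      # ELF object, shared library or executable
AR_MAGIC = b"!<arch>\n"     # static archive (.a)
ZIP_MAGIC = b"PK\x03\x04"   # zip local-file header; JARs are zips


def classify(path):
    """Return 'elf', 'ar', 'jar-with-classes' or None for one file.

    A JAR counts only if it carries compiled .class entries: a
    sources.jar or a javadoc jar is a zip too but is not a binary."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(AR_MAGIC):
        return "ar"
    if head.startswith(ZIP_MAGIC) and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            if any(n.endswith(".class") for n in zf.namelist()):
                return "jar-with-classes"
    return None


def scan_tree(root, skip=()):
    """Walk ROOT; return sorted (relative path, kind) for every hit.

    SKIP is the allowlist of known-good relative paths (hypothetical
    equivalent of the per-package skip-files parameter)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in skip:
                continue
            kind = classify(full)
            if kind is not None:
                findings.append((rel, kind))
    return sorted(findings)


def make_sample_tree(root):
    """Constructed sample tarball contents, not from any real package."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "doc"))
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("plain text, no binary\n")
    # Minimal ELF64 header prefix: magic, class, data, version.
    with open(os.path.join(root, "lib", "libfoo.so"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    # ar archive with one empty member header (60 bytes, ends in "`\n").
    with open(os.path.join(root, "lib", "libfoo.a"), "wb") as fh:
        fh.write(AR_MAGIC + b"foo.o/".ljust(16) + b"0".ljust(12)
                 + b"0".ljust(6) + b"0".ljust(6) + b"644".ljust(8)
                 + b"0".ljust(10) + b"`\n")
    # A JAR carrying compiled classes (0xCAFEBABE is the class magic).
    with zipfile.ZipFile(os.path.join(root, "lib", "deps.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4)
    # A sources JAR: a zip, but no classes, so it must not be flagged.
    with zipfile.ZipFile(os.path.join(root, "doc", "sources.jar"), "w") as zf:
        zf.writestr("com/example/Foo.java", "class Foo {}\n")


def demo(skip=()):
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_tree(root, skip=skip)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:18} {rel}")
```

Run as a script it lists `lib/deps.jar`, `lib/libfoo.a` and `lib/libfoo.so` and stays silent on the README and the sources JAR; passing `skip=("lib/deps.jar",)` models the allowlisted known-good binary that a package would declare once and then stop being warned about.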