From: Efraim Flashner
Subject: bug#33300: Automatically detecting binaries in source tarballs
Date: Sun, 11 Nov 2018 09:23:34 +0200
Message-ID: <20181111072334.GF1206@macbook41>
In-Reply-To: <20181109001134.3cccd949@alma-ubu>
To: Björn Höfling
Cc: 33300@debbugs.gnu.org

On Fri, Nov 09, 2018 at 12:11:34AM +0100, Björn Höfling wrote:
> On Thu, 08 Nov 2018 09:50:23 +0100
> ludo@gnu.org (Ludovic Courtès) wrote:
>
> > Hello,
> >
> > Danny Milosavljevic skribis:
> >
> > > I think it would be good to have guix check for closed-source
> > > binaries after unpacking, automatically (including jar files with
> > > class files in them).
> >
> > Oh right, jars are certainly quite common, more than .so files.
> >
> > >> > No idea if it's worth the trouble/performance hit/false-positive
> > >> > rate, of course. That's for the ner^Wgods to decide.
> > >>
> > >> Yeah I wonder if it would be fruitful.
> > >
> > > Marking known-good binaries (whitelisting) is still better than
> > > hoping we notice some closed-source binary (blacklisting).
> > >
> > > It would be a conspicuous reminder of what we still have to do - as
> > > opposed to the situation now where it's mostly in someone's head
> > > (if at all).
> >
> > Yeah, that makes sense.
> >
> > What about adding such a phase in %standard-phases in
> > core-updates-next? I guess it could check for files that match
> > ‘elf-file?’ or ‘ar-file?’ and for *.jar. WDYT?
> >
> > We must add a keyword parameter in ‘gnu-build-system’ to make it
> > easy to disable it and/or to skip specific files.
>
> That is definitely a good idea.
>
> One of my review-tasks is this:
>
> [] Binaries included? If yes, created a snippet?
> find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.pdf" -or -name "*.dsy" -or -name "*.jar" -or -name "*.exe"

Also "*.so" or "*.a" I assume. For Python we'd want to grep the source
files for "Generated by Cython".

>
> Should this be a phase of the build system? Or just a linter, that was
> my first idea?

I'd go with a phase.

>
> If it is a build-system-phase, it should probably go to core-updates
> and beforehand someone must rebuild the world. I'm sure at least for
> Java there are some JARs remaining and I had the plan to fold-packages
> through them, but that had low priority.
>
> Björn

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[PGP signature omitted]
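The check the thread converges on (files matching ‘elf-file?’ or ‘ar-file?’ plus jars carrying class files, with a whitelist of known-good files as Danny proposes, extended with the *.so/*.a and "Generated by Cython" cases from the reply above), written up here as an added Python example rather than a Guile build phase. It is not Guix code: the magic-byte tests that stand in for ‘elf-file?’/‘ar-file?’, the function names and the sample files are all my own assumptions.

```python
import io, os, pathlib, re, tempfile, zipfile

ELF_MAGIC = b"\x7fELF"     # same leading bytes Guix's elf-file? checks (assumed; not Guix code)
AR_MAGIC = b"!<arch>\n"    # likewise the ar(1) archive magic that ar-file? checks
CYTHON_MARK = re.compile(rb"Generated by Cython")

def classify(path):
    """Return why `path` looks like a prebuilt or generated artefact, or None if it looks clean."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(ELF_MAGIC):
        return "ELF object"
    if head.startswith(AR_MAGIC):
        return "ar archive (.a)"
    if zipfile.is_zipfile(path):  # a .jar is a zip: flag it only if it carries bytecode
        with zipfile.ZipFile(path) as z:
            if any(n.endswith(".class") for n in z.namelist()):
                return "jar with compiled .class files"
    if path.endswith((".c", ".cpp", ".cc")) and CYTHON_MARK.search(head):
        return "Cython-generated C source"  # Cython output is C text: grep its header comment
    return None

def scan_tree(root, allowed=()):
    """Walk `root`; return {relative path: reason} for each hit not on the `allowed` whitelist."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reason = None if rel in allowed else classify(full)  # whitelisted files are skipped
            if reason:
                hits[rel] = reason
    return hits

def demo(allowed=("vendored.jar",)):
    """Scan a constructed stand-in for an unpacked tarball; by default the jar is whitelisted."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("Foo.class", b"\xca\xfe\xba\xbe")  # class-file magic, as a jar member
    files = {  # constructed sample files, one per detector plus a clean C file
        "libfoo.so": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61,
        "libfoo.a": AR_MAGIC + b"foo.o/          0  0  0  644  4  `\nabcd",
        "vendored.jar": jar.getvalue(),
        "fast.c": b"/* Generated by Cython 0.29.21 */\nint x;\n",
        "hello.c": b"int main(void) { return 0; }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            pathlib.Path(root, name).write_bytes(data)
        return scan_tree(root, allowed=set(allowed))
```

A jar that holds only sources is deliberately not flagged, matching the thread's concern with compiled class files rather than the .jar extension itself.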