bug#33300: Automatically detecting binaries in source tarballs

[Danny Milosavljevic <dannym@scratchpost.org>]

[-- Attachment #1: Type: text/plain, Size: 1722 bytes --]

Hi,

I think it would be good to have guix check for closed-source binaries after
unpacking, automatically (including jar files with class files in them).

Even when I know that they are there, I sometimes forget to delete them.  In
the long run it could even auto-delete those, but I guess only after a looong
time of integration.

> > Aside, -ish: looks like most distributions there found out about this
> > file due to some failing sanity check. Perhaps we could add our own,
> > in ‘guix lint’ or at build time, to warn about ELF files and other
> > suspicious binaries in post-snippet sourceballs?  

That would be great.

> Commit b17004f9f9541acbd07b45e35222e431427bfde0 added a -Wl,-rpath flag;
> perhaps that was due to address an error in libImageProcessor.so
> detected by ‘validate-runpath’?
> 
> That said, we could have a post-unpack phase that fails when ELF files
> are found.  The problem is that there are exceptions, in particular
> “yogurt software” (compilers, mostly).  So we’d have to manually fix
> every exception.
> 
> > No idea if it's worth the trouble/performance hit/false-positive rate,
> > of course. That's for the ner^Wgods to decide.  
> 
> Yeah I wonder if it would be fruitful.

Marking known-good binaries (whitelisting) is still better than hoping
we notice some closed-source binary (blacklisting).

It would be a conspicious reminder of what we still have to do - as
opposed to the situation now where it's mostly in someone's head
(if at all).

Once we finish the bootstrapping effort, the source tarballs won't
need to contain any binaries anymore anyway :)

I wonder just how many whitelist entries that would be, though.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]