On Thu, 08 Nov 2018 09:50:23 +0100 ludo@gnu.org (Ludovic Courtès) wrote: > Hello, > > Danny Milosavljevic skribis: > > > I think it would be good to have guix check for closed-source > > binaries after unpacking, automatically (including jar files with > > class files in them). > > Oh right, jars are certainly quite common, more than .so files. > > >> > No idea if it's worth the trouble/performance hit/false-positive > >> > rate, of course. That's for the ner^Wgods to decide. > >> > >> Yeah I wonder if it would be fruitful. > > > > Marking known-good binaries (whitelisting) is still better than > > hoping we notice some closed-source binary (blacklisting). > > > > It would be a conspicious reminder of what we still have to do - as > > opposed to the situation now where it's mostly in someone's head > > (if at all). > > Yeah, that makes sense. > > What about adding such a phase in %standard-phases in > core-updates-next? I guess it could check for files that match > ‘elf-file?’ or ‘ar-file?’ and for *.jar. WDYT? > > We must make add a keyword parameter in ‘gnu-build-system’ to make it > easy to disable it and/or to skip specific files. That is definitively a good idea. One of my review-tasks is this: [] Binaries included? If yes, created a snipped? find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.pdf" -or -name "*.dsy" -or -name "*.jar" -or -name "*.exe" Should this be a phase of the build system? Or just a linter, that was my first idea? If it is a build-system-phase, it should probably go to core-updates and beforehand someone must rebuild the world. I'm sure at least for Java there are some JARs remaining and I had the plan to fold-packages through them, but that had low priority. Björn