[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#33300: Automatically detecting binaries in source tarballs
From: |
Björn Höfling |
Subject: |
bug#33300: Automatically detecting binaries in source tarballs |
Date: |
Fri, 9 Nov 2018 00:11:34 +0100 |
On Thu, 08 Nov 2018 09:50:23 +0100
address@hidden (Ludovic Courtès) wrote:
> Hello,
>
> Danny Milosavljevic <address@hidden> skribis:
>
> > I think it would be good to have guix check for closed-source
> > binaries after unpacking, automatically (including jar files with
> > class files in them).
>
> Oh right, jars are certainly quite common, more than .so files.
>
> >> > No idea if it's worth the trouble/performance hit/false-positive
> >> > rate, of course. That's for the ner^Wgods to decide.
> >>
> >> Yeah I wonder if it would be fruitful.
> >
> > Marking known-good binaries (whitelisting) is still better than
> > hoping we notice some closed-source binary (blacklisting).
> >
> > It would be a conspicious reminder of what we still have to do - as
> > opposed to the situation now where it's mostly in someone's head
> > (if at all).
>
> Yeah, that makes sense.
>
> What about adding such a phase in %standard-phases in
> core-updates-next? I guess it could check for files that match
> ‘elf-file?’ or ‘ar-file?’ and for *.jar. WDYT?
>
> We must make add a keyword parameter in ‘gnu-build-system’ to make it
> easy to disable it and/or to skip specific files.
That is definitively a good idea.
One of my review-tasks is this:
[] Binaries included? If yes, created a snipped?
find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.pdf"
-or -name "*.dsy" -or -name "*.jar" -or -name "*.exe"
Should this be a phase of the build system? Or just a linter, that was
my first idea?
If it is a build-system-phase, it should probably go to core-updates
and beforehand someone must rebuild the world. I'm sure at least for
Java there are some JARs remaining and I had the plan to fold-packages
through them, but that had low priority.
Björn
pgp18eL4HNyqQ.pgp
Description: OpenPGP digital signature