bug#47228: Check binary consistency after grafting with e.g. ldd

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47228: Check binary consistency after grafting with e.g. ldd

From:	Ludovic Courtès
Subject:	bug#47228: Check binary consistency after grafting with e.g. ldd
Date:	Thu, 18 Mar 2021 14:38:16 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi,

(Cc: Leo Famulari who has been taking care of many security issues in
Guix over years.)

Léo Le Bouter <lle-bout@zaclys.net> skribis:

> We had an issue after grafting ImageMagick fixed by <
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd
>>.
>
> Basically Inkscape did not work because ImageMagick's soname had been
> bumped (probably for forward compat?):
>
> /gnu/store/g75q5v1gqi4x08qcf1ydfl9xhp4slmxy-inkscape-
> 1.0.2/bin/.inkscape-real: error while loading shared libraries:
> libMagickCore-6.Q16.so.6: cannot open shared object file: No such file
> or directory
>
> It seems technically possible to automatically check for this kind of
> breakage, therefore I suggest we run ldd (might actually run code from
> the binary) or objdump -x (pure static analysis), so after grafting we
> could check that every binary can load all it's dependents declared in
> the ELF headers successfully and report errors if not?
>
> What do you think?

I don’t think all the testing that needs to be done when grafting can be
automated.

In particular, packagers who want to introduce a replacement for a
library should use libabigail’s ‘abi-diff’ tool to check that the
package and its replacement are ABI-compatible.  It’s also a good idea
to make some quick manual tests.

The .so file symlinks in
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2e0ff59f0cd836b156f1ef2e78791d864ce3cfcd>
look very scary to me.  To me, it’s likely to hide the ABI
incompatibility issue rather than “fix” it.

Léo, please make sure to submit patches for review, as noted in
<https://guix.gnu.org/manual/devel/en/html_node/Commit-Access.html>.
Such changes do not qualify as “trivial” and we should strive to get
more than one pair of eyeballs on it.

Leo F. has always done that, even with years of experience, and I think
it’s been fruitful, even when that meant delaying the patch by a couple
of days.

The good thing with being a “rolling release” distro is that we can
quickly roll out fixes; the bad thing is that we can just as quickly
roll out bugs.  :-)

Thanks,
Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47228: Check binary consistency after grafting with e.g. ldd, Léo Le Bouter, 2021/03/18
- bug#47228: Check binary consistency after grafting with e.g. ldd, Ludovic Courtès <=
  - bug#47228: Check binary consistency after grafting with e.g. ldd, Léo Le Bouter, 2021/03/19
    - bug#47228: Check binary consistency after grafting with e.g. ldd, Ludovic Courtès, 2021/03/19

Prev by Date: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)
Next by Date: bug#47226: fennel package not working with generic-html refresh updater
Previous by thread: bug#47228: Check binary consistency after grafting with e.g. ldd
Next by thread: bug#47228: Check binary consistency after grafting with e.g. ldd
Index(es):
- Date
- Thread