Bug 2164250

Summary: Possibly unacceptable content packaged in Fedora: bundled abe.jar
Product: [Fedora] Fedora Reporter: Jan Pokorný [poki] <fedora>
Component: adb-enhancedAssignee: Fabian Affolter <mail>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: mail, rfontana
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 182235    

Description Jan Pokorný [poki] 2023-01-24 22:28:31 UTC 
Friends don't let friends use binary bits of unknown origins,
not to speak of Fedora Packaging Guidelines violations, and
possible breach of bringing proprietary SW into libre-licenses
seeking distribution.

Was rather shocked that once I confused adb from android-tools
with adbe package, I observed a JAR file being installed along,
and indeed, this file is not built from sources:

https://github.com/ashishb/adb-enhanced/commit/c90b6b31700ebb117e50c3d03ab5fda38ced15b9

and -- AFAIK -- therefore forbidden from Fedora proper unless
an exception was granted, which does not seem to be the case,
see [bug 1814795].  In the same vein, the reviewer apparently
checked out something that should not have been in the first
place (for one if there are more eligible):

> [x]: Sources contain only permissible code or content.

And sadly, that's just for a starter.

The other possible problem related to "binary blob carried from
upstream", even if it was allowed, is that code that you don't
have sources to is totally non-transparent, which is just a step
from being actively harmful.  Lo and behold, when thrown into
VirusTotal.com, at least a single AV engine recognizes that JAR
as having traits of something previously recognized as malicious:

https://www.virustotal.com/gui/file/2a6e4d0d4bd77c94d0e09baade739596c35d73bb91cc79a17930e1574c41f272

This admittedly might be a false positive (previous scan for
the file of the same hash was showing all-green), but do
friends let friends expose themselves to unjustified risks?

Enthusiasm of everyone involved in bringing new kinds of
out-of-the-box "versatility" to Fedora is indeed admirable
and all, but I am afraid it went way too wrong here, nothing short
of a textbook example of how not to do it, that is, how recklessly.

Please, drop that JAR file from the package immediately, and try
to find a way of how to restore it by building it from sources
as expected in Fedora context, assuming the sources are likewise
under licensing that Fedora permits.

That being said, setting this bug as a blocker for [FE-Legal],
and rushing to remove that accidentally installed package locally.
As mentioned, I've meant to install android-tools anyway, but
at least this critical double-check emerged from this thinko.
Comment 1 Jan Pokorný [poki] 2023-01-24 22:44:29 UTC 
OK, apksigner.jar can possibly be built anew using public sources
that appear to be under Apache-2.0 (SPDX notation) license:

https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkSigner.java

But then it might be a good idea to package it separately and
for the purpose of Fedora downstream, make adb-enhanced contain
a respective symlink into where the file is placed by that other
package, which would consequently become its "Requires:" specified
dependency.

Thanks for considering these circumstances and options.
Comment 2 Richard Fontana 2023-01-24 23:04:07 UTC 
I can't speak to the Fedora packaging guidelines, but from the Fedora legal standpoint, this package (at least in this form) must be removed from Fedora.
Comment 3 Ben Cotton 2023-02-07 15:06:21 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.
Comment 4 Fabian Affolter 2023-02-19 00:37:49 UTC 
> # Uses abe.jar taken from https://sourceforge.net/projects/adbextractor/

abe (https://github.com/nelenkov/android-backup-extractor) uses ASL 2.0.

abe.jar and apksigner.jar should definitly not be part of the package.
Comment 5 Aoife Moloney 2024-05-07 15:55:58 UTC 
This message is a reminder that Fedora Linux 38 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '38'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 38 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.