Bug 232982 - rpmlint doesn't detect binaries in archives used in specs

Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 6
Hardware/OS: All Linux
Priority: medium    Severity: medium
Assigned To: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-03-19 14:57 EDT by Bernard Johnson
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-03-26 16:40:51 EDT
Doc Type: Bug Fix
Attachments:
  example file (629.46 KB, application/x-rpm), 2007-03-19 14:57 EDT, Bernard Johnson
Description Bernard Johnson 2007-03-19 14:57:47 EDT
Description of problem:
The Source0 archive in the attached SRPM includes an ELF binary.  rpmlint on the
SRPM doesn't produce an error.

Version-Release number of selected component (if applicable):
rpmlint-0.79-1.fc6

How reproducible:
Always
Comment 1 Bernard Johnson 2007-03-19 14:57:47 EDT
Created attachment 150415 [details]
example file
Comment 2 Ville Skyttä 2007-03-26 16:40:51 EDT
Hmm, I'm not sure if this is much of a problem if the ELF binary is not actually
used for anything, and checking whether it is used for something during package
build is beyond rpmlint's capabilities, I'm afraid.

Additionally, there is no infrastructure in rpmlint for extracting SourceX
tarballs and friends.  And emitting warning about those binaries could lead to
people removing the binaries and shipping modified tarballs which cannot be that
easily verified against upstream after the deed is done, and that can be argued
to be a bigger problem than just using vanilla upstream tarballs and making sure
anything unwanted in them is not used.

Short version: if there's a patch, I can have a look, but it's unlikely I will
personally spend time on this anytime soon (and no promises about later either);
it's quite a bit of work for a smallish gain which can be also argued to be
harmful, depending on opinion.

Feel free to reopen here if you disagree and want to try to convince me otherwise
(preferably with patches included ;)), or in upstream Trac
(http://rpmlint.zarb.org) if you want other rpmlint devs' opinions.
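The comment above describes two things rpmlint lacked: a way to look inside the SourceX archives, and a way to flag native binaries without pushing packagers toward re-rolled tarballs that can no longer be checked against upstream. The following is an added example, not rpmlint's code and not part of this bug; it shows the minimum such a check would have to do. It assumes the Source archive is a tar file that Python's tarfile module can read (unpacking the SRPM itself with rpm2cpio is not done here), uses a made-up warning name `binary-in-source-archive`, and scans a sample tarball constructed in memory. Every finding is reported next to the SHA-256 of the untouched archive, so a reviewer can record the upstream digest rather than modify the tarball:

```python
"""Added example (not rpmlint's own code): scan a source tarball for native
binaries and record the archive's SHA-256 so the unmodified upstream tarball
can still be verified later.

Assumptions: the archive is a tar file readable by tarfile (.tar, .tar.gz,
.tar.bz2, .tar.xz); the SRPM itself is not unpacked here.  The sample tarball
is constructed in memory for the demonstration.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes of common native executable / object formats.
MAGICS = [
    (b"\x7fELF", "elf"),             # ELF executable, shared object or .o
    (b"MZ", "pe"),                   # DOS/Windows PE executable
    (b"!<arch>\n", "ar"),            # ar archive, e.g. a static library (.a)
    (b"\xfe\xed\xfa\xce", "mach-o"),
    (b"\xfe\xed\xfa\xcf", "mach-o"),
    (b"\xce\xfa\xed\xfe", "mach-o"),
    (b"\xcf\xfa\xed\xfe", "mach-o"),
]


@dataclass
class Finding:
    member: str   # path inside the tarball
    size: int     # member size in bytes
    kind: str     # which format's magic matched


def classify(head: bytes) -> Optional[str]:
    """Return the binary format name if `head` starts with a known magic."""
    for magic, kind in MAGICS:
        if head.startswith(magic):
            return kind
    return None


def scan_archive(data: bytes) -> Tuple[str, List[Finding]]:
    """Scan every regular file in a tarball given as bytes.

    Returns the SHA-256 of the archive bytes and the members whose first
    bytes match a native binary format.  Only 8 bytes per member are read,
    so large tarballs are cheap to check.
    """
    digest = hashlib.sha256(data).hexdigest()
    findings: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            fh = tf.extractfile(member)
            if fh is None:
                continue
            kind = classify(fh.read(8))
            if kind is not None:
                findings.append(Finding(member.name, member.size, kind))
    return digest, findings


def build_sample_tarball() -> bytes:
    """Constructed sample: a small project tree with two stray binaries."""
    elf = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56        # fake ELF header
    static_lib = b"!<arch>\nhelper.o/" + b" " * 48 + b"\n"  # fake .a archive
    members = [
        ("foo-1.0/Makefile", b"all:\n\tcc -o foo foo.c\n"),
        ("foo-1.0/foo.c", b"int main(void) { return 0; }\n"),
        ("foo-1.0/tools/helper", elf),
        ("foo-1.0/lib/libfoo.a", static_lib),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def report(data: bytes) -> str:
    """One line per finding plus the archive digest.

    The warning name `binary-in-source-archive` is assumed for this example;
    it is not an rpmlint check name.
    """
    digest, findings = scan_archive(data)
    lines = [f"archive sha256: {digest}"]
    for f in findings:
        lines.append(f"W: binary-in-source-archive {f.member} ({f.kind}, {f.size} bytes)")
    if not findings:
        lines.append("no native binaries found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_tarball()))
```

Because only the leading bytes of each member are inspected, the scan does not need to unpack the archive to disk, and nothing it reports requires the tarball to be changed: the digest line is what a reviewer compares against the upstream-published checksum.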
Comment 3 Bernard Johnson 2007-03-26 17:06:53 EDT
It's unclear to me whether it is required or not to remove binaries from source
distributions.  This draft is available:
http://fedoraproject.org/wiki/PackagingDrafts/SourceRequirement but it is
unclear to me whether this covers the RPM or both the RPM and SRPM.

If it is required, there should definitely be a check of this sort.

If it's not required, then we should make the packaging guidelines clearer in
that respect.

This began when I recently repackaged a source tarball to remove a binary, and
rpmlint didn't warn that it was there to begin with.  My reviewer told me to
remove it after I brought up the issue with him.

Personally, I don't care if the binary is in the source tarball because if
someone is messing with the source/srpm I generally look at it as "they must
know what they're doing".  However, it is a good point that the binary could be
a payload for a virus or trojan and we certainly wouldn't want the possibility
of that in our source.

You're on the packaging committee... you tell me :)

Seriously, if you don't mind, throw this topic in front of the committee at the
next meeting.
