Bug 232982 - rpmlint doesn't detect binaries in archives used in specs
Summary: rpmlint doesn't detect binaries in archives used in specs
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-19 18:57 UTC by Bernard Johnson
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-26 20:40:51 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
example file (629.46 KB, application/x-rpm)
2007-03-19 18:57 UTC, Bernard Johnson
no flags Details

Description Bernard Johnson 2007-03-19 18:57:47 UTC
Description of problem:

Version-Release number of selected component (if applicable):
rpmlint-0.79-1.fc6

How reproducible:
Always

The Source0 archive in the attached SRPM includes an ELF binary.  rpmlint on the
SRPM doesn't produce an error.

Comment 1 Bernard Johnson 2007-03-19 18:57:47 UTC
Created attachment 150415 [details]
example file

Comment 2 Ville Skyttä 2007-03-26 20:40:51 UTC
Hmm, I'm not sure if this is much of a problem if the ELF binary is not actually
used for anything, and checking whether it is used for something during package
build is beyond rpmlint's capabilities, I'm afraid.

Additionally, there is no infrastructure in rpmlint for extracting SourceX
tarballs and friends.  And emitting warning about those binaries could lead to
people removing the binaries and shipping modified tarballs which cannot be that
easily verified against upstream after the deed is done, and that can be argued
to be a bigger problem than just using vanilla upstream tarballs and making sure
anything unwanted in them are not used.

Short version: if there's a patch, I can have a look, but it's unlikely I will
personally spend time on this anytime soon (and no promises about later either);
it's quite a bit of work for a smallish gain which can be also argued to be
harmful, depending on opinion.

Feel free to reopen here if you disagree and want to try convince me otherwise
(preferably with patches included ;)), or in upstream Trac
(http://rpmlint.zarb.org) if you want other rpmlint devs' opinions.

Comment 3 Bernard Johnson 2007-03-26 21:06:53 UTC
It's unclear to me whether it is required or not to remove binaries from source
distributions.  This draft is available:
http://fedoraproject.org/wiki/PackagingDrafts/SourceRequirement but it is
unclear to me whether this covers the RPM or both the RPM and SRPM.

If it is required, there should be definitely be a check of this sort.

It it's not required, then we should make the packaging guidelines clearer in
that respect.

This began when I recently repackaged a source tarball to remove a binary, and
rpmlint didn't warn that it was there to begin with.  My reviewer told me to
remove it after I brought up the issue with him.

Personally, I don't care if the binary is in the source tarball because if
someone is messing with the source/srpm I generally look at it as "they must
know what they're doing".  However, it is a good point that the binary could be
a payload for a virus or trojan and we certainly wouldn't want that to have the
possibility of that in our source.

You're on the packaging committee... you tell me :)

Seriously, if you don't mind, throw this topic in front of the committee at the
next meeting.


Note You need to log in before you can comment on or make changes to this bug.