GNU bug report logs - #33300
hplip 3.18.9 contains non-free binary blobs


Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Wed, 7 Nov 2018 10:21:01 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Message #23 received at 33300 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Danny Milosavljevic <dannym <at> scratchpost.org>
Cc: 33300 <at> debbugs.gnu.org, Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: Re: Automatically detecting binaries in source tarballs
Date: Thu, 08 Nov 2018 09:50:23 +0100

Hello,

Danny Milosavljevic <dannym <at> scratchpost.org> wrote:

> I think it would be good to have guix check for closed-source binaries after
> unpacking, automatically (including jar files with class files in them).

Oh right, jars are certainly quite common, more than .so files.

>> > No idea if it's worth the trouble/performance hit/false-positive rate,
>> > of course. That's for the ner^Wgods to decide.  
>> 
>> Yeah I wonder if it would be fruitful.
>
> Marking known-good binaries (whitelisting) is still better than hoping
> we notice some closed-source binary (blacklisting).
>
> It would be a conspicuous reminder of what we still have to do - as
> opposed to the situation now where it's mostly in someone's head
> (if at all).

Yeah, that makes sense.

What about adding such a phase in %standard-phases in core-updates-next?
I guess it could check for files that match ‘elf-file?’ or ‘ar-file?’
and for *.jar.  WDYT?

We must add a keyword parameter in ‘gnu-build-system’ to make it
easy to disable it and/or to skip specific files.

Any takers?

Thanks,
Ludo’.




This bug report was last modified 6 years and 192 days ago.
