GNU bug report logs - #33300
hplip 3.18.9 contains non-free binary blobs

Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Wed, 7 Nov 2018 10:21:01 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


Message #26 received at 33300 <at> debbugs.gnu.org (full text, mbox):

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: Danny Milosavljevic <dannym <at> scratchpost.org>, 33300 <at> debbugs.gnu.org
Subject: Re: bug#33300: Automatically detecting binaries in source tarballs
Date: Fri, 9 Nov 2018 00:11:34 +0100
On Thu, 08 Nov 2018 09:50:23 +0100
ludo <at> gnu.org (Ludovic Courtès) wrote:

> Hello,
> 
> Danny Milosavljevic <dannym <at> scratchpost.org> skribis:
> 
> > I think it would be good to have guix check for closed-source
> > binaries after unpacking, automatically (including jar files with
> > class files in them).  
> 
> Oh right, jars are certainly quite common, more than .so files.
> 
> >> > No idea if it's worth the trouble/performance hit/false-positive
> >> > rate, of course. That's for the ner^Wgods to decide.    
> >> 
> >> Yeah I wonder if it would be fruitful.  
> >
> > Marking known-good binaries (whitelisting) is still better than
> > hoping we notice some closed-source binary (blacklisting).
> >
> > It would be a conspicuous reminder of what we still have to do - as
> > opposed to the situation now where it's mostly in someone's head
> > (if at all).  
> 
> Yeah, that makes sense.
> 
> What about adding such a phase in %standard-phases in
> core-updates-next? I guess it could check for files that match
> ‘elf-file?’ or ‘ar-file?’ and for *.jar.  WDYT?
> 
> We must add a keyword parameter in ‘gnu-build-system’ to make it
> easy to disable it and/or to skip specific files.

That is definitely a good idea.

One of my review-tasks is this:

[] Binaries included? If yes, create a snippet?
   find . -name "*.rar" -or -name "*.pdf" -or -name "*.bin" -or -name "*.dsy" -or -name "*.jar" -or -name "*.exe"

Should this be a phase of the build system? Or just a linter, which was
my first idea?

If it is a build-system-phase, it should probably go to core-updates
and beforehand someone must rebuild the world. I'm sure at least for
Java there are some JARs remaining and I had the plan to fold-packages
through them, but that had low priority.

Björn
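A content-based version of the check discussed in this thread, added here as an illustration and not code from Guix or from anyone in the thread: rather than matching file names as the find command above does, it reads the magic bytes an ELF file or ar archive starts with (what a predicate like ‘elf-file?’ or ‘ar-file?’ keys on), treats a zip as a jar only when it carries .class files, and honours a whitelist of known-good paths as Danny suggested. All file names and contents in the demo tree are constructed for the example.

```python
import tempfile
import zipfile
from pathlib import Path

ELF_MAGIC, AR_MAGIC, ZIP_MAGIC = b"\x7fELF", b"!<arch>\n", b"PK\x03\x04"


def classify_file(path):
    """Label a prebuilt binary as 'elf', 'ar' or 'jar-with-classes'; else None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, label in ((ELF_MAGIC, "elf"), (AR_MAGIC, "ar")):
        if head.startswith(magic):
            return label
    if head.startswith(ZIP_MAGIC):
        # A .jar is a zip: flag it only when it carries .class files, so that
        # zipped data files (docs, test fixtures) are not reported.
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith(".class") for n in zf.namelist()):
                    return "jar-with-classes"
        except zipfile.BadZipFile:
            pass
    return None


def find_binaries(root, allowed=()):
    """Map relative path -> label for each flagged file under root, skipping
    symlinks and the whitelist of known-good paths given in `allowed`."""
    found = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if rel in allowed or path.is_symlink() or not path.is_file():
            continue
        label = classify_file(path)
        if label:
            found[rel] = label
    return found


def demo():
    """Scan a constructed unpacked source tree built in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    plain = {"lib/plugin.so": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13,
             "lib/libfoo.a": AR_MAGIC, "README": b"source only\n"}
    for rel, data in plain.items():
        (root / rel).write_bytes(data)
    for zname, member in (("vendor.jar", "com/Foo.class"), ("docs.zip", "manual.txt")):
        with zipfile.ZipFile(root / zname, "w") as zf:
            zf.writestr(member, b"constructed payload")
    return find_binaries(root, allowed={"lib/libfoo.a"})  # libfoo.a whitelisted
```

Run as a build phase this would fail the build on any non-empty result; run as a linter it only reports, which is the trade-off Björn raises above.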



