Detecting binaries in rpmbuild - Page 2

11-04-2008, 10:03 AM

Patrice Dumas wrote:
> On Tue, Nov 04, 2008 at 11:53:46AM +0100, Dominik 'Rathann' Mierzejewski wrote:
>> On Tuesday, 04 November 2008 at 11:51, Patrice Dumas wrote:
>>> On Tue, Nov 04, 2008 at 10:42:32AM +0000, Andrew Haley wrote:
>>>> Hold on, how do you know that something is a "binary" ? What if, for
>>>> example, it's an image bitmap? In the general case it's not possible
>>>> to tell if something is source or binary.
>>> At least ELF files could be found out.
>> So could Windows binaries (executables, DLLs, C# blobs) and Java JARs.
>
> File isn't very good at detecting java code, and it only see jar as Zip
> archive, and .class file as data. But using the extension + the fact
> that it is a zip archive may be a safe bet.

The fact that it's a JAR doesn't tell you it has any precompiled code in
it: some JARs don't. By all means do this for ELF, but let's be sensible.

Andrew.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-05-2008, 12:36 PM

On Tue, Nov 04, 2008 at 10:53:33AM +0100, Joost van der Sluis wrote:
> Op maandag 03-11-2008 om 13:55 uur [tijdzone -0700], schreef Orion
> Poplawski:
> > I just discovered in a package I'm putting through review that the
> > upstream tar ball contains some pre-compiled binaries. It seems like
> > this would be a good check for rpmbuild to run automatically before
> > the
> > %build step. Thoughts?
>
> That would kill some packages. Like all compilers that have to bootstrap
> theirselves.

Should compilers be carrying binary stuff in their source tarballs
even for bootstrapping?

For MinGW we separated the binary bootstrap stuff into separate
*NON-Fedora* RPMs. The idea is that if you need to bootstrap on a
bare system, you have to install these *-bootstrap RPMs, and then you
can compile the real RPMs (from pure source SRPMS of course), and once
these are installed they obsolete the *-bootstrap RPMs. Thus our
Fedora SRPMs are pure source, no binaries.

http://fedoraproject.org/wiki/MinGW/Bootstrapping

Rich.

--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-05-2008, 12:38 PM

On Tue, Nov 04, 2008 at 10:42:32AM +0000, Andrew Haley wrote:
> Jon Ciesla wrote:
> >> I just discovered in a package I'm putting through review that the
> >> upstream tar ball contains some pre-compiled binaries. It seems like
> >> this would be a good check for rpmbuild to run automatically before the
> >> %build step. Thoughts?
> >
> > Fine, as long as it doesn't prevent building rpms from precompiled
> > binaries. I mean, other than compilers, we really shouldn't do it in
> > Fedora, but taking away that functionality would prevent companies
> > building some rpms for internal use. I agree that rpmlint sounds like a
> > great place for this.
>
> Hold on, how do you know that something is a "binary" ? What if, for
> example, it's an image bitmap? In the general case it's not possible
> to tell if something is source or binary.

It's probably a good idea to spot some common binary traps, such as
ELF objects/executables, COFF binaries (for Windows/MinGW), jar files
with bytecode, and Mono assemblies with CIL code.

Rich.

--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
Read my OCaml programming blog: http://camltastic.blogspot.com/
Fedora now supports 68 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-05-2008, 01:58 PM

Richard W.M. Jones (rjones@redhat.com) said:
> > > I just discovered in a package I'm putting through review that the
> > > upstream tar ball contains some pre-compiled binaries. It seems like
> > > this would be a good check for rpmbuild to run automatically before
> > > the
> > > %build step. Thoughts?
> >
> > That would kill some packages. Like all compilers that have to bootstrap
> > theirselves.
>
> Should compilers be carrying binary stuff in their source tarballs
> even for bootstrapping?

Well, RPM doesn't necessarily *require* that you build from source, even
though it encourages it. Otherwise it wouldn't have support for things
like nosrc rpms.

Hence, I'd agree with the person who suggested that this be an optional
check, or better done in rpmlint (which, admittedly, may not be feasible.)

Bill

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-05-2008, 05:30 PM

On Wed, 2008-11-05 at 09:58 -0500, Bill Nottingham wrote:
> Richard W.M. Jones (rjones@redhat.com) said:
> > > > I just discovered in a package I'm putting through review that the
> > > > upstream tar ball contains some pre-compiled binaries. It seems like
> > > > this would be a good check for rpmbuild to run automatically before
> > > > the
> > > > %build step. Thoughts?
> > >
> > > That would kill some packages. Like all compilers that have to bootstrap
> > > theirselves.
> >
> > Should compilers be carrying binary stuff in their source tarballs
> > even for bootstrapping?
>
> Well, RPM doesn't necessarily *require* that you build from source, even
> though it encourages it. Otherwise it wouldn't have support for things
> like nosrc rpms.
>
> Hence, I'd agree with the person who suggested that this be an optional
> check, or better done in rpmlint (which, admittedly, may not be feasible.)

Looks like this is already in bz as:
https://bugzilla.redhat.com/show_bug.cgi?id=232982
but CLOSED WONTFIX with this (comment #2)

"Short version: if there's a patch, I can have a look, but it's unlikely
I will
personally spend time on this anytime soon (and no promises about later either);
it's quite a bit of work for a smallish gain which can be also argued to be
harmful, depending on opinion.

Feel free to reopen here if you disagree and want to try convince me otherwise
(preferably with patches included

), or in upstream Trac
(http://rpmlint.zarb.org) if you want other rpmlint devs' opinions."

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-06-2008, 06:29 AM

>> Is it not better to do it in RPMLint with appropriate exceptions?

> Perhaps it would be a better option to separate this test from rpmlint
> (without stretching definitions of 'lint'). Payloading binaries isn't an
> RPM problem per se but more of a Packaging definition issue and,
> probably optional hence.

RPMLint does check for strange file permissions within the tarballs
which are part of the SRPMs. eg., non-644 bits for a C/C++ files.

Cheers,
Debarshi

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-06-2008, 09:14 PM

On Thursday 06 November 2008, Debarshi Ray wrote:
> >> Is it not better to do it in RPMLint with appropriate exceptions?
> >
> > Perhaps it would be a better option to separate this test from rpmlint
> > (without stretching definitions of 'lint'). Payloading binaries isn't an
> > RPM problem per se but more of a Packaging definition issue and,
> > probably optional hence.
>
> RPMLint does check for strange file permissions within the tarballs
> which are part of the SRPMs. eg., non-644 bits for a C/C++ files.

Not really, IIRC. It just checks permissions of packaged files, and some
source files in tarballs often propagate to -debuginfo packages with
those "strange" permissions intact, and /that/ is something it'll warn about.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-06-2008, 09:22 PM

On Thu November 6 2008, Ville Skyttä wrote:

> Not really, IIRC. It just checks permissions of packaged files, and some
> source files in tarballs often propagate to -debuginfo packages with
> those "strange" permissions intact, and /that/ is something it'll warn
> about.

What a coincidence, I noticed this today, too. But I would consider this to be
a bug in rpmbuild, because the permissions of the files for the -debuginfo
package should be sanitized.

Regards,
Till
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-06-2008, 10:04 PM

Le jeudi 06 novembre 2008 à 23:22 +0100, Till Maas a écrit :
> On Thu November 6 2008, Ville Skyttä wrote:
>
> > Not really, IIRC. It just checks permissions of packaged files, and some
> > source files in tarballs often propagate to -debuginfo packages with
> > those "strange" permissions intact, and /that/ is something it'll warn
> > about.
>
> What a coincidence, I noticed this today, too. But I would consider this to be
> a bug in rpmbuild, because the permissions of the files for the -debuginfo
> package should be sanitized.

Really, that's our own fault for not making %defattr(644,root,root,755)
the default and not forcing packagers to actually check what files need
special permissions in each package.

--
Nicolas Mailhot
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

11-07-2008, 10:47 AM

On Friday, 07 November 2008 at 00:04, Nicolas Mailhot wrote:
[...]
> Really, that's our own fault for not making %defattr(644,root,root,755)
> the default and not forcing packagers to actually check what files need
> special permissions in each package.

+1

Regards,
R.

--
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org | MPlayer http://mplayerhq.hu
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list