When using witness to supervise a Debian package build, I noticed the Artifact attestor breaking when trying to lstat() the target of a dangling symlink. This dangling symlink was produced by the build process itself:
```
dpkg-genchanges --build=binary >../mgen_5.02.b+dfsg1-2.2build2_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
 dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)
failed to run attestors: lstat /tmp/mgen-5.02.b+dfsg1/debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen: no such file or directory
```
Since this makes witness return non-zero, it breaks builds. Here's what the stat utility shows for target and source in my system:
```
$ stat debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen
stat: cannot stat 'debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen': No such file or directory
$ stat debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen-dbgsym
  File: debian/.debhelper/mgen/dbgsym-root/usr/share/doc/mgen-dbgsym -> mgen
  Size: 4 Blocks: 0 IO Block: 512 symbolic link
Device: 2h/2d Inode: 4503599628240711 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-01-11 19:01:02.556707700 -0800
Modify: 2022-01-11 19:01:02.556707700 -0800
Change: 2022-01-11 19:01:02.556707700 -0800
 Birth: -
```
I recall having seen this in syft where logic was added to handle this case. It's possible that this could be handled near L106 in artifact.go.
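An added example (not from the issue and not witness's own code) of one way a file walker can tolerate the dangling link shown in the report: it reads the link text with `os.Readlink` and records a missing target as data instead of returning an error. The name `recordArtifacts` and the output labels are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// recordArtifacts (hypothetical, not witness's API): SHA-256 per file, link text per symlink.
func recordArtifacts(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path) // path always lies under root here
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			target, err := os.Readlink(path) // reads the link itself, never follows it
			if err != nil {
				return err
			}
			out[rel] = "symlink:" + target
			if _, err := os.Stat(path); errors.Is(err, fs.ErrNotExist) { // Stat follows the link
				out[rel] = "dangling-symlink:" + target
			} else if err != nil {
				return err // loops, permission errors and the like still fail the walk
			}
		case d.Type().IsRegular():
			data, err := os.ReadFile(path)
			if err != nil {
				return err
			}
			out[rel] = fmt.Sprintf("sha256:%x", sha256.Sum256(data))
		}
		return nil
	})
	return out, err
}

func main() {
	root, _ := os.MkdirTemp("", "artifact-demo") // constructed sample tree
	defer os.RemoveAll(root)
	os.Symlink("mgen", filepath.Join(root, "mgen-dbgsym")) // dangling, as in the report
	fmt.Println(recordArtifacts(root))
}
```

Recording the link text keeps the dangling entry visible in the attested file set, so a later change to where the link points still shows up as a difference.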