rpminspect / rpminspect

RPM (single RPMs, SRPMs, Koji builds, Fedora modules) build deviation analysis tools
GNU General Public License v3.0

Inspect srpms for prebuilt binary ELF files #1358

Open simo5 opened 4 months ago

simo5 commented 4 months ago

Some ecosystems make it easy for upstream packages to sneak prebuilt binaries into their distribution packages, especially ecosystems that use vendoring by default (Go/Rust/etc.), where several layers of dependencies are automatically pulled in by their package managers.

It would be nice if rpminspect could flag sources where prebuilt binaries exist and have a way to specify individual occurrences as ok (for whatever reason; it would also be nice to have the reason recorded with the exception).

dcantrell commented 1 month ago

Are you thinking of this as a new inspection or an extension of an existing inspection? There is the 'upstream' inspection which checks the Source files. I could see extending that one to check whether any Source files defined are ELF objects. I think it might also be a good idea to check the Patches defined to see if any ELF objects are in there, which may be trickier since you could do something like uuencode the object and put it in a text file.

simo5 commented 1 month ago

Not sure; I guess whatever is most appropriate. This is mostly to catch errors, not to fight people determined to bypass the check.