Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-08 Thread Mike Frysinger
On Wednesday 08 March 2006 02:54, Kevin F. Quinn (Gentoo) wrote:
> On Wed, 8 Mar 2006 00:17:52 -0500
> > how does the attached patch look ?  it allows for regexes in the
> > ignore list which is why i used gawk ;)
>
> Could we add something so that we can disable these ignore lists in the
> hardened profile?

done and committed
-mike
-- 
gentoo-portage-dev@gentoo.org mailing list



Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-07 Thread Kevin F. Quinn (Gentoo)
On Wed, 8 Mar 2006 00:17:52 -0500
Mike Frysinger <[EMAIL PROTECTED]> wrote:

> how does the attached patch look ?  it allows for regexes in the
> ignore list which is why i used gawk ;)

Could we add something so that we can disable these ignore lists in the
hardened profile?  At least something like:

if [[ -n ${QA_STRICT_TEXTRELS} ]]; then
	f=$(scanelf -qyRF '%t %p' "${D}")
else
	filter version
fi
...

where we can add QA_STRICT_TEXTRELS to make.defaults.

-- 
Kevin F. Quinn




Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-07 Thread Mike Frysinger
how does the attached patch look ?  it allows for regexes in the ignore list 
which is why i used gawk ;)

QA_TEXTRELS="usr/lib/libGL.so.*"
QA_EXECSTACK="usr/bin/slmodem usr/bin/modem_test"
-mike
Index: ebuild.sh
===
--- ebuild.sh	(revision 2825)
+++ ebuild.sh	(working copy)
@@ -1095,7 +1095,7 @@
 	done
 
 	if type -p scanelf > /dev/null ; then
-		local insecure_rpath=0
+		local qa_var insecure_rpath=0
 
 		# Make sure we disallow insecure RUNPATH/RPATH's
 		# Don't want paths that point to the tree where the package was built
@@ -1132,9 +1132,22 @@
 		fi
 
 		# TEXTREL's are bd
-		f=$(scanelf -qyRF '%t %p' "${D}")
+		# Allow devs to mark things as ignorable ... e.g. things that are
+		# binary-only and upstream isn't cooperating (nvidia-glx) ... we
+		# allow ebuild authors to set QA_TEXTRELS_arch and QA_TEXTRELS ...
+		# the former overrides the latter ... regexes allowed ! :)
+		qa_var="QA_TEXTRELS_${ARCH}"
+		[[ -n ${!qa_var} ]] && QA_TEXTRELS=${!qa_var}
+		f=$(scanelf -qyRF '%t %p' "${D}" | grep -v ' usr/lib/debug/' | \
+			gawk '
+			BEGIN { split("'"${QA_TEXTRELS}"'", ignore); }
+			{	for (idx in ignore)
+	if ($NF ~ "^"ignore[idx]"$")
+	next;
+print;
+			}')
 		if [[ -n ${f} ]] ; then
-			scanelf -qyRF '%T %p' "${WORKDIR}"/ &> "${T}"/scanelf-textrel.log
+			scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log
 			echo -ne '\a\n'
 			echo "QA Notice: the following files contain runtime text relocations"
 			echo " Text relocations force the dynamic linker to perform extra"
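Review bot: the gawk filter in this hunk only works if `%p` yields paths relative to `${D}`: every entry is anchored as `"^"ignore[idx]"$"` against `$NF`, and the `grep -v ' usr/lib/debug/'` makes the same assumption, so a `${D}`-prefixed path would never match an entry such as `usr/lib/libGL.so.*`; if scanelf prints the absolute path, strip `${D}` before the pipe. Splicing the list into the awk program with `'"${QA_TEXTRELS}"'` also breaks on any quote character in the value; passing it with `gawk -v ignore_list="${QA_TEXTRELS}"` and calling `split(ignore_list, ignore)` in `BEGIN` avoids that. Since the entries are regexes, an unescaped `.` in `libGL.so.*` matches any character, which is worth a line in the comment so ebuild authors know what they are writing.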
@@ -1158,15 +1171,30 @@
 			# http://hardened.gentoo.org/gnu-stack.xml (Arch Status)
 			case ${CTARGET:-${CHOST}} in
 i?86*|ia64*|m68k*|powerpc64*|s390*|x86_64*)
-	f=$(scanelf -qyRF '%e %p' "${D}") ;;
-*)
-	f="" ;;
+	# Allow devs to mark things as ignorable ... e.g. things
+	# that are binary-only and upstream isn't cooperating ...
+	# we allow ebuild authors to set QA_EXECSTACK_arch and
+	# QA_EXECSTACK ... the former overrides the latter ...
+	# regexes allowed ! :)
+
+	qa_var="QA_EXECSTACK_${ARCH}"
+	[[ -n ${!qa_var} ]] && QA_EXECSTACK=${!qa_var}
+	f=$(scanelf -qyRF '%e %p' "${D}" | grep -v ' usr/lib/debug/' | \
+		gawk '
+		BEGIN { split("'"${QA_EXECSTACK}"'", ignore); }
+		{	for (idx in ignore)
+if ($NF ~ "^"ignore[idx]"$")
+	next;
+			print;
+		}')
+	;;
+*)	f="" ;;
 			esac
 			;;
 		esac
 		if [[ -n ${f} ]] ; then
 			# One more pass to help devs track down the source
-			scanelf -qyRF '%e %p' "${WORKDIR}"/ &> "${T}"/scanelf-exec.log
+			scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log
 			echo -ne '\a\n'
 			echo "QA Notice: the following files contain executable stacks"
 			echo " Files with executable stacks will not work properly (or at all!)"
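Review bot: the gawk ignore filter added here is a verbatim copy of the one in the TEXTREL hunk above, differing only in the variable name and the `%e` format; a small shared helper that takes the QA_* list as an argument would keep the two in sync, so that any fix to the quoting or anchoring lands in both checks. The new scanelf-execstack.log name is consistent with the echo in the following hunk.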
@@ -1174,7 +1202,7 @@
 			echo " at http://bugs.gentoo.org/ to make sure the file is fixed."
 			echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml";
 			echo " Please include this file in your report:"
-			echo " ${T}/scanelf-exec.log"
+			echo " ${T}/scanelf-execstack.log"
 			echo "${f}"
 			echo -ne '\a\n'
 			die_msg="${die_msg} execstacks"
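
Added here as an illustration (not code from the patch or from Portage): the ignore-list filter from the patch above and the QA_STRICT_TEXTRELS switch from Kevin's reply, combined in one portable shell function that uses grep -E instead of gawk. qa_filter, demo and SAMPLE are hypothetical names, the scanelf lines are constructed, and it assumes scanelf prints paths relative to ${D}.

```shell
#!/bin/sh
# Added example, not code from the Portage patch: the QA ignore-list filter
# from the thread in portable shell (grep -E instead of gawk), plus the
# QA_STRICT_<check> switch Kevin asked for.  qa_filter, demo and SAMPLE are
# hypothetical names; scanelf is assumed to print paths relative to ${D}.

# qa_filter CHECK ARCH: read "FLAG path" lines (scanelf -F '%t %p' style)
# on stdin and print those not covered by the ignore list.
# QA_<CHECK>_<ARCH> overrides QA_<CHECK>; a non-empty QA_STRICT_<CHECK>
# (e.g. set in a hardened make.defaults) empties the list entirely.
qa_filter() {
	eval "list=\${QA_$1}"
	eval "archlist=\${QA_${1}_${2}}"
	eval "strict=\${QA_STRICT_$1}"
	if [ -n "$archlist" ]; then list=$archlist; fi
	if [ -n "$strict" ]; then list=""; fi
	while IFS= read -r line; do
		path=${line##* }                 # last field, like awk's $NF
		case $path in usr/lib/debug/*) continue ;; esac  # split debug info
		skip=0
		set -f                           # entries are regexes, not globs
		for pat in $list; do
			# whole-path match, as the patch's "^" ignore[idx] "$" in gawk;
			# note '.' in a pattern matches any character
			if printf '%s\n' "$path" | grep -qE "^${pat}\$"; then
				skip=1
				break
			fi
		done
		set +f
		if [ "$skip" -eq 0 ]; then printf '%s\n' "$line"; fi
	done
}

# Constructed sample of 'scanelf -qyRF "%t %p"' output (not real results).
SAMPLE='TEXTREL usr/lib/libGL.so.1.0.8762
TEXTREL usr/lib/libfoo.so.0
TEXTREL usr/lib/debug/usr/lib/libGL.so.1.0.8762.debug'

# demo ARCH STRICT: run the TEXTREL check for one arch; a non-empty STRICT
# simulates a hardened profile that sets QA_STRICT_TEXTRELS in make.defaults.
demo() {
	QA_TEXTRELS='usr/lib/libGL.so.*'        # ebuild-wide ignore list
	QA_TEXTRELS_x86='usr/lib/libfoo.so.0'   # x86-only list replaces the above
	QA_STRICT_TEXTRELS=$2
	printf '%s\n' "$SAMPLE" | qa_filter TEXTRELS "$1"
}
demo amd64 ""   # prints only the libfoo line
```

Under the strict setting both offenders come back, which is the behaviour a hardened (PaX NOELFRELOCS) profile wants, since a TEXTREL object would fail to run there anyway.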


Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-06 Thread Ned Ludd
On Mon, 2006-03-06 at 09:21 +0100, Kevin F. Quinn (Gentoo) wrote:
> On Sun, 5 Mar 2006 20:46:25 -0500
> Mike Frysinger <[EMAIL PROTECTED]> wrote:
> 
> > On Sunday 05 March 2006 19:48, Kevin F. Quinn (Gentoo) wrote:
> > > This could be done via the profiles, perhaps - package.qa, something
> > > like package.mask/use/keywords:
> > 
> > i hate such things ... imo this information should stay in the ebuild
> > and nowhere else ...
> 
> I was thinking that the data would be "owned" by the QA team rather
> than the package maintainers.  I appreciate your pov, however.

That is a good point. Sadly I'd say I do not trust a large portion of 
our maintainers to do the right thing and not abuse the variable in the 
long run simply because they do not know how to fix a pkg properly.

vs say exporting env variables all over the place (bloating ebuilds 
even more) a single file does offer quite a few advantages. In addition 
a single file could be directly parsed by the scanelf util and be 
simply told to ignore the additional QA checks using fnmatch() for 
paths or so. It would also provide an easy overview of what's messed up 
in the tree.

shrug...


[snip]

> Heh - here's another idea for you to hate:
> 
> QA_OVERRIDE="EXECSTACK=...
>  x86? ( TEXTRELS=... )"

/me hates that also.

-- 
Ned Ludd <[EMAIL PROTECTED]>
Gentoo Linux




Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-06 Thread Kevin F. Quinn (Gentoo)
On Sun, 5 Mar 2006 20:46:25 -0500
Mike Frysinger <[EMAIL PROTECTED]> wrote:

> On Sunday 05 March 2006 19:48, Kevin F. Quinn (Gentoo) wrote:
> > This could be done via the profiles, perhaps - package.qa, something
> > like package.mask/use/keywords:
> 
> i hate such things ... imo this information should stay in the ebuild
> and nowhere else ...

I was thinking that the data would be "owned" by the QA team rather
than the package maintainers.  I appreciate your pov, however.

There may be benefit in being able to set it differently for each
profile; for example a hardened (PaX NOELFRELOCS) profile might always
have QA_TEXTRELS set empty (i.e. anything with TEXTRELs would fail to
install, as it'd fail to run anyway).  However package maintainers in
general aren't going to like yet more special-casing for the
non-mainstream profiles.


Anyway, that aside - if you're going for a QA__ naming,
you could use QA_ where there's no arch difference, supplying
others where necessary such that if QA__ exists
it takes precedence over QA_. Otherwise you'll end up
adding a whole set of variables to all affected ebuilds. Admittedly
there aren't that many of them so it may not be worth the hassle.

Heh - here's another idea for you to hate:

QA_OVERRIDE="EXECSTACK=...
 x86? ( TEXTRELS=... )"

-- 
Kevin F. Quinn




Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-05 Thread Marius Mauch
On Sun, 5 Mar 2006 20:46:25 -0500
Mike Frysinger <[EMAIL PROTECTED]> wrote:

> On Sunday 05 March 2006 19:48, Kevin F. Quinn (Gentoo) wrote:
> > Ned Ludd <[EMAIL PROTECTED]> wrote:
> > > On Fri, 2006-03-03 at 23:32 -0500, Mike Frysinger wrote:
> > > > so we've found some cases where a package installs objects that
> > > > either need to be ignored by some of the scanelf checks ...
> > > >
> > > > ...
> > > >
> > > > what this e-mail is about is naming convention ... i'm thinking
> > > > that an ebuild sets up a variable with a list of relative paths
> > > > to $D of files that should be skipped for various checks ... so
> > > > with slmodem, we'd have like: QA_EXEC_STACK="usr/sbin/slmodemd
> > > > usr/sbin/slmodem_test"
> > > >
> > > > if, in the future, we need to add an ignore list for TEXTRELs,
> > > > we'd use QA_TEXTRELS=""
> > >
> > > This becomes tricky when looking at tests across all CHOSTs.
> > > What holds true for one arch definitely is not the case for others.
> >
> > This could be done via the profiles, perhaps - package.qa, something
> > like package.mask/use/keywords:
> 
> i hate such things ... imo this information should stay in the ebuild
> and nowhere else ...
> 
> be trivial to expand the support like:
> QA_TEXTRELS="..."   # for all arches
> QA_TEXTRELS_arch="..."   # for just one arch
> 
> so in the case of slmodem:
> QA_EXEC_STACK="usr/sbin/slmodemd"
> in the case of some other package that only has issues on x86:
> QA_EXEC_STACK_x86="some/foo"
> 
> this thread was about the naming convention :P
> does QA_EXEC_STACK and QA_TEXTRELS work for people ?

Personally I'd call it QA_IGNORE_*, but that's just me.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.



Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-05 Thread Ned Ludd
On Sun, 2006-03-05 at 20:46 -0500, Mike Frysinger wrote:

[snip]

> be trivial to expand the support like:
> QA_TEXTRELS="..."   # for all arches
> QA_TEXTRELS_arch="..."   # for just one arch
> 
> so in the case of slmodem:
> QA_EXEC_STACK="usr/sbin/slmodemd"
> in the case of some other package that only has issues on x86:
> QA_EXEC_STACK_x86="some/foo"
> 
> this thread was about the naming convention :P
> does QA_EXEC_STACK and QA_TEXTRELS work for people ?
> -mike

I'd prefer EXECSTACK as one word to follow suit with ld, but otherwise
works for me.


-- 
Ned Ludd <[EMAIL PROTECTED]>
Gentoo Linux




Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-05 Thread Mike Frysinger
On Sunday 05 March 2006 19:48, Kevin F. Quinn (Gentoo) wrote:
> Ned Ludd <[EMAIL PROTECTED]> wrote:
> > On Fri, 2006-03-03 at 23:32 -0500, Mike Frysinger wrote:
> > > so we've found some cases where a package installs objects that
> > > either need to be ignored by some of the scanelf checks ...
> > >
> > > ...
> > >
> > > what this e-mail is about is naming convention ... i'm thinking
> > > that an ebuild sets up a variable with a list of relative paths to
> > > $D of files that should be skipped for various checks ... so with
> > > slmodem, we'd have like: QA_EXEC_STACK="usr/sbin/slmodemd
> > > usr/sbin/slmodem_test"
> > >
> > > if, in the future, we need to add an ignore list for TEXTRELs, we'd
> > > use QA_TEXTRELS=""
> >
> > This becomes tricky when looking at tests across all CHOSTs.
> > What holds true for one arch definitely is not the case for others.
>
> This could be done via the profiles, perhaps - package.qa, something
> like package.mask/use/keywords:

i hate such things ... imo this information should stay in the ebuild and 
nowhere else ...

be trivial to expand the support like:
QA_TEXTRELS="..."   # for all arches
QA_TEXTRELS_arch="..."   # for just one arch

so in the case of slmodem:
QA_EXEC_STACK="usr/sbin/slmodemd"
in the case of some other package that only has issues on x86:
QA_EXEC_STACK_x86="some/foo"

this thread was about the naming convention :P
does QA_EXEC_STACK and QA_TEXTRELS work for people ?
-mike



Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-05 Thread Kevin F. Quinn (Gentoo)
On Sat, 04 Mar 2006 19:56:41 -0500
Ned Ludd <[EMAIL PROTECTED]> wrote:

> On Fri, 2006-03-03 at 23:32 -0500, Mike Frysinger wrote:
> > so we've found some cases where a package installs objects that
> > either need to be ignored by some of the scanelf checks ...
> > 
> > ...
> > 
> > what this e-mail is about is naming convention ... i'm thinking
> > that an ebuild sets up a variable with a list of relative paths to
> > $D of files that should be skipped for various checks ... so with
> > slmodem, we'd have like: QA_EXEC_STACK="usr/sbin/slmodemd
> > usr/sbin/slmodem_test"
> > 
> > if, in the future, we need to add an ignore list for TEXTRELs, we'd
> > use QA_TEXTRELS=""
> 
> This becomes tricky when looking at tests across all CHOSTs.
> What holds true for one arch definitely is not the case for others.

This could be done via the profiles, perhaps - package.qa, something
like package.mask/use/keywords:

net-dialup/slmodem QA_EXECSTACK="..." QA_TEXTRELS="..."

-- 
Kevin F. Quinn




Re: [gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-04 Thread Ned Ludd
On Fri, 2006-03-03 at 23:32 -0500, Mike Frysinger wrote:
> so we've found some cases where a package installs objects that either need
> to be ignored by some of the scanelf checks ...
> 
> first off, we have kernel binary objects that a package installs (the h*modem 
> packages do this), so they should not be subjected to the exec stack scans
> 
> next up is the slmodem package ... this puppy is partly binary only and we 
> have no access to the source code and upstream is dead ... one of the 
> pre-built binary objects has an exec stack enabled via gcc (meaning it's a 
> legit use of exec stack) ... so we need to skip that
> 
> what this e-mail is about is naming convention ... i'm thinking that an
> ebuild sets up a variable with a list of relative paths to $D of files that
> should be skipped for various checks ... so with slmodem, we'd have like:
> QA_EXEC_STACK="usr/sbin/slmodemd usr/sbin/slmodem_test"
> 
> if, in the future, we need to add an ignore list for TEXTRELs, we'd use 
> QA_TEXTRELS=""

This becomes tricky when looking at tests across all CHOSTs.
What holds true for one arch definitely is not the case for others.

-- 
Ned Ludd <[EMAIL PROTECTED]>
Gentoo Linux




[gentoo-portage-dev] [rfc] variable naming for marking binaries as QA ignorable

2006-03-03 Thread Mike Frysinger
so we've found some cases where a package installs objects that either need to 
be ignored by some of the scanelf checks ...

first off, we have kernel binary objects that a package installs (the h*modem 
packages do this), so they should not be subjected to the exec stack scans

next up is the slmodem package ... this puppy is partly binary only and we 
have no access to the source code and upstream is dead ... one of the 
pre-built binary objects has an exec stack enabled via gcc (meaning it's a 
legit use of exec stack) ... so we need to skip that

what this e-mail is about is naming convention ... i'm thinking that an ebuild 
sets up a variable with a list of relative paths to $D of files that should 
be skipped for various checks ... so with slmodem, we'd have like:
QA_EXEC_STACK="usr/sbin/slmodemd usr/sbin/slmodem_test"

if, in the future, we need to add an ignore list for TEXTRELs, we'd use 
QA_TEXTRELS=""
-mike