On 2022-02-04, Simon McVittie wrote: > On Fri, 04 Feb 2022 at 13:07:53 +0800, Paul Wise wrote: >> Vagrant Cascadian wrote: >> > Over the last several months, I and others have found quite a few >> > packages that embed build paths via rpath when building with cmake. >> >> This seems like the sort of thing that will be an ongoing problem, so >> if it is detectable statically then a lintian warning might be good. > > For packages that (intentionally or unintentionally) still have a RPATH > or RUNPATH in their installed files, > https://lintian.debian.org/tags/custom-library-search-path detects it. > You'll see that many of them are overridden as being necessary and > intentional. I was hoping to find a few of the cmake packages on there (e.g. /build/PACKAGE-*/PACKAGE-VERSION), but it appears the only ones on that list do not use cmake to build... > For packages where the RPATH or RUNPATH is temporarily set during build > (to be able to run unit tests without setting LD_LIBRARY_PATH) but then > removed before installation with `chrpath -d` or equivalent code in CMake, > I don't think this is going to be detectable statically, because the > only traces left in the final binary are: > > - the build-ID will be different, because the RPATH/RUNPATH was part of > the data that gets hashed to create the build-ID > - if the length of the build directory changes, then the block of zero > bytes that previously contained the RPATH/RUNPATH (before it was > overwritten) will have a different length But clearly some of the above is happening... > This is the sort of thing that can probably only be detected by literally > doing two builds (in different directories) and comparing them with > diffoscope Yeah, that's pretty much the conclusion I came to. > or possibly by screen-scraping build logs like blhc does. That could be an interesting approach, though relies on fairly verbose build logs. Thanks! live well, vagrant p.s. please CC me and/or reproducible-builds@lists.alioth.debian.org, I'm not subscribed to debian-devel.
Attachment:
signature.asc
Description: PGP signature