Bug#909267: library-not-linked-against-libc: downgrade from error
- To: Russ Allbery <rra@debian.org>, 909267@bugs.debian.org
- Cc: Jeremy Bicha <jbicha@debian.org>, lamby@debian.org, Simon McVittie <smcv@debian.org>, naesten@gmail.com
- Subject: Bug#909267: library-not-linked-against-libc: downgrade from error
- From: Guillem Jover <guillem@debian.org>
- Date: Sat, 6 Oct 2018 17:33:18 +0200
- Message-id: <20181006153318.GA30351@gaara.hadrons.org>
- Reply-to: Guillem Jover <guillem@debian.org>, 909267@bugs.debian.org
- In-reply-to: <87pnx71z49.fsf@hope.eyrie.org>
- References: <1537461750.2004232.1514996608.71C30A1F@webmail.messagingengine.com> <20180920203714.GA10668@espresso.pseudorandom.co.uk> <CAAajCMb1+2fU47vrP-ZLxBGVrWb4HJGEx3aanNnPZ=2nDoZ-1A@mail.gmail.com> <1537478889.2097863.1515316640.769120E9@webmail.messagingengine.com> <874lejyfs7.fsf@hope.eyrie.org> <CAAajCMZtt1CvdL16z-29f8qiVazfOBVuWK5iU_H6Lx-=mfi4XQ@mail.gmail.com> <CAAajCMb1+2fU47vrP-ZLxBGVrWb4HJGEx3aanNnPZ=2nDoZ-1A@mail.gmail.com> <87pnx71z49.fsf@hope.eyrie.org> <CAAajCMb1+2fU47vrP-ZLxBGVrWb4HJGEx3aanNnPZ=2nDoZ-1A@mail.gmail.com>
Hi!
On Thu, 2018-09-20 at 17:19:02 -0700, Russ Allbery wrote:
> Jeremy Bicha <jbicha@debian.org> writes:
> > On Thu, Sep 20, 2018 at 6:18 PM Russ Allbery <rra@debian.org> wrote:
> >> Maybe exclude shared libraries linked with glib (and whatever the Qt
> >> equivalent is)?
>
> > One package that triggers this tag a lot is samba and it doesn't use
> > glib or qt.
>
> > https://lintian.debian.org/maintainer/pkg-samba-maint@lists.alioth.debian.org.html#samba
>
> I wonder if we would get all of the utility out of the tag if instead it
> looked for shared libraries with no NEEDED metadata. I think it's only
> catching libraries that aren't linked with anything else, so maybe just
> check for that explicitly?
Yeah, probably better than the status quo. Any kind of plugin would need
to be excluded though, because it might simply be using symbols from the
loading binary (via -rdynamic). It would still emit false positives for
any library that implements language run-times or does syscall wrapping.
This might include any new language implementing their own lib<lang>.so
and not basing that on libc.so, or even things like libaio.so, which for
a while did not need to be linked against libc! (Although for probably
bad reasons, because reimplementing syscall(2) is not very sane, or
even using _syscall(2) which might have not pulled the dep. :)

So, I'd say the trade-off is worth it, as there's definitely going to
be way fewer false positives on language run-time libraries, than the
current false positives.
Thanks,
Guillem
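
The check discussed in this message (flag only shared libraries that carry no NEEDED entries, and skip plugins), as an added example that is not part of the original mail and is not lintian's code. The names `needed_entries`, `would_tag`, `is_plugin` and `build_sample` are hypothetical, only little-endian ELF64 is handled, the caller is assumed to know whether a file is a plugin, and the ELF images are constructed in memory.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_entries(elf: bytes) -> list[str]:
    """Return the DT_NEEDED names of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dyn = [], (0, 0)
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (off, filesz)
    name_offs, strtab = [], 0
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offs.append(val)
        elif tag == DT_STRTAB:  # a virtual address: map it through PT_LOAD
            strtab = next(o + val - v for v, o, n in loads if v <= val < v + n)
    return [elf[strtab + o:elf.index(b"\0", strtab + o)].decode() for o in name_offs]

def would_tag(elf: bytes, is_plugin: bool = False) -> bool:
    """Heuristic proposed in the thread: no NEEDED entries, plugins excluded."""
    return not is_plugin and not needed_entries(elf)

def build_sample(needed: list[str]) -> bytes:
    """Constructed input: ELF header, PT_LOAD at vaddr 0x1000, PT_DYNAMIC."""
    strtab, offs = b"\0", []
    for name in needed:
        offs.append(len(strtab))
        strtab += name.encode() + b"\0"
    dyn_off = 64 + 2 * 56
    str_off = dyn_off + (len(offs) + 2) * 16
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<qQqQ", DT_STRTAB, 0x1000 + str_off, DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0x1000, 0x1000, total, total, 0x1000)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x1000 + dyn_off,
                       0x1000 + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + dyn + strtab
```

A run-time or syscall-wrapper library with an empty NEEDED list still returns `True` here, which is the remaining false-positive class the message accepts.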