Bug#1060839: ITP: golang-github-adamkorcz-go-fuzz-headers-1 -- helper functions for Go fuzzing (library)
On Tue, Jan 16, 2024 at 4:28 AM Simon Josefsson <simon@josefsson.org> wrote:
>
> Shengjing Zhu <zhsj@debian.org> writes:
>
> > On Mon, Jan 15, 2024 at 8:51 PM Simon Josefsson <simon@josefsson.org> wrote:
> >>
> >> Package: wnpp
> >> Severity: wishlist
> >> Owner: Simon Josefsson <simon@josefsson.org>
> >>
> >> * Package name : golang-github-adamkorcz-go-fuzz-headers-1
> >> Version : 0.0~git20230919.8b5d3ce-1
> >> Upstream Author : Adam Korcz <adam@adalogics.com>
> >> * URL : https://github.com/AdamKorcz/go-fuzz-headers-1
> >> * License : Apache-2.0
> >> Programming Lang: Go
> >> Description : helper functions for Go fuzzing (library)
> >>
> >> Various helper functions for go fuzzing. It is mostly used in combination
> >> with go-fuzz (https://github.com/dvyukov/go-fuzz), but compatibility with
> >> fuzzing in the standard library will also be supported. Any coverage guided
> >> fuzzing engine that provides an array or slice of bytes can be used with
> >> go-fuzz-headers.
> >> .
> >> go-fuzz-headers' approach to fuzzing structs is strongly inspired by
> >> gofuzz (https://github.com/google/gofuzz).
> >>
> >> I hope to maintain this package as part of Debian Go Packaging Team:
> >>
> >> https://salsa.debian.org/go-team/packages/golang-github-adamkorcz-go-fuzz-headers-1/
> >>
> >
> > Usually we don't run fuzz test when building packages, because it
> > would waste a lot of buildd resource.
> >
> > In theory we don't need any fuzz related libraries. But upstream may
> > mix their unit tests and fuzz tests in one source file, which makes it
> > difficult to strip such tests and their libraries.
> > The Go compiler by default wouldn't run fuzz tests.
> >
> > For packaging rekor, I think all these fuzz tests can be stripped by
> > file names. It seems upstream just puts all fuzz tests in
> > "fuzz_test.go".
>
> What is the best method to modify rekor to not need this dependency?
>
> If rekor can work without this package, I'm happy to avoid packaging it,
> although it is already in NEW.
>
> Looking at code, it seems to be used here:
>
> go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk=
> go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M=
> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd h1:1tbEqR4NyQLgiod7vLXSswHteGetAVZrMGCqrJxLKRs=
> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd/go.mod h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U=
> hack/tools/tools.go: _ "github.com/AdamKorcz/go-fuzz-headers-1"
> hack/tools/go.mod: github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd
> pkg/types/hashedrekord/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rpm/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/alpine/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/alpine/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/cose/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/jar/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rekord/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/intoto/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/intoto/v0.0.2/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/tuf/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/helm/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/dsse/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rfc3161/v0.0.1/fuzz_test.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/alpine_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/fuzz_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/jar_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> go.mod: github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18
>
> Would we have to patch all of these files? Or disable building them
> somehow?
>

Just remove these files, either via Files-Excluded in
debian/copyright, or rm in builddir in debian/rules.

> Let's see if we can develop a workaround before ftp-master approves the
> packages... otherwise maybe it doesn't hurt to use it anyway, and may
> save us time maintaining patches.
>
> /Simon
--
Shengjing Zhu
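
An added example, not part of the thread or of the rekor packaging: one way to turn the grep result quoted above into a Files-Excluded field, while separating `_test.go` importers from files that are compiled into regular packages. The function names and the miniature sample tree are constructed for illustration; only the module path comes from the thread.

```shell
#!/bin/sh
# Module path as it appears in the grep output quoted in the thread.
MODULE='github.com/AdamKorcz/go-fuzz-headers-1'

# importers DIR: sorted relative paths of .go files that import MODULE
# (fixed-string match on the opening quote plus the module path).
importers() {
    ( cd "$1" && find . -type f -name '*.go' \
        -exec grep -lF "\"$MODULE" {} + | sed 's|^\./||' | LC_ALL=C sort )
}

# test_importers DIR: the subset in *_test.go files, which go build ignores.
test_importers() { importers "$1" | grep '_test\.go$' || true; }

# build_importers DIR: the subset compiled into regular packages; removing
# these needs a check that nothing left in the tree imports their package.
build_importers() { importers "$1" | grep -v '_test\.go$' || true; }

# files_excluded DIR: a Files-Excluded field for the debian/copyright header
# paragraph, one path per continuation line.
files_excluded() {
    printf 'Files-Excluded:\n'
    importers "$1" | sed 's/^/ /'
}

# make_sample_tree DIR: constructed miniature tree (not the real rekor source).
make_sample_tree() {
    mkdir -p "$1/pkg/types/rpm/v0.0.1" "$1/pkg/fuzz" "$1/hack/tools"
    printf 'package rpm\nimport fuzz "%s"\n' "$MODULE" > "$1/pkg/types/rpm/v0.0.1/fuzz_test.go"
    printf 'package rpm\nimport "testing"\n' > "$1/pkg/types/rpm/v0.0.1/entry_test.go"
    printf 'package fuzz\nimport fuzz "%s"\n' "$MODULE" > "$1/pkg/fuzz/fuzz_utils.go"
    printf 'package tools\nimport _ "%s"\n' "$MODULE" > "$1/hack/tools/tools.go"
}

demo() {
    tmp=$(mktemp -d) && make_sample_tree "$tmp"
    files_excluded "$tmp"
    echo "non-test importers (check their reverse imports before removing):"
    build_importers "$tmp" | sed 's/^/  /'
    rm -rf "$tmp"
}
demo
```
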