
Bug#989957: pocsuite3/1.7.5-1 [ITP] -- an open-sourced remote vulnerability testing framework.



On Wed, Jun 23, 2021 at 10:21:34PM +0800, Tian Qiao wrote:
> Hi pabs
> 
> > On Jun 23, 2021, at 8:52 PM, Paul Wise <pabs@debian.org> wrote:
> > 
> > On Wed, 2021-06-23 at 18:32 +0800, Tian Qiao wrote:
> > 
> >> On Jun 23, 2021, at 1:06 AM, Tobias Frost wrote:
> >> 
> >>> shellcodes/data/linux/*bin
> >>> - Are they rebuilt during package build?
> >> 
> >> These are similar to static resources, which help users quickly build
> >> shellcode when writing exploit scripts.
> >> So they won't be rebuilt during package build.
> > 
> > How were these files created? It looks like they are generated from the
> > assembly files in the src/ subdirectory. All generated files should be
> > built from source at build time, and preferably removed from the
> > upstream source repository and tarballs, or the Debian tarball.
> > 
> > -- 
> > bye,
> > pabs
> > 
> > https://wiki.debian.org/PaulWise
> 
> If these files do not exist, they will be generated at runtime, and the
> corresponding code is at:
> https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/shellcodes/generator.py
> 
> One problem is that some tools are used to generate machine code
> through assembly code, such as nasm, objdump. If these tools do not
> exist on the user's system, it is necessary to use pre-generated ones.

Both "nasm" and "objdump" are available in Debian, so you can Recommend: or
Depends: on them (read up on the differences in the Debian Policy and decide what's
more appropriate). Or do the build at package build-time…
 
> Although these tools are provided in the upstream source code, there
> will be copyright conflicts and lintian warnings will be triggered.

Can you expand on the copyright conflicts and lintian warnings?

> So I've asked upstream to provide source-only tarballs, which are available at:
> https://github.com/knownsec/pocsuite3/releases

Can you expand? (It seems that upstream does have a dfsg tarball... Is that what you mean?)
(For sure you can also do the repacking using Files-Excluded: in d/copyright and a matching
d/watch file; it is strictly not necessary that upstream does it; OTOH it sure makes sense
to ask upstream to remove non-free things generally, but that should benefit everyone, not
only for "dfsg-repacking." (TL;DR: Possibly I got that wrong))

> So, I think it's necessary to keep them.

Well, no. Debian policy is that everything has to be built from its sources.
(So you need to do that at either build time or runtime.)

-- 
tobi
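As an added illustration of the "build it at package build-time" option discussed above (this is not pocsuite3's packaging nor upstream's generator.py pipeline), a hypothetical debian/rules fragment that assembles each blob from its source during the build and removes the generated files again on clean. It assumes one .asm per shellcode under pocsuite3/shellcodes/src/, that each becomes a flat binary of the same name under pocsuite3/shellcodes/data/linux/, and that a raw nasm -f bin output is acceptable; the real layout and assembler options may differ.

```make
#!/usr/bin/make -f
# Hypothetical debian/rules fragment (added illustration, not the package's
# real rules). Paths and the .bin naming are assumptions; adjust to the
# actual tree. Rebuilding from source at build time keeps the shipped bytes
# reproducible and auditable instead of trusting opaque pre-generated blobs.
export DH_VERBOSE = 1

SHELLCODE_SRC := $(wildcard pocsuite3/shellcodes/src/*.asm)
SHELLCODE_BIN := $(patsubst pocsuite3/shellcodes/src/%.asm,pocsuite3/shellcodes/data/linux/%.bin,$(SHELLCODE_SRC))

%:
	dh $@ --with python3 --buildsystem=pybuild

# nasm -f bin emits the raw machine code with no ELF wrapper, so no objdump
# extraction step is needed for this (assumed) layout.
pocsuite3/shellcodes/data/linux/%.bin: pocsuite3/shellcodes/src/%.asm
	mkdir -p $(dir $@)
	nasm -f bin -o $@ $<

override_dh_auto_build: $(SHELLCODE_BIN)
	dh_auto_build

# Drop the generated blobs on clean so a rebuild cannot silently reuse stale
# ones and the source package never carries them.
override_dh_auto_clean:
	rm -f $(SHELLCODE_BIN)
	dh_auto_clean
```

This pairs with `nasm` in Build-Depends and with the blobs listed under Files-Excluded: in d/copyright (plus a matching d/watch), so the orig tarball contains only the assembly sources.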