Bugzilla – Bug 150940
reject packages with binaries that contain still debug info
Last modified: 2008-07-16 15:45:37 UTC
libicu.rpm contains libraries with mode 644, find-debuginfo.sh will not extract the debug sections. This patch will catch such packages. But I'm not sure if it triggers false positives. The files below /usr/lib/debug and /usr/src/debug should have mode 644.
Created attachment 68451: debuginfo.patch
Rudi & Co, what do you think?
File thinks that all files stripped with objcopy --strip-debug are still unstripped, so the strip check would break for all kernel modules. Can we set up a policy whether our libraries should be executable or not, and enforce this instead?
/lib/modules/2.6.16-rc3-5-ppc64/kernel/fs/nfsd/nfsd.ko: ELF 64-bit MSB relocatable, cisco 7500, version 1 (SYSV), not stripped
it will not hurt, unless I misunderstood what you said.
Exit 1 in find-debuginfo.sh doesn't seem like a good idea to me. I'm not sure if that aborts the build though.
it does, and it should. Is there any package that has executables in a 'debug' directory?
This will print all files that don't have /debug in their path, which applies to all kernel modules:
find ${RPM_BUILD_ROOT} -path '*/debug' -prune -o -type f -print0
So the script would exit with 1 for all kernels --- not good.
yeah, I got the order wrong, the nfsd will of course fail the build.
find ${RPM_BUILD_ROOT} \( -path '*/debug' -o -path /boot -o -path /lib/modules \) -prune -o -type f -print0
this may work better.
Still my point from comment 3 remains: shouldn't we ensure that all libraries are executable instead, or change the debug split code to no longer only check executables?
the mode check is ok, otherwise it would take too long to look into each binary and check if it's something usable. no idea how big the slowdown would be. and poking around further on snowberry, these packages have still debuginfo in it :(
file /*bin/* /usr/*bin/* /lib*/* /usr/lib*/* | grep -E 'not stripped' | grep -vw 64-bit | cut -f 1 -d : | xargs rpm -qf | sort -u
cdparanoia-IIIalpha9.8-551
glibc-2.3.90-64
glibc-devel-2.3.90-64
libacl-2.2.34-2
libattr-2.4.28-2
libcap-1.92-489
libcdio-0.76-3
libmikmod-3.1.11-3
mDNSResponder-107.5-2
nscd-2.3.90-64
openldap2-client-2.3.19-2
permissions-2006.1.25-1
slang-2.0.5-3
tcpd-7.6-720
timezone-2.3.90-64
vcdimager-0.7.23-6
xfsprogs-2.7.11-4
glibc may be special. maybe add yet another variable to not fail the build.
ok, some of the above simply have no -debuginfo package.
As Andreas also already wrote the output of 'file' is unreliable. Sometimes the files only contain a symbol table, but not real debug information. E.g. glibc:
% file /lib/power4/libthread_db-1.0.so
/lib/power4/libthread_db-1.0.so: ELF 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV), for GNU/Linux 2.6.4, not stripped
% readelf -e /lib/power4/libthread_db-1.0.so | grep debug
[29] .gnu_debuglink PROGBITS 00000000 007aae 000020 00 0 0 1
%
ok, should I use readelf instead of file? what would be the pattern? In case of /usr/bin/chkstat, I see on the stripped binary:
@@ -49,9 +49,7 @@ [25] .sbss NOBITS 100131b0 0031b0 000018 00 WA 0 0 4 [26] .bss NOBITS 100131c8 0031b0 00000c 00 WA 0 0 4 [27] .comment PROGBITS 00000000 0031b0 000173 00 0 0 1 - [28] .shstrtab STRTAB 00000000 003323 0000f5 00 0 0 1 - [29] .symtab SYMTAB 00000000 0038f0 000e40 10 30 48 4 - [30] .strtab STRTAB 00000000 004730 000b26 00 0 0 1 + [28] .shstrtab STRTAB 00000000 003323 0000e5 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), x (unknown)
If a binary or shared lib is not handled by find-debuginfo (i.e. the debuginfo separated) it will contain these DWARF2 sections:
[23] .debug_aranges PROGBITS 00000000 0087e0 000118 00 0 0 8
[24] .debug_pubnames PROGBITS 00000000 0088f8 000409 00 0 0 1
[25] .debug_info PROGBITS 00000000 008d01 00581d 00 0 0 1
[26] .debug_abbrev PROGBITS 00000000 00e51e 000abd 00 0 0 1
[27] .debug_line PROGBITS 00000000 00efdb 001496 00 0 0 1
[28] .debug_frame PROGBITS 00000000 010474 000888 00 0 0 4
[29] .debug_str PROGBITS 00000000 010cfc 000c7e 01 0 0 1
[30] .debug_loc PROGBITS 00000000 01197a 00562d 00 0 0 1
[31] .debug_ranges PROGBITS 00000000 016fa7 001240 00 0 0 1
grepping for just .debug_info is probably safest, it's the main debug information section. An ELF file with separate debug info can be detected by existence of the ".gnu_debuglink" option. An ELF file without any debug info has neither, but still can have the .symtab and .strtab sections. Those would be stripped by a simple-minded 'strip' command, but that would remove useful information for backtraces, so we leave those in the binaries.
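The section-name rule from the comment above, as an added example that is not part of the thread or of any attached patch. The function names and the sample variables are assumptions made for illustration; the sample section lines are constructed, mostly from lines quoted in this bug.

```shell
#!/bin/sh
# Added example, not taken from any patch attached to this bug.
# Classifies an ELF file from the section names in `readelf -S -W` output.

# Reads a section table on stdin and prints one of:
#   unstripped   .debug_info present, DWARF is still inside the file
#   split        .gnu_debuglink present, DWARF lives in a separate file
#   symtab-only  neither, but .symtab was kept for backtraces
#   stripped     none of the above
classify_sections() {
    # Drop the "[NN]" index and keep the section name that follows it.
    names=$(sed -n 's/^ *\[ *[0-9]*] *\([^ ]*\).*/\1/p')
    if has_section .debug_info; then echo unstripped
    elif has_section .gnu_debuglink; then echo split
    elif has_section .symtab; then echo symtab-only
    else echo stripped
    fi
}

# Exact, fixed-string match so ".debug_info" is not treated as a regex.
has_section() { printf '%s\n' "$names" | grep -Fqx -- "$1"; }

# Wrapper for a real file; prints "not-elf" when readelf exits non-zero.
classify_elf() {
    table=$(readelf -S -W "$1" 2>/dev/null) || { echo not-elf; return 0; }
    printf '%s\n' "$table" | classify_sections
}

# Constructed sample inputs (section lines in readelf's table layout).
SAMPLE_UNSTRIPPED='  [25] .debug_info PROGBITS 00000000 008d01 00581d 00 0 0 1
  [29] .symtab SYMTAB 00000000 0038f0 000e40 10 30 48 4'
SAMPLE_SPLIT='  [28] .shstrtab STRTAB 00000000 003323 0000f5 00 0 0 1
  [29] .gnu_debuglink PROGBITS 00000000 007aae 000020 00 0 0 1'
SAMPLE_SYMTAB='  [ 5] .text PROGBITS 00000000 000400 001000 00 AX 0 0 4
  [29] .symtab SYMTAB 00000000 0038f0 000e40 10 30 48 4'

for s in "$SAMPLE_UNSTRIPPED" "$SAMPLE_SPLIT" "$SAMPLE_SYMTAB"; do
    printf '%s\n' "$s" | classify_sections
done
```

A file that carries both .debug_info and .gnu_debuglink is reported as unstripped, since the DWARF data is still in the shipped binary.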
Ok, will look for a better patch. libicu from beta3 doesn't have any .debug_* sections. Maybe rpm scripts removed it in some other way.
libicu is a subpackage of icu. The -debuginfo packages are created in <main>-debuginfo, also for all subpackages. The shared libraries in libicu.rpm should all contain a .gnu_debuglink section.
Created attachment 68711: find-debuginfo.patch
look at all files, file would have done it anyway. force permissions of all debug related files.
your patch doesn't fix "find" being unreliable source. it should use objdump -h | grep debug_info (or similar).
can you provide a better patch?
interesting abuse of NEEDINFO :)
Created attachment 69111: dmueller's find-debuginfo patch
list of affected files (from my workstation):
this removes the warning. bad to find offenders. doesn't force 644 permissions. also, not all of the files are part of a package which has a -debuginfo.rpm
Created attachment 69116: new patch
well, the patch was only a replacement for the first hunk of your patch obviously.
and what do you mean by "not all of the files are part of a package which has a -debuginfo.rpm" ? Wasn't that part of the story of fixing debuginfo support ?!
master-boot-code has no -debuginfo. your patch will likely work.
can you submit a package to BETA to see what breaks?
never mind, did so myself.
Status?
ready.
It's either waiting for debuginfo's to be enabled in BETA or being copied over to STABLE.
ping.. nothing happening..
submitted to STABLE.