Create and install dependency manifests #230

Closed
wants to merge 2 commits into from

@jpakkane jpakkane commented Aug 17, 2015

A common problem when embedding sources is that you can't tell for any given executable what libraries it has. It might have an insecure version of OpenSSL, for example. This MR adds a dependency manifest, which lists each internally used dependency and its version. With this information it is easy to find executables that have unsafe dependencies and prevent them from running.

The format of the file is not final, more of a suggestion to get the ball rolling.

@ignatenkobrain ignatenkobrain commented Aug 17, 2015

Why do we really want to install JSON to the system?

@jpakkane jpakkane commented Aug 17, 2015

For distro packaging we wouldn't. That's why they are not installed by default.

This is for xdg-app applications and the like that embed their dependencies. This allows a distro security system to inspect the dependencies against a blacklist and block the app from running if it has vulnerable parts.
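
An added example, not part of this pull request or of Meson: a small scanner of the kind the comment above describes, which walks an install tree for `*.dependencies.json` files and blocks any executable whose manifest names a blocklisted version. The manifest layout (a JSON object mapping dependency name to version), the blocklist contents and all function names are assumptions, since the thread leaves the file format open.

```python
import json
import tempfile
from pathlib import Path

SUFFIX = ".dependencies.json"  # manifest suffix taken from the patch in this PR
# Constructed blocklist: dependency name -> versions considered unsafe.
BLOCKLIST = {"openssl": {"1.0.1e", "1.0.1f"}}


def check_manifest(path, blocklist):
    """Return (verdict, findings). Assumed format (the PR fixes none):
    a JSON object mapping each embedded dependency name to its version."""
    try:
        deps = json.loads(Path(path).read_text(encoding="utf-8"))
        if not isinstance(deps, dict):
            raise ValueError("manifest is not a JSON object")
    except (OSError, ValueError) as exc:
        # Fail closed: an unreadable manifest gives no assurance at all.
        return "block", [f"unreadable manifest: {exc}"]
    findings = sorted(
        f"{name} {version}"
        for name, version in deps.items()
        if str(version) in blocklist.get(str(name).lower(), ())
    )
    return ("block" if findings else "allow"), findings


def scan_tree(root, blocklist=BLOCKLIST):
    """Map each executable path (manifest path minus suffix) to its verdict."""
    results = {}
    for manifest in sorted(Path(root).rglob("*" + SUFFIX)):
        exe = str(manifest)[: -len(SUFFIX)]
        results[exe] = check_manifest(manifest, blocklist)
    return results


def demo():
    """Build a constructed install tree with three manifests and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good.dependencies.json").write_text('{"zlib": "1.2.8"}')
        (root / "bad.dependencies.json").write_text('{"OpenSSL": "1.0.1f"}')
        (root / "broken.dependencies.json").write_text("{not json")
        return {Path(k).name: v for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    for exe, (verdict, findings) in demo().items():
        print(exe, verdict, findings)
```

An executable that ships with no manifest at all never appears in the result, so a real policy also has to decide how to treat binaries without one.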

outdir = libdir
outdir = self.target_install_dir(t)
if isinstance(t, build.Executable) and self.build.install_dependency_manifests:
mf_src = self.get_target_filename(t) + '.dependencies.json'
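
Review bot: the `isinstance(t, build.Executable)` condition means a manifest is only installed for executables, so a library target built from embedded sources would ship the same code with nothing for a scanner to read; either cover library targets as well or document that manifests are executable-only. The `mf_src` path is also derived from `self.get_target_filename(t)` with no visible check that the manifest was actually generated, so a missing file should produce a clear error at install time rather than a silent skip.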

@ignatenkobrain ignatenkobrain Aug 18, 2015

Why not '%s.dependencies.json' % self.get_target_filename(t)? Let's use this for all string operations.

@jpakkane jpakkane commented Aug 22, 2015

This has been superseded.

@jpakkane jpakkane closed this Aug 22, 2015
@jpakkane jpakkane deleted the depmanifest branch Dec 20, 2016