Hi, Vagrant Cascadian <vagr...@debian.org> skribis:
> On 2019-03-09, Ludovic Courtès wrote:
>> Vagrant Cascadian <vagr...@debian.org> skribis:
>>> On 2019-03-08, Ludovic Courtès wrote:
>>>> Vagrant Cascadian <vagr...@debian.org> skribis:
>>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>>
>>> Does the lint checker have a way to identify a confidence level,
>>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>>> override the lint checker issues for known false positives? Otherwise,
>>> it might just be annoying noise for packagers where it isn't
>>> appropriate.
>>
>> No, it doesn’t have that notion of a confidence level.
>
> And I presume no overrides either, given no comment about that?

We could arrange for this lint “checker” to honor some per-package property that would silence it. We do that with the ‘cve’ checker and the ‘lint-hidden-cve’ property.

>> The warning could be triggered only when a package is GPL’d and has a
>> direct dependency on OpenSSL (we’d forget about indirect dependencies in
>> this case.) The noise would be rather limited and justified in this
>> case, I think. WDYT?
>
> The openssl package currently ships the "openssl" binary, as well as the
> libraries. I suspect there are at least three potential cases where a
> package might depend on it:
>
> * Calls the "openssl" binary as part of test suite or run-time. No
> licensing compatibility issue, no worries!
>
> * Using include files from the openssl headers; I guess you could search
> for "include .* openssl/*.h" in the source code. Might get some false
> positives. Can be run without actually even building it.
>
> * Linking against the library which should actually be easy to detect
> with ldd or other tools. Would need to build and then run the checks to
> be sure.

So for the 1st case we’d definitely need that property to tell ‘lint’ that everything is known-good.

‘guix lint’ does very inexpensive tests, so unpacking the tarball and grepping it would be beyond its scope.

However, if we can provide the warning and people have a way to silence it, I guess we’re fine?

Thanks,
Ludo’.
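As an added illustration of the checker sketched in this thread (not code from the thread or from Guix itself), here is how a ‘gpl-openssl’ checker could look in the style of (guix lint), with an assumed ‘lint-hidden-gpl-openssl’ property playing the role that ‘lint-hidden-cve’ plays for the ‘cve’ checker. The checker name, the property name and the rule that a GPL-family license is recognised by its name starting with "GPL" are assumptions; the module names and record constructors are those of Guix at the time of the thread.

```scheme
;; Hypothetical 'gpl-openssl' lint checker (example, not Guix's own code).
(use-modules (guix lint) (guix packages) (guix licenses) (guix i18n)
             (ice-9 match) (srfi srfi-1))

(define (gpl-license? license)
  ;; Assumed rule: GPL-family license names start with "GPL"; "LGPL ..."
  ;; does not, so LGPL'd packages are not flagged.
  (and (license? license)
       (string-prefix? "GPL" (license-name license))))

(define (gpl-package? package)
  ;; A package's license field may hold one license or a list of them.
  (match (package-license package)
    ((? license? l) (gpl-license? l))
    ((lst ...) (any gpl-license? lst))
    (_ #f)))

(define (input-package input)
  ;; Accept both ("label" package . outputs) and bare package inputs.
  (match input
    ((_ (? package? p) . _) p)
    (((? package? p) . _) p)
    ((? package? p) p)
    (_ #f)))

(define (openssl-direct-input? package)
  ;; Only direct inputs are considered, as proposed in the thread;
  ;; indirect dependencies are deliberately ignored.
  (any (lambda (input)
         (let ((p (input-package input)))
           (and p (string=? (package-name p) "openssl"))))
       (package-direct-inputs package)))

(define (check-gpl-openssl package)
  ;; Honor an assumed per-package property so known-good cases (e.g. a
  ;; package that only calls the "openssl" binary) can silence the warning.
  (cond ((assq-ref (package-properties package) 'lint-hidden-gpl-openssl)
         '())
        ((and (gpl-package? package) (openssl-direct-input? package))
         (list (make-warning package
                             (G_ "GPL'd package has a direct dependency on OpenSSL")
                             #:field 'inputs)))
        (else '())))

(define %gpl-openssl-checker
  (lint-checker
   (name 'gpl-openssl)
   (description "Warn about GPL'd packages that depend directly on OpenSSL")
   (check check-gpl-openssl)))
```

A packager would silence a known false positive by adding `(properties '((lint-hidden-gpl-openssl . #t)))` to the package definition, mirroring how ‘lint-hidden-cve’ is used today.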