On Fri, 04 Feb 2022 at 13:07:53 +0800, Paul Wise wrote: > Vagrant Cascadian wrote: > > Over the last several months, I and others have found quite a few > > packages that embed build paths via rpath when building with cmake. > > This seems like the sort of thing that will be an ongoing problem, so > if it is detectable statically then a lintian warning might be good.
For packages that (intentionally or unintentionally) still have a RPATH or RUNPATH in their installed files, https://lintian.debian.org/tags/custom-library-search-path detects it. You'll see that many of them are overridden as being necessary and intentional. For packages where the RPATH or RUNPATH is temporarily set during build (to be able to run unit tests without setting LD_LIBRARY_PATH) but then removed before installation with `chrpath -d` or equivalent code in CMake, I don't think this is going to be detectable statically, because the only traces left in the final binary are: - the build-ID will be different, because the RPATH/RUNPATH was part of the data that gets hashed to create the build-ID - if the length of the build directory changes, then the block of zero bytes that previously contained the RPATH/RUNPATH (before it was overwritten) will have a different length This is the sort of thing that can probably only be detected by literally doing two builds (in different directories) and comparing them with diffoscope, or possibly by screen-scraping build logs like blhc does. smcv
