[License-discuss] Storing source artifacts in ELF files (was: RE: [Non-DoD Source] Re: Discussion: AGPL and Open Source Definition conflict)

Karan, Cem F CIV USARMY CCDC ARL (USA) cem.f.karan.civ at mail.mil
Mon Oct 7 20:08:02 UTC 2019


Bruce Perens <bruce at perens.com> wrote on Monday, October 7, 2019 3:52 PM:
> Rather than do this, why not just make an existing 
> archive format executable? Just sticking #! and the 
> interpreter name at the front should be sufficient. 
> If you execute it, it extracts and runs a native 
> executable for your architecture, or one for any 
> interpreter such as the JVM. That can be the first 
> file. Then the rest of the files are the source.

Yeah, but the advantage of having it in the ELF file is that you don't need to execute the file to get at the source; you use trusted tools you already have on your system. For the security-conscious, you can do the following:
- Download the untrusted binary
- Mount the source portion of the ELF file using your trusted mounter
- Inspect the code, and at your option:
	- Ignore the binary entirely, and compile from source
	- Compile from source, recalculate the checksum, and if the checksums don't match, start warning everyone you can find.
	
SEAs require you to trust that the archive is not malicious.

Thanks,
Cem Karan

---
Other than quoted laws, regulations or officially published policies, the views expressed herein are not intended to be used as an authoritative state of the law nor do they reflect official positions of the U.S. Army, Department of Defense or U.S. Government.
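
The following is an added example, not part of the original message or of any project discussed in the thread: a sketch of reading an embedded source section out of an untrusted ELF64 file by parsing its headers only, never executing it. The section name `.source` and the helper `build_sample_elf` are assumptions made for illustration; the thread does not specify a section name or layout.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header (64 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header (64 bytes)
SHT_NOBITS = 8                             # section type that occupies no file space

def read_section(elf: bytes, wanted: str) -> bytes:
    """Return the raw bytes of section `wanted`. Parses only; nothing is executed."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if shentsize != SHDR.size or shstrndx >= shnum or shoff + shnum * shentsize > len(elf):
        raise ValueError("section header table out of bounds")
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    for h in hdrs:  # the file is untrusted, so bounds-check every offset and size
        if h[1] != SHT_NOBITS and h[4] + h[5] > len(elf):
            raise ValueError("section data out of bounds")
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    for h in hdrs:
        end = strtab.find(b"\0", h[0])  # h[0] is the name offset into .shstrtab
        if end != -1 and strtab[h[0]:end] == wanted.encode("ascii"):
            return elf[h[4]:h[4] + h[5]]
    raise KeyError(wanted)

def build_sample_elf(source: bytes) -> bytes:
    """Constructed sample input: a minimal ELF64 holding a hypothetical '.source' section."""
    names = b"\0.source\0.shstrtab\0"  # '.source' at offset 1, '.shstrtab' at offset 9
    src_off = EHDR.size
    str_off = src_off + len(source)
    shoff = str_off + len(names)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                     # null section
             + SHDR.pack(1, 1, 0, 0, src_off, len(source), 0, 0, 1, 0)   # SHT_PROGBITS
             + SHDR.pack(9, 3, 0, 0, str_off, len(names), 0, 0, 1, 0))   # SHT_STRTAB
    return ehdr + source + names + shdrs

if __name__ == "__main__":
    sample = build_sample_elf(b"int main(void) { return 0; }\n")
    print(read_section(sample, ".source").decode())
```
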




