[License-discuss] Storing source artifacts in ELF files (was: RE: [Non-DoD Source] Re: Discussion: AGPL and Open Source Definition conflict)

Bruce Perens bruce at perens.com
Mon Oct 7 20:34:21 UTC 2019


There aren't actually trusted tools on the system to get the source from an
ELF. There may be tools, but they are not trusted, because nobody uses them
in their normal lives. Put 512 bytes in front of a TAR archive, with the
"#! /bin/source_embedded\n" string at the start, and you are done. The
interpreter just extracts and runs the executable from the first file in
the archive. You can use "dd" to strip off the header and use the "tar"
command, both of which you ARE familiar with, unlike some odd flag to a
tool to extract an ELF segment.

On Mon, Oct 7, 2019 at 1:08 PM Karan, Cem F CIV USARMY CCDC ARL (USA) <
cem.f.karan.civ at mail.mil> wrote:

> Bruce Perens <bruce at perens.com> wrote on Monday, October 7, 2019 3:52 PM:
> > Rather than do this, why not just make an existing
> > archive format executable? Just sticking #! and the
> > interpreter name at the front should be sufficient.
> > If you execute it, it extracts and runs a native
> > executable for your architecture, or one for any
> > interpreter such as the JVM. That can be the first
> > file. Then the rest of the files are the source.
>
> Yeah, but the advantage of having it in the ELF file is that you don't
> need to execute the file to get at the source; you use trusted tools you
> already have on your system.  For the security conscious, you can do the
> following:
> - Download the untrusted binary
> - Mount the source portion of the ELF file using your trusted mounter
> - Inspect the code, and at your option:
>         - Ignore the binary entirely, and compile from source
>         - Compile from source, recalculate the checksum, and if the
> checksums don't match, start warning everyone you can find.
>
> SEAs require you to trust that the archive is not malicious.
>
> Thanks,
> Cem Karan
>
> ---
> Other than quoted laws, regulations or officially published policies, the
> views expressed herein are not intended to be used as an authoritative
> state of the law nor do they reflect official positions of the U.S. Army,
> Department of Defense or U.S. Government.
>

-- 
Bruce Perens - Partner, OSS.Capital.
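The layout Bruce describes above (a 512-byte block carrying the "#!" line, followed by an ordinary TAR whose first member is the thing to run), together with the inspect-before-you-execute steps in Cem's quoted message, as an added example that is not code from either author. The interpreter path /bin/source_embedded is taken from the message and does not exist on any real system; the file names and contents packed into the archive are constructed for the example. The two "trusted tools" steps are done here with Python's tarfile module; the equivalent command lines are given in the comments.

```python
"""Self-extracting source archive: a 512-byte "#!" header in front of a TAR.

Added example. Assumed from the thread: the interpreter /bin/source_embedded,
the 512-byte header, and "first member = the executable to run". Nothing here
executes the payload; the point is that the source can be listed and pulled
out with tools you already trust.
"""
import hashlib
import io
import posixpath
import tarfile

HEADER_SIZE = 512            # one tar block, so the rest stays block-aligned
SHEBANG = b"#! /bin/source_embedded\n"   # assumed interpreter from the thread


def build_sea(files):
    """Pack an ordered {name: bytes} dict; the first entry is the executable.

    Equivalent shell: (printf '#! /bin/source_embedded\\n' | dd bs=512 conv=sync;
                       tar -cf - hello src) > pkg.run
    """
    buf = io.BytesIO()
    first = next(iter(files))
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name == first else 0o644
            tar.addfile(info, io.BytesIO(data))
    header = SHEBANG.ljust(HEADER_SIZE, b"\0")   # NUL-pad to one block
    return header + buf.getvalue()


def strip_header(blob):
    """What `dd if=pkg.run bs=512 skip=1` does: drop the leading block."""
    if not blob.startswith(SHEBANG):
        raise ValueError("not a source_embedded archive")
    return blob[HEADER_SIZE:]


def _safe_name(name):
    """Reject absolute paths and '..' so an untrusted TAR cannot write
    outside the extraction directory (classic tar path-traversal check)."""
    norm = posixpath.normpath(name)
    return not (name.startswith("/") or norm.startswith("..") or norm == ".")


def list_sources(blob):
    """Inspect without executing anything: `dd ... | tar -tf -`.
    Raises on any member that would escape the extraction directory."""
    with tarfile.open(fileobj=io.BytesIO(strip_header(blob)), mode="r") as tar:
        names = [m.name for m in tar.getmembers()]
    bad = [n for n in names if not _safe_name(n)]
    if bad:
        raise ValueError("unsafe member paths: %r" % bad)
    return names


def extract_member(blob, name):
    """Pull one file out as bytes: `dd ... | tar -xOf - NAME`."""
    with tarfile.open(fileobj=io.BytesIO(strip_header(blob)), mode="r") as tar:
        return tar.extractfile(name).read()


def first_member(blob):
    """The member the (assumed) interpreter would extract and run."""
    name = list_sources(blob)[0]
    return name, extract_member(blob, name)


def binary_matches(blob, rebuilt):
    """Cem's last step: compare the shipped executable's digest with the one
    you rebuilt from the embedded source yourself."""
    _, shipped = first_member(blob)
    return hashlib.sha256(shipped).digest() == hashlib.sha256(rebuilt).digest()


if __name__ == "__main__":
    # Constructed sample payload for the example.
    pkg = build_sea({
        "hello": b"#!/bin/sh\necho hello from the archive\n",
        "src/hello.sh": b"#!/bin/sh\necho hello from the archive\n",
        "src/README": b"source for hello\n",
    })
    print("members:", list_sources(pkg))
    print("first member:", first_member(pkg)[0])
    print("rebuilt matches shipped:",
          binary_matches(pkg, extract_member(pkg, "src/hello.sh")))
```

Two things worth noticing. The header is 512 bytes because that is the TAR block size, so skipping exactly one block with `dd bs=512 skip=1` hands `tar` a stream that is still block-aligned; the kernel only reads the first line of that block for the interpreter name, and the NUL padding is ignored. And listing an untrusted archive is safe, but extracting it is not automatically so: the path check above (or `tar`'s own refusal of absolute and `..` paths in modern GNU tar) is what keeps "inspect the source" from turning into "let the archive write wherever it likes".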