[License-discuss] Storing source artifacts in ELF files

Karan, Cem F CIV USARMY CCDC ARL (USA) cem.f.karan.civ at mail.mil
Tue Oct 8 13:19:03 UTC 2019


Howard Chu wrote on Monday, October 7, 2019 7:42 PM:

> Karan, Cem F CIV USARMY CCDC ARL (USA) via License-discuss wrote:
> > Thorsten Glaser wrote on Monday, October 7, 2019 5:14 PM:
> >> To: license-discuss at lists.opensource.org
> >>> SEAs require you to trust that the archive is not malicious.
> >>
> >> This is true for all archive format…
> >
> > No.  There are plenty of archive formats that you don't execute directly, but execute a different program to access the contents of the
> archive (try executing a standard tar file directly; unless your system has been configured to untar it and then execute it, it won't work).
> 
> Nonsense. That's simply a matter of circumstance in that no one has bothered to write a self-extracting wrapper for tar files yet. I could
> whip one up in 10 minutes.

So could I, but that's not the point here.  The point is where you place your trust: in the SEA, or in the tools that shipped with your distro?  My distro's tar has been examined by a large number of people, and is running on a lot of machines.  I can also dig into its code.  So using it (and other tools in my distro) to mount the archive portion of the ELF file is relatively safe (ignoring bugs in the tar implementation).

However, with a SEA, I have to trust the code *in the SEA* to not be malicious.  Maybe you wrote a wrapper, and maybe you wrote a bit of ransomware; I won't know until I run it (or deliberately use other tools to examine it, assuming you haven't decided to encrypt it, etc.).


Thanks,
Cem Karan

---
Other than quoted laws, regulations or officially published policies, the views expressed herein are not intended to be used as an authoritative state of the law nor do they reflect official positions of the U.S. Army, Department of Defense or U.S. Government.
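An added illustration of the approach the message above argues for (reading the archive portion of an ELF file with a reader you already trust instead of running the stub), written for this page and not code from the thread or from any project it mentions. It assumes the convention that a self-extracting ELF stub carries its archive as trailing bytes after the last byte the ELF headers account for, so the end of the ELF image is computed from the header tables and everything after it is handed to Python's standard `tarfile` reader. The ELF image and the tar payload are constructed in the block itself; `build_sample_elf_with_payload`, `elf_image_end` and `inspect_sea` are names chosen here, not names from any tool.

```python
import io
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
SHT_NOBITS = 8


def elf_image_end(data: bytes) -> int:
    """Return the offset just past the last byte that the ELF headers account
    for.  Bytes after it are trailing data the loader never maps, which is the
    usual place for a self-extracting stub to keep its archive."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    order = "<" if data[5] == ELFDATA2LSB else ">"
    # Elf64_Ehdr fields following the 16-byte e_ident.
    (_type, _machine, _version, _entry, e_phoff, e_shoff, _flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     _shstrndx) = struct.unpack_from(order + "HHIQQQIHHHHHH", data, 16)
    last = max(e_ehsize, e_phoff + e_phentsize * e_phnum,
               e_shoff + e_shentsize * e_shnum)
    for i in range(e_phnum):
        # Elf64_Phdr prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        _t, _f, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            order + "IIQQQQ", data, e_phoff + i * e_phentsize)
        last = max(last, p_offset + p_filesz)
    for i in range(e_shnum):
        # Elf64_Shdr prefix: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        _n, sh_type, _fl, _addr, sh_offset, sh_size = struct.unpack_from(
            order + "IIQQQQ", data, e_shoff + i * e_shentsize)
        if sh_type != SHT_NOBITS:  # .bss-style sections occupy no file bytes
            last = max(last, sh_offset + sh_size)
    return last


def inspect_sea(data: bytes) -> dict:
    """Read the trailing archive with the standard tar reader and return each
    regular member's bytes.  The ELF stub itself is never executed."""
    payload = data[elf_image_end(data):]
    if not payload:
        raise ValueError("no trailing payload after the ELF image")
    members = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():  # skip links, devices and directories
                continue
            f = tf.extractfile(m)
            members[m.name] = f.read() if f else b""
    return members


def build_sample_tar(files: dict) -> bytes:
    """Constructed sample payload: a plain tar archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_elf_with_payload(payload: bytes) -> bytes:
    """Constructed sample stub: a minimal little-endian ELF64 image with one
    PT_LOAD program header, a null section plus one 16-byte PROGBITS section,
    and the payload appended after the last accounted byte (offset 264)."""
    e_phoff, e_shoff = 64, 64 + 56
    text_off = e_shoff + 2 * 64
    text = b"\x90" * 16
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, e_phoff, e_shoff,
                        0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, text_off, 0x401000, 0x401000, 16, 16, 0x1000)
    sh_null = bytes(64)
    sh_text = struct.pack("<IIQQQQIIQQ", 0, 1, 6, 0x401000, text_off, 16, 0, 0, 16, 0)
    return ehdr + phdr + sh_null + sh_text + text + payload


# Constructed input: a stub wrapping two source artifacts.
SAMPLE_FILES = {"src/hello.c": b"int main(void) { return 0; }\n", "LICENSE": b"MIT\n"}
SAMPLE_IMAGE = build_sample_elf_with_payload(build_sample_tar(SAMPLE_FILES))

if __name__ == "__main__":
    print("ELF image ends at offset", elf_image_end(SAMPLE_IMAGE))
    for name, content in inspect_sea(SAMPLE_IMAGE).items():
        print(f"{name}: {len(content)} bytes")
```

The point of the split is that the only code that runs is the ELF header parser and the system's tar reader, both of which can be reviewed independently of whoever built the stub; if the stub was altered, the payload is still listed and read without any of its code executing.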
