[License-discuss] Storing source artifacts in ELF files (was: RE: [Non-DoD Source] Re: Discussion: AGPL and Open Source Definition conflict)

Karan, Cem F CIV USARMY CCDC ARL (USA) cem.f.karan.civ at mail.mil
Mon Oct 7 21:15:21 UTC 2019


I get what you're saying, and I see your point.  My thought is that the tools would be shipped with distros (which I strongly suspect is what 99% of the people out there will use, rather than roll their own).  The tools may actually be simple bash scripts that do exactly what you're saying, or they may be more complex.

Just to be clear, I'm not really sure if these tools would ever really be used; there are a lot of cons, and only a few pros.  At the moment, I view this as a form of interesting mental exercise, not a serious effort.  View this as a 'can it be done?' type of mental exercise, but don't commit any resources to it, cause neither I nor the US Government are going to recompense you (or anyone else!) in any way shape or form for this! ;)


Thanks,
Cem Karan

---
Other than quoted laws, regulations or officially published policies, the views expressed herein are not intended to be used as an authoritative state of the law nor do they reflect official positions of the U.S. Army, Department of Defense or U.S. Government.




Bruce Perens wrote on Monday, October 7, 2019 4:34 PM:

There aren't actually trusted tools on the system to get the source from an ELF. There may be tools, but they are not trusted, because nobody uses them in their normal lives. Put 512 bytes in front of a TAR archive, with the "#! /bin/source_embedded\n" string at the start, and you are done. The interpreter just extracts and runs the executable from the first file in the archive. You can use "dd" to strip off the header and use the "tar" command, both of which you ARE familiar with, unlike some odd flag to a tool to extract an ELF segment.

On Mon, Oct 7, 2019 at 1:08 PM Karan, Cem F CIV USARMY CCDC ARL (USA) <cem.f.karan.civ at mail.mil> wrote:
Bruce Perens <bruce at perens.com> wrote on Monday, October 7, 2019 3:52 PM:
> Rather than do this, why not just make an existing 
> archive format executable? Just sticking #! and the 
> interpreter name at the front should be sufficient. 
> If you execute it, it extracts and runs a native 
> executable for your architecture, or one for any 
> interpreter such as the JVM. That can be the first 
> file. Then the rest of the files are the source.

Yeah, but the advantage of having it in the ELF file is that you don't need to execute the file to get at the source; you use trusted tools you already have on your system.  For the security conscious, you can do the following:
- Download the untrusted binary
- Mount the source portion of the ELF file using your trusted mounter
- Inspect the code, and at your option:
        - Ignore the binary entirely, and compile from source
        - Compile from source, recalculate the checksum, and if the checksums don't match, start warning everyone you can find.

SEAs require you to trust that the archive is not malicious.

Thanks,
Cem Karan






-- 
Bruce Perens - Partner, OSS.Capital (http://OSS.Capital).
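
The two workflows discussed in this thread, combined as an added example (not code from either poster): a 512-byte `#! /bin/source_embedded` header in front of a tar archive, inspected with `dd` and `tar` without ever executing the file, then rebuilt and checksum-compared. The `bin/prog` and `src/` layout, the stand-in build step, the member-name check and the use of `sha256sum` are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo. Only the 512-byte header and its "#! /bin/source_embedded"
# string come from the thread; the bin/ + src/ layout and build step are assumptions.
HDR_SIZE=512

# make_sea OUT DIR: 512-byte NUL-padded header, then a tar with bin/ first, src/ after.
make_sea() {
    printf '#! /bin/source_embedded\n' | dd of="$1" bs="$HDR_SIZE" conv=sync 2>/dev/null
    tar -C "$2" -cf - bin src >> "$1"
}

# sea_stream FILE: emit the tar payload without executing anything.
sea_stream() { dd if="$1" bs="$HDR_SIZE" skip=1 2>/dev/null; }

# extract_sea FILE DEST: check header and member names, then unpack.
extract_sea() {
    [ "$(head -n 1 "$1")" = '#! /bin/source_embedded' ] || return 1
    # Reject absolute paths and ".." components before touching the disk.
    if sea_stream "$1" | tar -tf - | grep -Eq '^/|(^|/)\.\.(/|$)'; then return 2; fi
    mkdir -p "$2" && sea_stream "$1" | tar -C "$2" -xf -
}

# build_from_source SRC OUT: hypothetical deterministic build (stand-in for a compiler).
build_from_source() { cat "$1"/*.sh > "$2"; }

# verify_sea FILE WORK: rebuild from the embedded source, compare with the shipped binary.
verify_sea() {
    extract_sea "$1" "$2/x" || return 3
    build_from_source "$2/x/src" "$2/rebuilt"
    shipped=$(sha256sum < "$2/x/bin/prog" | cut -d' ' -f1)
    rebuilt=$(sha256sum < "$2/rebuilt" | cut -d' ' -f1)
    [ "$shipped" = "$rebuilt" ]
}

# demo: prints "match mismatch" (honest archive verifies, tampered one does not).
demo() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/good/bin" "$w/good/src" "$w/a" "$w/b"
    printf 'echo hello\n' > "$w/good/src/main.sh"
    cp "$w/good/src/main.sh" "$w/good/bin/prog"
    make_sea "$w/good.sea" "$w/good"
    cp -R "$w/good" "$w/bad"
    printf 'echo tampered\n' >> "$w/bad/bin/prog"   # binary no longer matches its source
    make_sea "$w/bad.sea" "$w/bad"
    verify_sea "$w/good.sea" "$w/a" && r1=match || r1=mismatch
    verify_sea "$w/bad.sea" "$w/b" && r2=match || r2=mismatch
    rm -rf "$w"
    echo "$r1 $r2"
}
```

The checksum comparison is only meaningful when the real build is reproducible; a compiler that embeds timestamps or paths will report a mismatch for an honest binary.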

