From 21e09000468d4fe416393918d7dcb43f51db7b5b Mon Sep 17 00:00:00 2001
From: Ximin Luo
Date: Thu, 20 Apr 2017 00:19:35 +0200
Subject: [PATCH] Update filter lists and add a suspcious-source scanner
---
 debian/README.source | 4 ++--
 debian/deps-tarball-filter.txt | 1 +
 debian/deps-tarball-unsuspicious.txt | 29 +++++++++++++++++++++++++++
 debian/make_orig_multi.sh | 25 ++++++++++++++++++++---
 debian/patches/clean-cargo-deps.patch | 2 +-
 5 files changed, 55 insertions(+), 6 deletions(-)
 create mode 100644 debian/deps-tarball-unsuspicious.txt
diff --git a/debian/README.source b/debian/README.source
index 1c6a4d669..4a2b5502a 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -1,14 +1,14 @@
 Updating the package
 ====================
-1. Run d/make_orig_multi.sh.
+1. Run d/make_orig_multi.sh .
 2. Verify the -deps component tarball to make sure it looks good. If not, edit d/make_orig_multi.sh and the surrounding files (such as patches and exclude files) and repeat the above until it looks good.
 3. $ git fetch upstream
 You might have to first run:
 $ git remote add upstream https://github.com/rust-lang/cargo
-4. $ gbp import-orig ../cargo_0.16.0.orig.tar.gz
+4. $ gbp import-orig ../cargo_.orig.tar.gz
 If you get errors, check the extra default flags in d/gbp.conf
 General info
diff --git a/debian/deps-tarball-filter.txt b/debian/deps-tarball-filter.txt
index fb48e7421..866af0016 100644
--- a/debian/deps-tarball-filter.txt
+++ b/debian/deps-tarball-filter.txt
@@ -6,6 +6,7 @@ libgit2-sys-*/libgit2/examples/
 libgit2-sys-*/libgit2/tests/
 libssh2-sys-*/libssh2*/
 libz-sys-*/src/zlib-*/
+strsim-*/docs/
 # To clean deps before making a new tarball, run
 # grep -v '^#' debian/deps-tarball-filter.txt | xargs -I% sh -c 'rm -rf %'
diff --git a/debian/deps-tarball-unsuspicious.txt b/debian/deps-tarball-unsuspicious.txt
new file mode 100644
index 000000000..9f5fb7491
--- /dev/null
+++ b/debian/deps-tarball-unsuspicious.txt
@@ -0,0 +1,29 @@
+# This is a list of files and dirs that are omitted from our custom
+# "suspicious files" scanner
+
+# test data
+flate2-*/tests/
+tar-*/tests/archives/
+term-*/tests/data/
+toml-*/tests/
+
+# misc support data
+hamcrest-*/LICENSE-*
+*/.travis.yml
+# "build status" link-images etc take up a lot of line-length
+*/README.md
+
+# individual files, manually audited:
+idna-*/tests/IdnaTest.txt
+idna-*/src/uts46_mapping_table.rs
+regex-*/src/testdata/basic.dat
+regex-*/tests/fowler.rs
+libgit2-sys-*/libgit2/src/openssl_stream.c
+term-*/scripts/id_rsa.enc
+url-*/github.png
+num-*/doc/favicon.ico
+num-*/doc/rust-logo-128x128-blk-v2.png
+num-*/.travis/deploy.enc
+miniz-sys-*/miniz.c
+docopt-*/src/test/testcases.rs
+winapi-*/src/winnt.rs
diff --git a/debian/make_orig_multi.sh b/debian/make_orig_multi.sh
index f8a3d5bbe..b15a6b206 100755
--- a/debian/make_orig_multi.sh
+++ b/debian/make_orig_multi.sh
@@ -25,6 +25,7 @@ fi;
 BOOTSTRAP_PY=$(find "${PWD}" -name bootstrap.py -type f)
 DEPS_FILTER=$(find "${PWD}" -name deps-tarball-filter.txt -type f)
+DEPS_SUS_WHITELIST=$(find "${PWD}" -name deps-tarball-unsuspicious.txt -type f)
 # Download cargo tarball
 uscan --rename ${USCAN_ARGS} --force-download --destdir "${TMPDIR}/"
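Review bot: The entries under `# individual files, manually audited:` are keyed on a crate-name glob, not a version (`term-*/scripts/id_rsa.enc`, `miniz-sys-*/miniz.c`, `winapi-*/src/winnt.rs`), so after a crate bump a changed file at the same path is exempted from the scanner even though only the older copy was looked at. Recording what was audited beside each entry, e.g. `# audited: <crate version or checksum>`, lets the list be re-checked on upgrades; pinning the glob to the audited version would be stricter but needs editing on every bump. The blanket `*/README.md` and `*/.travis.yml` lines exempt every present and future crate as well, which the line-length comment explains for README but not for `.travis.yml`; a one-line reason there would help the next auditor.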
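Review bot: `DEPS_SUS_WHITELIST=$(find "${PWD}" -name deps-tarball-unsuspicious.txt -type f)` is never checked, so if the file is not found the variable is empty and the later `grep -v '^#' ${DEPS_SUS_WHITELIST}` in the next hunk runs with no file argument and reads stdin instead, while two matches would be word-split into two files. A guard right after the assignment makes the failure explicit: `[ -n "${DEPS_SUS_WHITELIST}" ] || { echo "deps-tarball-unsuspicious.txt not found under ${PWD}" >&2; exit 1; }`. `DEPS_FILTER` on the line above has the same shape, but that is pre-existing, and whether the script runs under `set -e` is not visible in this hunk.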
@@ -49,13 +50,31 @@ cargo vendor --explicit-version --verbose deps
 # Unpack artifacts and clean embedded libs
 ${WORKDIR}/debian/cargo-vendor-unpack.py
-grep -v '^#' ${DEPS_FILTER} | xargs -I% sh -c 'rm -rf deps/%' &&
-tar -czf "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz" deps
+grep -v '^#' ${DEPS_FILTER} | xargs -I% sh -c 'rm -rf deps/%'
+
+# Report any suspicious files
+cp -R deps deps-scan
+grep -v '^#' ${DEPS_SUS_WHITELIST} | xargs -I% sh -c 'rm -rf deps-scan/%'
+echo "Checking for suspicious files..."
+# The following shell snippet is a bit more strict than suspicious-source(1)
+find deps-scan -type f -and -not -name '.cargo-checksum.json' -exec file '{}' \; | \
+ sed -e 's/\btext\b\(.*\), with very long lines/verylongtext\1/g' | \
+ grep -v '\b\(text\|empty\)\b' || true
+echo "The above files (if any) seem suspicious, please audit them."
+echo "If good, add them to ${DEPS_SUS_WHITELIST}."
+echo "If bad, add them to ${DEPS_FILTER}."
+rm -rf deps-scan
+
+# Pack it up, reproducibly
+GZIP=-9n tar --sort=name \
+ --mtime="./Cargo.lock" \
+ --owner=root --group=root \
+ -czf "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz" deps
 # All is good, we are done!
 echo "Your files are available at:"
 echo "${TMPDIR}/cargo_${CARGO_VER}.orig.tar.gz \\"
 echo "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz"
 echo ""
-echo "Unpacked cargo sources are availabe under:"
+echo "Unpacked cargo sources are available under:"
 echo "${TMPDIR}/cargo/"
diff --git a/debian/patches/clean-cargo-deps.patch b/debian/patches/clean-cargo-deps.patch
index 57dd40a2d..a3bea54be 100644
--- a/debian/patches/clean-cargo-deps.patch
+++ b/debian/patches/clean-cargo-deps.patch
@@ -10,7 +10,7 @@ Forwarded: not-needed
 --- a/Cargo.toml
 +++ b/Cargo.toml
 @@ -47,8 +47,8 @@
- url = "1.1"
+
 -[target.'cfg(windows)'.dependencies]
 -advapi32-sys = "0.2"
 -kernel32-sys = "0.2"
-- 
2.30.2
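Review bot: The scanner is advisory only: the `find | sed | grep` output is not captured, the script prints `The above files (if any) seem suspicious` regardless, then packs the tarball and announces `All is good`, so a flagged file is easy to scroll past and still ends up in the -deps tarball. Capturing the pipeline output and stopping before the `tar` when it is non-empty turns the scan into the gate the whitelist is designed for; the rewrite below does that and keeps the messages. Two smaller points on the same lines: `grep -v '^#'` forwards the blank separator lines of deps-tarball-unsuspicious.txt to `xargs -I%` — I believe GNU xargs skips blank lines in `-I` mode but have not verified it, and with an implementation that does not, each becomes `rm -rf deps-scan/` and the scan silently finds nothing, so `grep -v '^\(#\|$\)'` is cheap insurance; and `-exec file '{}' \;` forks one `file` per vendored file where `-exec file {} +` batches them. The script's `set -e`/`pipefail` state is outside the hunk, so the `|| true` is kept as is.
```shell
# Report any suspicious files
cp -R deps deps-scan
grep -v '^\(#\|$\)' "${DEPS_SUS_WHITELIST}" | xargs -I% sh -c 'rm -rf deps-scan/%'
echo "Checking for suspicious files..."
# The following shell snippet is a bit more strict than suspicious-source(1)
suspicious=$(find deps-scan -type f -and -not -name '.cargo-checksum.json' -exec file {} + | \
  sed -e 's/\btext\b\(.*\), with very long lines/verylongtext\1/g' | \
  grep -v '\b\(text\|empty\)\b' || true)
rm -rf deps-scan
if [ -n "${suspicious}" ]; then
  echo "${suspicious}"
  echo "The above files seem suspicious, please audit them." >&2
  echo "If good, add them to ${DEPS_SUS_WHITELIST}." >&2
  echo "If bad, add them to ${DEPS_FILTER}." >&2
  exit 1
fi
# … unchanged: reproducible tar and final messages …
```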