On 4/7/21 22:32, Ben Cotton wrote:
https://fedoraproject.org/wiki/Changes/DebuginfodByDefault

== Summary ==
Fedora users / developers who need to debug/trace distro binaries can
make use of the recently activated elfutils-debuginfod servers to
automatically fetch debugging data and source code, instead of having
to use `# sudo dnf` commands.

Now readelf, annobin and hell knows what else have started to talk to
REMOTE SERVERS, from deep inside the internals of complicated build infrastructure
running on presumably secure build machines of various IT corporations
and whatnot!

This is devastatingly insecure: just ONE remote exploit bug, and many IT
corporations can be exposed.

Do you understand how many fetches of debuginfo will be attempted by e.g.
kernel build tooling when it runs readelf on 8000 freshly built modules
_for every kernel build_? How slow is it?

Now various tools need to forcibly unset the variable to stop this madness.

commit b927c044b8809c4dd892f75737240a20c32c2b90
Author: Panu Matilainen <pmati...@redhat.com>
Date:   Thu Feb 16 12:25:24 2023 +0200

    Disable debuginfod server lookups in build and dependency generator scripts

    With recent elfutils (0.182 or so) various seemingly innocuous tools
    such as `readelf` like to do network lookups for ELF symbol information.
    There's no circumstance where we'd want that to happen during rpmbuild,
    so disable these lookups during all spec build scriptlets and also
    dependency generator children.

+       unsetenv("DEBUGINFOD_URLS");
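Review bot: the hunk shows only the `unsetenv("DEBUGINFOD_URLS");` line with no surrounding context, so it is not visible whether the call sits on the path taken before each fork of both the spec build scriptlets and the dependency-generator children that the commit message names, or only on one of them; please confirm both exec paths are covered, since any missed path keeps the lookups enabled there. The unchecked return value of unsetenv is fine for a fixed, valid variable name.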

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue