Opened 8 years ago

Closed 8 years ago

#4984 closed defect (fixed)

remove build detritus from tbb releases

Reported by: phobos
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

From a tor-talk email:
I located some hidden files in the extracted tbb/linux, current version,
directories, are these common files or rogue and what generates these
files?

Within the Lib directory:

size / name / sha1sum

1264 .shared-library-name-list
d43f3c1d4d213f8a911d3eb8725182d0f3dc61f0

808 .shared-library-rename-action-list
8db99e99f31310b3f8e7dd9cab341090fc30b88d

Within the Lib/libz directory:

size / name

83 .shared-library-name-list
18e05ed73a6531d3f0e097ce9d562788fe50cd86

56 .shared-library-rename-action-list
258051374c38f7d8c1a38648e3116ada648df1b4

Contents of the Lib hidden files:

Lib$ cat .shared-library-name-list
{libQtCore.so link libQtCore.so.4.6.2} {libQtCore.so.4 link
libQtCore.so.4.6.2} {libQtCore.so.4.6 link libQtCore.so.4.6.2}
{libQtCore.so.4.6.2 file {}} {libQtGui.so link libQtGui.so.4.6.2}
{libQtGui.so.4 link libQtGui.so.4.6.2} {libQtGui.so.4.6 link
libQtGui.so.4.6.2} {libQtGui.so.4.6.2 file {}} {libQtNetwork.so link
libQtNetwork.so.4.6.2} {libQtNetwork.so.4 link libQtNetwork.so.4.6.2}
{libQtNetwork.so.4.6 link libQtNetwork.so.4.6.2} {libQtNetwork.so.4.6.2
file {}} {libQtXml.so link libQtXml.so.4.6.2} {libQtXml.so.4 link
libQtXml.so.4.6.2} {libQtXml.so.4.6 link libQtXml.so.4.6.2}
{libQtXml.so.4.6.2 file {}} {libcrypto.so link libcrypto.so.1.0.0}
{libcrypto.so.1.0.0 file {}} {libevent-2.0.so.5 link
libevent-2.0.so.5.1.4} {libevent-2.0.so.5.1.4 file {}} {libevent.so link
libevent-2.0.so.5.1.4} {libevent_core-2.0.so.5 link
libevent_core-2.0.so.5.1.4} {libevent_core-2.0.so.5.1.4 file {}}
{libevent_core.so link libevent_core-2.0.so.5.1.4}
{libevent_extra-2.0.so.5 link libevent_extra-2.0.so.5.1.4}
{libevent_extra-2.0.so.5.1.4 file {}} {libevent_extra.so link
libevent_extra-2.0.so.5.1.4} {libpng14.so link libpng14.so.14.8.0}
{libpng14.so.14 link libpng14.so.14.8.0} {libpng14.so.14.8.0 file {}}
{libssl.so link libssl.so.1.0.0} {libssl.so.1.0.0 file {}}ubuntu

Lib$ cat .shared-library-rename-action-list
{rm libQtCore.so} {rm libQtCore.so.4} {mv libQtCore.so.4.6.2
libQtCore.so.4} {rm libQtCore.so.4.6} {rm libQtGui.so} {rm libQtGui.so.4}
{mv libQtGui.so.4.6.2 libQtGui.so.4} {rm libQtGui.so.4.6} {rm
libQtNetwork.so} {rm libQtNetwork.so.4} {mv libQtNetwork.so.4.6.2
libQtNetwork.so.4} {rm libQtNetwork.so.4.6} {rm libQtXml.so} {rm
libQtXml.so.4} {mv libQtXml.so.4.6.2 libQtXml.so.4} {rm libQtXml.so.4.6}
{rm libcrypto.so} {rm libevent-2.0.so.5} {mv libevent-2.0.so.5.1.4
libevent-2.0.so.5} {rm libevent.so} {rm libevent_core-2.0.so.5} {mv
libevent_core-2.0.so.5.1.4 libevent_core-2.0.so.5} {rm libevent_core.so}
{rm libevent_extra-2.0.so.5} {mv libevent_extra-2.0.so.5.1.4
libevent_extra-2.0.so.5} {rm libevent_extra.so} {rm libpng14.so} {rm
libpng14.so.14} {mv libpng14.so.14.8.0 libpng14.so.14} {rm
libssl.so}ubuntu

Contents of the Lib/libz hidden files:

Lib/libz$ cat .shared-library-name-list
{libz.so link libz.so.1.2.5} {libz.so.1 link libz.so.1.2.5} {libz.so.1.2.5
file {}}ubuntu

Lib/libz$ cat .shared-library-rename-action-list
{rm libz.so} {rm libz.so.1} {mv libz.so.1.2.5 libz.so.1}ubuntu

Do other Tor users' tbb/linux extracted directories contain these, too?
What are they?

Change History (5)

comment:1 Changed 8 years ago by rransom

Status: changed from new to needs_information

See https://lists.torproject.org/pipermail/tor-talk/2012-January/022939.html.

Do you have a valid reason for removing these files from TBB for Linux?

comment:2 Changed 8 years ago by keb

(opinion)
The bundle may be the only package most people will get ahold of, so it should appear trustworthy and foster the Tor Project collaborative culture. So if there are "hidden" files, they should be either documented within the bundle README or removed before release.

comment:3 Changed 8 years ago by mikeperry

Component: changed from Tor Browser to Tor bundles/installation
Owner: changed from mikeperry to erinn
Status: changed from needs_information to assigned

@keb: agree. The whole build process should be documented as well.

However, this is Erinn's dept.

comment:4 Changed 8 years ago by rransom

Status: changed from assigned to needs_review

See bug4984 ( https://git.torproject.org/user/rransom/torbrowser.git bug4984 ) for a patch to add explanatory comments to remove-shared-lib-symlinks's debug-dump files, so there will be absolutely no excuse for asking whether two small text files might be ‘rogue’ in a directory full of multi-megabyte binaries.

Removing these files is not an option -- I found #3801 (a sign that some TBBs did not contain what their documentation claimed they did) and #3906 (a major security problem) by looking at shared library names in the distributed TBBs. It's bad enough that we have to rename the shared libraries at all.
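
Added example (not part of the ticket, and not code from the torbrowser repository): a small audit helper that parses the two debug-dump files quoted in the description and reports which build-time library version sits behind each shipped file name, the kind of check comment:4 describes doing by hand. The meaning of the `link`/`file` and `rm`/`mv` entries is an assumption read off the dumps above, and the function names are hypothetical.

```python
# Added example: audit helper for the two debug-dump files quoted in this ticket.
# Assumed semantics (read off the dumps, not taken from the build script's source):
#   name list   : {name link target}  or  {name file {}}
#   action list : {rm name}           or  {mv old new}

def tcl_items(text):
    """Split a Tcl-style list into top-level {...} items, each as a word list.
    Text outside braces (such as the trailing 'ubuntu' prompt residue) is ignored."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced '}}' at offset {i}")
            if depth == 0:
                items.append(text[start:i].split())
    if depth:
        raise ValueError("unterminated '{'")
    return items


def shipped_libraries(name_list, action_list):
    """Return ({shipped file name: build-time file name}, [inconsistencies])."""
    kinds = {item[0]: item[1] for item in tcl_items(name_list) if len(item) >= 2}
    shipped = {name: name for name, kind in kinds.items() if kind == "file"}
    problems = []
    for action in tcl_items(action_list):
        if action[:1] == ["rm"] and len(action) == 2:
            # Only symlinks are expected to be removed; anything else is suspicious.
            if kinds.get(action[1]) != "link":
                problems.append(f"rm of a non-symlink: {action[1]}")
            shipped.pop(action[1], None)
        elif action[:1] == ["mv"] and len(action) == 3 and action[1] in shipped:
            shipped[action[2]] = shipped.pop(action[1])
        else:
            problems.append("unexpected action: " + " ".join(action))
    return shipped, problems


# Lib/libz contents exactly as quoted in the ticket description (line wrap included).
LIBZ_NAMES = """{libz.so link libz.so.1.2.5} {libz.so.1 link libz.so.1.2.5} {libz.so.1.2.5
file {}}ubuntu"""
LIBZ_ACTIONS = "{rm libz.so} {rm libz.so.1} {mv libz.so.1.2.5 libz.so.1}ubuntu"

if __name__ == "__main__":
    print(shipped_libraries(LIBZ_NAMES, LIBZ_ACTIONS))
```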

comment:5 Changed 8 years ago by erinn

Resolution: fixed
Status: changed from needs_review to closed

Thanks, rransom. I've merged your branch and it's in the release that's going out tonight. Closing.
