@xnox xnox commented Apr 17, 2025

lib64 has always been a symlink to lib in wolfi. However file
installation has been soft allowed into that location. As it sort of
worked if wolfi-baselayout is unpacked first. But it still leads to
`apk audit` failing. As we are getting more strict with file locations
in the .apks, add /lib64 and /usr/lib64 linting.

At this time one should use /lib and /usr/lib locations instead.
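
The lint rule described above, as an added example that is not part of the pull request or the project's linter code: it walks a constructed package tree and reports every file below `lib64` or `usr/lib64` together with the `lib` or `usr/lib` location to use instead. `LintLib64`, `symlinkedDirs`, `samplePackage` and the sample file names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// symlinkedDirs maps each directory the description names as a symlink to the
// real directory a package should install into instead.
var symlinkedDirs = map[string]string{"lib64": "lib", "usr/lib64": "usr/lib"}

// samplePackage is a constructed file tree, not taken from any real .apk.
var samplePackage = fstest.MapFS{
	"lib64/ld-example.so":       {Data: []byte("x")},
	"usr/lib64/libexample.so.1": {Data: []byte("x")},
	"usr/lib/libok.so.1":        {Data: []byte("x")},
	"usr/lib64-compat/README":   {Data: []byte("x")}, // different directory, must pass
}

// LintLib64 walks a package tree and returns "found -> suggested" for every
// file below a symlinked directory. Matching on dir+"/" keeps look-alike
// names such as usr/lib64-compat from being flagged.
func LintLib64(fsys fs.FS) ([]string, error) {
	var findings []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		for dir, real := range symlinkedDirs {
			if rest, ok := strings.CutPrefix(p, dir+"/"); ok {
				findings = append(findings, p+" -> "+real+"/"+rest)
			}
		}
		return nil
	})
	return findings, err
}

func main() {
	findings, err := LintLib64(samplePackage)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("lib64 lint:", f)
	}
}
```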
xnox commented Apr 17, 2025

glibc is now merged; and should rebuild as green.

but also need to run analysis on /lib64 usage.

xnox commented Apr 17, 2025

gitsign & guac => it's just CVE flag up, the build is successful.

@@ -811,6 +812,12 @@ func usrmergeLinter(ctx context.Context, _ *config.Configuration, _ string, fsys
if strings.HasPrefix(path, "usr/sbin") {
return fmt.Errorf("package writes to /usr/sbin in violation of usrmerge: %s", path)
}
if strings.HasPrefix(path, "lib64") {
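
Review bot: the prefix test on the last visible line, `strings.HasPrefix(path, "lib64")`, has no path-separator boundary, so it also matches any top-level name that merely begins with those characters (a hypothetical `lib64-compat/` directory, for instance). Comparing against `"lib64/"`, plus an exact match on `lib64` if the entry itself should be rejected, would limit the error to the symlinked directory. The `usr/sbin` check in the context lines above has the same shape and could be tightened in the same pass.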
This can be refactored to `for _, symlink := range symlinked; [...]` now

smoser previously approved these changes Apr 17, 2025
@smoser smoser left a comment
As of "right now" usr/lib64 has offenders in

| repo | origin | binpkg |
|------|--------|--------|
| wolfi | apache-orc | apache-orc |
| wolfi | apache-orc | apache-orc-dev |
| wolfi | fontforge | fontforge |
| wolfi | libffi | libffi |
| wolfi | libffi | libffi-dev |
| wolfi | libffi | libffi-pic-dev |
| wolfi | mimalloc2 | mimalloc2 |
| wolfi | mimalloc2 | mimalloc2-dev |
| wolfi | mold | mold |
| extras | msodbcsql18 | msodbcsql18 |
| wolfi | sysstat | sysstat |
| wolfi | xfsprogs | xfsprogs-dev |
| wolfi | xfsprogs | xfsprogs-libs |

@smoser smoser dismissed their stale review April 17, 2025 18:11

meant to not approve and only comment.
