From: Mark Wielaard <mark@klomp.org>
To: "Frank Ch. Eigler" <fche@redhat.com>
Cc: elfutils-devel@sourceware.org, amerey@redhat.com
Subject: Re: patch 2/2 debuginfod server etc.
Date: Tue, 19 Nov 2019 20:11:00 -0000 [thread overview]
Message-ID: <20191119201128.GA3494@wildebeest.org> (raw)
In-Reply-To: <20191119161348.GB4911@redhat.com>
Hi Frank,
On Tue, Nov 19, 2019 at 11:13:48AM -0500, Frank Ch. Eigler wrote:
> > > > This does keep me slightly worried. Even "trustworthy binaries" could
> > > > be produced by buggy compilers.
> > >
> > > Those would be untrustworthy binaries.
> > But then every binary could be untrustworthy :)
>
> If we have legitimate concerns about the correctness of toolchains
> that the build the OS with, then we have much bigger problems than
> leaking /usr/include header files. Would you like me to scan some
> distro binaries for questionable source paths to ease your mind?
The problem isn't me believing toolchains can generate buggy debug
data. The problem is that debug data generation is a complex process
that involves a lot of moving part, some of which a user might not
immediately realize. What I want is simply make it easy for the user
to say where they expect the sources are. So there is no surprises.
> > The /usr/include/* thing is precisely why I think it is wrong to
> > provide those files. Those just happen to be the versions of the
> > include file installed on the machine the server is running on. They
> > might be completely different. Some debug files might have references
> > to (generated) files in /tmp. You wouldn't want to provide those, even
> > if they existed on the file system.
>
> The -F mode is suitable for sharing build trees. By definition, the
> content is going to be up to the runtime whims of the system, because
> even non-/usr/include files may change between one build and the next.
> This is okay, it is just like running gdb on an older binary when the
> source trees have changed. (We even propagate mtimes to the client,
> so gdb can notice it the same way as if it were local.)
-F mode does indeed seem suitable for sharing local build trees. If
we add a big warning about it possibly sharing all local files. It
doesn't seem suitable for sharing things like /usr/lib/debug and
/usr/debug/src directories. When a user does that I don't expect to
share anything other than the files under those directories.
> > Yes, there might be source files outside the sources tree you provided,
> > but that doesn't mean you want to just hand them out.
> >
> > In particular I believe that if we find source files under
> > /usr/src/debug then we should only provide those source files, not any
> > others on the file system.
>
> (Note that we don't find/index source files for -F build trees at all.
> We simply check outbound filesystem references from ELF/DWARF files
> that we found/indexed.) People who wish to share their build trees
> for debugging on a nearby machine should not be forced to install
> their code to privileged directories like /usr/src/debug.
I do agree with that. You should be able to share your build tree and
even allow sharing sources outside the build tree. If you choose to.
The issue I am concerned about is the other way around. If you don't
choose to share your build tree and any other file on your system that
might be referenced from it.
> > > Would you be satisfied if the -F / -R flags were restored, so that -F
> > > would be required in order to start file-scanning threads (and similar
> > > for -R)? Then all this does not arise, because people who don't trust
> > > their compilers wouldn't run debuginfod in -F mode.
> >
> > That would be helpful, but then -F should not be used by default. And I
> > don't think we should recommend people use it.
>
> The compiled-in default for the binary is off. The systemd service
> default, it happens to be on, but it's configured to serve only
> privileged directories that people with bad compilers cannot sneak
> binaries into. People running personal servers can/should use -F as
> they see fit. In the context of a normal workgroup - it's fine.
So -F seems fine for the later, just not for the former.
> > Is that deliberate? What would it take to let it use the system certs
> > for authentication?
>
> System certs do not serve to authenticate clients. Client
> certificates are per-user things that come with their own management
> headaches. Will think about authentication matters in the future.
I thought ca-certificates.crt were normally used to authenticate
remote servers.
Cheers,
Mark
next prev parent reply other threads:[~2019-11-19 20:11 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-28 19:04 patch 0/2 debuginfod submission Frank Ch. Eigler
2019-10-28 19:06 ` patch 1/2 debuginfod client Frank Ch. Eigler
2019-10-28 19:09 ` patch 2/2 debuginfod server etc Frank Ch. Eigler
2019-11-04 21:48 ` patch 3/3 debuginfod client interruptability Frank Ch. Eigler
2019-11-07 9:07 ` patch 4 debuginfod: symlink following mode Frank Ch. Eigler
2019-11-07 9:08 ` patch 5 debuginfod: prometheus metrics Frank Ch. Eigler
2019-11-15 17:26 ` Mark Wielaard
2019-11-15 17:58 ` Frank Ch. Eigler
2019-11-18 16:20 ` Mark Wielaard
2019-11-18 16:48 ` Frank Ch. Eigler
2019-11-19 16:13 ` Mark Wielaard
2019-11-15 16:49 ` patch 4 debuginfod: symlink following mode Mark Wielaard
2019-11-15 18:31 ` Frank Ch. Eigler
2019-11-18 16:27 ` Mark Wielaard
2019-11-15 16:16 ` patch 3/3 debuginfod client interruptability Mark Wielaard
2019-11-15 17:03 ` Aaron Merey
2019-11-15 17:35 ` Mark Wielaard
2019-11-15 18:14 ` Pedro Alves
2019-11-17 23:44 ` Mark Wielaard
2019-11-18 2:50 ` Frank Ch. Eigler
2019-11-18 9:24 ` Pedro Alves
2019-11-19 12:58 ` Mark Wielaard
2019-11-13 17:22 ` patch 2/2 debuginfod server etc Mark Wielaard
2019-11-14 11:54 ` Frank Ch. Eigler
2019-11-16 1:31 ` Mark Wielaard
2019-11-13 23:19 ` Mark Wielaard
2019-11-14 12:30 ` Frank Ch. Eigler
2019-11-18 14:17 ` Mark Wielaard
2019-11-18 18:41 ` Frank Ch. Eigler
2019-11-19 15:41 ` Mark Wielaard
2019-11-19 16:13 ` Frank Ch. Eigler
2019-11-19 20:11 ` Mark Wielaard [this message]
2019-11-19 21:15 ` Frank Ch. Eigler
2019-11-20 11:53 ` Mark Wielaard
2019-11-20 12:29 ` Frank Ch. Eigler
2019-11-21 14:16 ` Mark Wielaard
2019-11-21 15:40 ` Mark Wielaard
2019-11-21 16:01 ` Frank Ch. Eigler
2019-11-21 15:58 ` Frank Ch. Eigler
2019-11-21 16:37 ` Mark Wielaard
2019-11-21 17:18 ` Frank Ch. Eigler
2019-11-21 20:42 ` Mark Wielaard
2019-11-22 12:08 ` Mark Wielaard
2019-11-14 20:45 ` Mark Wielaard
2019-11-15 11:03 ` Mark Wielaard
2019-11-15 21:00 ` Frank Ch. Eigler
2019-11-18 15:01 ` Mark Wielaard
2019-11-15 14:40 ` Mark Wielaard
2019-11-15 19:54 ` Frank Ch. Eigler
2019-11-18 15:31 ` Mark Wielaard
2019-11-18 15:49 ` Frank Ch. Eigler
2019-11-12 11:12 ` patch 1/2 debuginfod client Mark Wielaard
2019-11-12 15:14 ` Frank Ch. Eigler
2019-11-12 21:59 ` Mark Wielaard
2019-11-14 0:33 ` Frank Ch. Eigler
2019-11-15 21:33 ` Mark Wielaard
2019-11-12 21:25 ` Mark Wielaard
2019-11-13 23:25 ` Frank Ch. Eigler
2019-11-16 0:46 ` Mark Wielaard
2019-11-16 18:53 ` Frank Ch. Eigler
2019-11-18 17:17 ` Mark Wielaard
2019-11-18 20:33 ` Frank Ch. Eigler
2019-11-19 15:57 ` Mark Wielaard
2019-11-19 16:20 ` Frank Ch. Eigler
2019-11-19 20:16 ` Mark Wielaard
2019-11-19 21:22 ` Frank Ch. Eigler
2019-11-20 12:50 ` Mark Wielaard
2019-11-20 13:30 ` Frank Ch. Eigler
2019-11-21 14:02 ` Mark Wielaard
2019-11-13 13:57 ` Mark Wielaard
2019-11-14 11:24 ` Frank Ch. Eigler
2019-11-16 0:52 ` Mark Wielaard
2019-11-16 2:28 ` Frank Ch. Eigler
2019-10-30 11:04 ` patch 0/2 debuginfod submission Mark Wielaard
2019-10-30 13:40 ` Frank Ch. Eigler
2019-10-30 14:12 ` Mark Wielaard
2019-10-30 18:11 ` Frank Ch. Eigler
2019-10-31 11:18 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191119201128.GA3494@wildebeest.org \
--to=mark@klomp.org \
--cc=amerey@redhat.com \
--cc=elfutils-devel@sourceware.org \
--cc=fche@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).