<oriansj>and since ${ARCH}/bin works best, that is what will be done. I am also going to be adding a ${ARCH}/artifact to hold every build temp and hold file, to enable one to perform a manual step audit after the fact <oriansj>and it'll solve where to put the mescc-tools-extra build artifacts problem when doing multi-architecture parallel builds <stikonas>hmm, forgot to wire in after.kaem hook for risc-v... <stikonas>well, we can do that for the next release <stikonas>fossy: do you want to have exec in kaem? <stikonas>might reduce the number of parent processes that are waiting <oriansj>yeah, it is gonna be a full rewrite of the kaem scripts for stage0-posix but it'll be much cleaner <oriansj>So I'll be doing each arch as a separate commit. It is *BIG* <fossy>stikonas[m]: i have no problems with that <oriansj>and x86 for stage0-posix has been entirely isolated <oriansj>and I'll isolate the rest over the next couple days <oriansj>advantage of stupid tools. Less places for attacks <oriansj>xentrac: the stage0-posix bootstrap builds are now being isolated into their architecture specific directories to enable all of the architectures to be build in parallel to speed up cross-platform testing. <oriansj>it is a big change so I am doing each architecture one at a time <oriansj>and now all of the temp and hold files created during the bootstrap are now preserved to enable an audit to go in and find exactly where something might have corrupted a bootstrap <oriansj>So one can archive (tar up) the artifact folder to provide a full audit trail for every single binary produced by stage0-posix <Hagfish>"It is possible to create a source distribution which leads to different files seen by the build environment than compared to a careful reviewer and other Linux distributions." <fossy>i think a very easy way to make sure this dosen't occur is to just extract a few times with a few different tar implementations and make sure they are all the same <Hagfish>i also think that there should be a --paranoid option to these tools which check that the archive doesn't contain any strange data <Hagfish>for example, there shouldn't be any data in the archive that doesn't end up as a created file (other than metadata) <Hagfish>that would be a good place to add checks that nothing dodgy is hiding in the .tar files <stikonas>well, but that tar thing just looks like a bug in implementation <stikonas>because you can review untar source code <stikonas>it is a problem if you rely on tar blobs to unpack other tarballs (including tar itself) <stikonas>mescc-tools untar actually returns 1 on that archive <stikonas>which is expected I guess since that implementation is taken from libarchive <xentrac>interesting source of nondeterminism I learned about yesterday: recent versions of GCC build everything as PIE by default, so that recent Linux kernels (or ld.so?) can employ ASLR with the segments of the executable <xentrac>of course this doesn't have to result in nondeterministic externally visible behavior of the executable, but it can ***pgreco_ is now known as pgreco
<oriansj>well untar is not defensively programmed yet. <oriansj>So if someone wants expand it with input validation, it will probably be a good idea <stikonas>fossy said he is happy with exec built-in <stikonas>hmm, M2-Planet has a crashy argument handler... <Hagfish>oof. that's something a fuzzer could find, right? <stikonas>if it doesn't fuzz command line arguments, then it won't find it <stikonas>well, the code just uses argv[i +1] without checking argc <stikonas>so a single if there to compare argc and i+1 would avoid the crash and then can exit gracefully <fossy>stikonas: would you mind also adding a check that execve never returns? Just add a line below that exits if it ever gets there after the execve <fossy>I would prefer to fail fast there in case the exec fails <stikonas>fossy: don't we already have _exit(EXIT_SUCCESS); ? <stikonas>or do you want meto fail in case of exec? <stikonas>oh, actually we don't want EXIT_SUCCESS... <fossy>I am unsure why the other one is EXIT_SUCCESS anyway <stikonas>hmm, the other probably doesn't matter that much... <fossy>oh right waitpid handles that <stikonas>although, we still want parent to detet failure <stikonas>but yes, I guess waitpid will see that execve failed <fossy>there is no parent when you exec <stikonas>I'm just trying to understand if we just want exit(failure) in both cases... <stikonas>fossy: do you know why it uses _exit rather than exit? <stikonas>hmm, the difference seems to be whether we run kill_io function <stikonas>so without forking (with exec) I guess I actually want exit and not _exit