On Friday, 22 May 2020 at 21:31 -0400, Steve Grubb wrote:
> Over a couple emails I kind of realized that originally this was
> framing the question wrong. My question now is how can we determine
> what is meant to be executable by system applications vs examples
> and other cruft?

There is no easy way right now because this stuff gets classified by humans, the distinction you want did not exist in the past in the FHS, so the human classifiers did not think about it.

You could go to the FHS and request separating executable and non-executable data in separate roots, and 5 years after you did it, you'd begin to see the result of the standard change in production systems. I think that would also involve driving a Fedora Change to focus Fedora packagers on changing things, and to help fix all the software that assumes both roots are the same today.

And that would require first for you to have an ironclad definition of what executable means. For example, Go source code is mostly not executable (people do not expect to run it in a Go interpreter). Except that when this code is present, it will be picked up by the next Go static build that needs it, making it behave like a shared library (except a library that will be re-built by each of its users). So, from a security POV, I suspect it needs to be treated as executable, except most people would not think of it this way. Google will certainly scan it in its own containers the same way it does for ELF files.

I suspect you could spend a year going through such cases to determine if they need treating as executable or not. And, in the end, at least 20% of the target population will decide you are making their life miserable for no good reason, and continue to blatantly ignore your standard, and mix things. Like systemd and rpm did for multiarch.

So if you care about security you'll still need to audit the non-executable root. Except the audit will be less painful, because a lot of stuff would have been sorted by others.

Regards,

--
Nicolas Mailhot
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
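A starting point for the audit of the "non-executable" root that the reply ends on, as an added example that is not part of the thread: it classifies files by content (ELF magic, shebang, exec bit) rather than by where they live, and also flags Go source, which the reply argues a later static build will pick up. The sample tree it builds is constructed for this demo, not taken from any real package.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def classify(head: bytes, name: str) -> str:
    """Classify a file by its leading bytes and name, not by its location."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    if name.endswith(".go"):
        return "go-source"  # not run directly, but consumed by the next build
    return "data"

def audit_tree(root: str) -> list:
    """Return (relative path, kind, has exec bit) for every file worth a look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            with open(path, "rb") as f:
                head = f.read(4)
            kind = classify(head, fn)
            exec_bit = bool(st.st_mode & 0o111)
            if kind != "data" or exec_bit:
                findings.append((os.path.relpath(path, root), kind, exec_bit))
    return sorted(findings)

def demo() -> list:
    """Build a constructed sample 'non-executable' tree and audit it."""
    samples = {  # path -> (content, mode); all constructed for this example
        "share/doc/example.sh": (b"#!/bin/sh\necho hi\n", 0o644),
        "share/doc/README": (b"plain text\n", 0o644),
        "share/doc/notes.txt": (b"text with a stray exec bit\n", 0o755),
        "share/gocode/src/foo/foo.go": (b"package foo\n", 0o644),
        "share/misc/helper": (ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9, 0o755),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
            os.chmod(path, mode)
        return audit_tree(root)
```

Point audit_tree at a real /usr/share to see how much of a "data" root is script, ELF, or source that a build would consume; README is the only sample above that is not reported.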