laantungir
/
bitcoin
mirror of https://github.com/bitcoin/bitcoin.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

guix: move *-check.py scripts under contrib/guix 

These scripts are not meant for general developer usage. They are for
use on the release binaries, which have been compiled in an environment
that makes various assumptions in regards to c library, compiler
options, hardening options, patching etc.
This commit is contained in:
fanquake 2025-05-09 13:40:26 +01:00
parent 5b8752198e
commit 415650cea9
No known key found for this signature in database
GPG Key ID: 2EEB9F5CC09526C1
5 changed files with 9 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/module/Maintenance.cmake
View File

@ -31,13 +31,13 @@ function(add_maintenance_targets)
add_custom_target(check-symbols add_custom_target(check-symbols
COMMAND ${CMAKE_COMMAND} -E echo "Running symbol and dynamic library checks..." COMMAND ${CMAKE_COMMAND} -E echo "Running symbol and dynamic library checks..."
COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/symbol-check.py ${executables} COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/guix/symbol-check.py ${executables}
VERBATIM VERBATIM
) )
add_custom_target(check-security add_custom_target(check-security
COMMAND ${CMAKE_COMMAND} -E echo "Checking binary security..." COMMAND ${CMAKE_COMMAND} -E echo "Checking binary security..."
COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/security-check.py ${executables} COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/guix/security-check.py ${executables}
VERBATIM VERBATIM
) )
endfunction() endfunction()

29
contrib/devtools/README.md
View File

@ -159,35 +159,6 @@ For example:
BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-bitcoin-conf.sh BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-bitcoin-conf.sh
``` ```
security-check.py
=================
Perform basic security checks on a series of executables.
symbol-check.py
===============
A script to check that release executables only contain
certain symbols and are only linked against allowed libraries.
For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols.
This makes sure they are still compatible with the minimum supported distribution versions.
For macOS and Windows we check that the executables are only linked against libraries we allow.
Example usage:
find ../path/to/executables -type f -executable | xargs python3 contrib/devtools/symbol-check.py
If no errors occur the return value will be 0 and the output will be empty.
If there are any errors the return value will be 1 and output like this will be printed:
.../64/test_bitcoin: symbol memcpy from unsupported version GLIBC_2.14
.../64/test_bitcoin: symbol __fdelt_chk from unsupported version GLIBC_2.15
.../64/test_bitcoin: symbol std::out_of_range::~out_of_range() from unsupported version GLIBCXX_3.4.15
.../64/test_bitcoin: symbol _ZNSt8__detail15_List_nod from unsupported version GLIBCXX_3.4.15
circular-dependencies.py circular-dependencies.py
======================== ========================

4
contrib/devtools/security-check.py → contrib/guix/security-check.py
View File

@ -6,6 +6,10 @@
Perform basic security checks on a series of executables. Perform basic security checks on a series of executables.
Exit status will be 0 if successful, and the program will be silent. Exit status will be 0 if successful, and the program will be silent.
Otherwise the exit status will be 1 and it will log which executables failed which checks. Otherwise the exit status will be 1 and it will log which executables failed which checks.
Example usage:
find ../path/to/guix/binaries -type f -executable | xargs python3 contrib/guix/security-check.py
''' '''
import re import re
import sys import sys

2
contrib/devtools/symbol-check.py → contrib/guix/symbol-check.py
View File

@ -8,7 +8,7 @@ and are only linked against allowed libraries.
Example usage: Example usage:
find ../path/to/binaries -type f -executable | xargs python3 contrib/devtools/symbol-check.py find ../path/to/guix/binaries -type f -executable | xargs python3 contrib/guix/symbol-check.py
''' '''
import sys import sys

4
depends/packages.md
View File

@ -6,7 +6,7 @@ The package "mylib" will be used here as an example
General tips: General tips:
- mylib_foo is written as $(package)_foo in order to make recipes more similar. - mylib_foo is written as $(package)_foo in order to make recipes more similar.
- Secondary dependency packages relative to the bitcoin binaries/libraries (i.e. - Secondary dependency packages relative to the bitcoin binaries/libraries (i.e.
those not in `ALLOWED_LIBRARIES` in `contrib/devtools/symbol-check.py`) don't those not in `ALLOWED_LIBRARIES` in `contrib/guix/symbol-check.py`) don't
need to be shared and should be built statically whenever possible. See need to be shared and should be built statically whenever possible. See
[below](#secondary-dependencies) for more details. [below](#secondary-dependencies) for more details.
@ -184,7 +184,7 @@ the Autotools `--with-pic` flag, or `CMAKE_POSITION_INDEPENDENT_CODE` with CMake
## Secondary dependencies: ## Secondary dependencies:
Secondary dependency packages relative to the bitcoin binaries/libraries (i.e. Secondary dependency packages relative to the bitcoin binaries/libraries (i.e.
those not in `ALLOWED_LIBRARIES` in `contrib/devtools/symbol-check.py`) don't those not in `ALLOWED_LIBRARIES` in `contrib/guix/symbol-check.py`) don't
need to be shared and should be built statically whenever possible. This need to be shared and should be built statically whenever possible. This
improves general build reliability as illustrated by the following example: improves general build reliability as illustrated by the following example: