From 415650cea94f5050d7c368fdf9fd9878809957e1 Mon Sep 17 00:00:00 2001 From: fanquake Date: Fri, 9 May 2025 13:40:26 +0100 Subject: [PATCH] guix: move *-check.py scripts under contrib/guix These scripts are not meant for general developer usage. They are for use on the release binaries, which have been compiled in an environment that makes various assumptions in regards to c library, compiler options, hardening options, patching etc. --- cmake/module/Maintenance.cmake | 4 +-- contrib/devtools/README.md | 29 -------------------- contrib/{devtools => guix}/security-check.py | 4 +++ contrib/{devtools => guix}/symbol-check.py | 2 +- depends/packages.md | 4 +-- 5 files changed, 9 insertions(+), 34 deletions(-) rename contrib/{devtools => guix}/security-check.py (98%) rename contrib/{devtools => guix}/symbol-check.py (99%) diff --git a/cmake/module/Maintenance.cmake b/cmake/module/Maintenance.cmake index 4103c9b6383..a704dff175a 100644 --- a/cmake/module/Maintenance.cmake +++ b/cmake/module/Maintenance.cmake @@ -31,13 +31,13 @@ function(add_maintenance_targets) add_custom_target(check-symbols COMMAND ${CMAKE_COMMAND} -E echo "Running symbol and dynamic library checks..." - COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/symbol-check.py ${executables} + COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/guix/symbol-check.py ${executables} VERBATIM ) add_custom_target(check-security COMMAND ${CMAKE_COMMAND} -E echo "Checking binary security..." - COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/security-check.py ${executables} + COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/guix/security-check.py ${executables} VERBATIM ) endfunction() diff --git a/contrib/devtools/README.md b/contrib/devtools/README.md index 707a91c866d..366cd4a07df 100644 --- a/contrib/devtools/README.md +++ b/contrib/devtools/README.md 
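Review bot: The `check-symbols` and `check-security` targets still carry no comment saying they are only meaningful for Guix release binaries, even though the scripts they call now live under `contrib/guix` for exactly that reason. A developer who runs either target on a local build will get failures, or a pass that means little, because the checks assume the release toolchain, C library and hardening options. I would add above the first `add_custom_target` a comment such as `# Release (Guix) binaries only: the checks assume the release toolchain, C library and hardening options.` Whether `add_maintenance_targets` is already called only for release builds is not visible here, as the function begins above the hunk; if it is not, gating the targets is worth considering.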
@@ -159,35 +159,6 @@ For example: BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-bitcoin-conf.sh ``` -security-check.py -================= - -Perform basic security checks on a series of executables. - -symbol-check.py -=============== - -A script to check that release executables only contain -certain symbols and are only linked against allowed libraries. - -For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols. -This makes sure they are still compatible with the minimum supported distribution versions. - -For macOS and Windows we check that the executables are only linked against libraries we allow. - -Example usage: - - find ../path/to/executables -type f -executable | xargs python3 contrib/devtools/symbol-check.py - -If no errors occur the return value will be 0 and the output will be empty. - -If there are any errors the return value will be 1 and output like this will be printed: - - .../64/test_bitcoin: symbol memcpy from unsupported version GLIBC_2.14 - .../64/test_bitcoin: symbol __fdelt_chk from unsupported version GLIBC_2.15 - .../64/test_bitcoin: symbol std::out_of_range::~out_of_range() from unsupported version GLIBCXX_3.4.15 - .../64/test_bitcoin: symbol _ZNSt8__detail15_List_nod from unsupported version GLIBCXX_3.4.15 - circular-dependencies.py ======================== diff --git a/contrib/devtools/security-check.py b/contrib/guix/security-check.py similarity index 98% rename from contrib/devtools/security-check.py rename to contrib/guix/security-check.py index cc1eed9d269..b29b888101e 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/guix/security-check.py 
@@ -6,6 +6,10 @@ Perform basic security checks on a series of executables. Exit status will be 0 if successful, and the program will be silent. Otherwise the exit status will be 1 and it will log which executables failed which checks. + +Example usage: + + find ../path/to/guix/binaries -type f -executable | xargs python3 contrib/guix/security-check.py ''' import re import sys diff --git a/contrib/devtools/symbol-check.py b/contrib/guix/symbol-check.py similarity index 99% rename from contrib/devtools/symbol-check.py rename to contrib/guix/symbol-check.py index 17ea6d60e54..9bb5322e170 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/guix/symbol-check.py @@ -8,7 +8,7 @@ and are only linked against allowed libraries. Example usage: - find ../path/to/binaries -type f -executable | xargs python3 contrib/devtools/symbol-check.py + find ../path/to/guix/binaries -type f -executable | xargs python3 contrib/guix/symbol-check.py ''' import sys diff --git a/depends/packages.md b/depends/packages.md index f304f7e028a..105fd90bab7 100644 --- a/depends/packages.md +++ b/depends/packages.md @@ -6,7 +6,7 @@ The package "mylib" will be used here as an example General tips: - mylib_foo is written as $(package)_foo in order to make recipes more similar. - Secondary dependency packages relative to the bitcoin binaries/libraries (i.e. - those not in `ALLOWED_LIBRARIES` in `contrib/devtools/symbol-check.py`) don't + those not in `ALLOWED_LIBRARIES` in `contrib/guix/symbol-check.py`) don't need to be shared and should be built statically whenever possible. See [below](#secondary-dependencies) for more details. 
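Review bot: The new docstring example pipes `find` into `xargs` without `-r`, so with GNU xargs a wrong or empty path still runs the script once with no files. Since the docstring says success is silent with exit status 0, that run would presumably look like a pass; the argument handling is outside the hunk, so confirm. The pipeline also splits on whitespace in paths. I would write the example as `find ../path/to/guix/binaries -type f -executable -print0 | xargs -0 -r python3 contrib/guix/security-check.py`, and make the same change to the example line in the `contrib/guix/symbol-check.py` hunk that follows.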
@@ -184,7 +184,7 @@ the Autotools `--with-pic` flag, or `CMAKE_POSITION_INDEPENDENT_CODE` with CMake ## Secondary dependencies: Secondary dependency packages relative to the bitcoin binaries/libraries (i.e. -those not in `ALLOWED_LIBRARIES` in `contrib/devtools/symbol-check.py`) don't +those not in `ALLOWED_LIBRARIES` in `contrib/guix/symbol-check.py`) don't need to be shared and should be built statically whenever possible. This improves general build reliability as illustrated by the following example: