lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025040816-pork-lisp-7b66@gregkh>
Date: Tue, 8 Apr 2025 20:10:23 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: "Bird, Tim" <Tim.Bird@...y.com>
Cc: Gon Solo <gonsolo@...il.com>,
	Duje Mihanović <duje.mihanovic@...le.hr>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ricardo Ribalda <ribalda@...omium.org>,
	"linux-spdx@...r.kernel.org" <linux-spdx@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: spdxcheck: python git module considered harmful (was RE: [PATCH]
 scripts/spdxcheck: Limit the scope of git.Repo)

On Tue, Apr 08, 2025 at 05:34:20PM +0000, Bird, Tim wrote:
> > -----Original Message-----
> > From: Gon Solo <gonsolo@...il.com>
> > It's a known problem:
> > https://github.com/gitpython-developers/GitPython/issues/2003
> > https://github.com/python/cpython/issues/118761#issuecomment-2661504264
> > 
> 
> For what it's worth, I've always been a bit skeptical of the use of the python git module
> in spdxcheck.py.  Its use makes it impossible to use spdxcheck on a kernel source tree
> from a tarball (i.e., on source not inside a git repo).  Also, from what I can see in spdxcheck.py,
> the way it's used is just to get the top directories for either the LICENSES dir,
> the top dir of the kernel source tree, or the directory to scan passed on the
> spdxcheck.py command line, and then to use the repo.traverse() function on said directory.
> 
> This ends up excluding any files in the source directory tree that are not checked
> into git yet, silently skipping them (which I've run into before when using the tool).
> 
> I think the code could be relatively easily refactored to eliminate the use of the git
> module, to overcome these issues.  I'm not sure if removing the module would
> eliminate the yield operation (used inside repo.traverse()), which seems to be causing the
> problem found here.  IMHO, in my experience when using python it is helpful
> to use as few non-core modules as possible, because they tend to break like this
> occasionally.
> 
> Let me know if anyone objects to me working up a refactoring of spdxcheck.py
> eliminating the use of the python 'git' module, and submitting it for review.

No objection from me!
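The refactoring Tim describes, a plain filesystem traversal in place of the python 'git' module's repo.traverse(), as an added illustration written for this page. It is not scripts/spdxcheck.py, not a kernel patch, and does not reproduce spdxcheck's real exclusion rules or LICENSES checks. Assumptions made here: only .git is pruned from the walk (SKIP_DIRS), the SPDX tag is looked for in the first 15 lines of each file, the SPDX_RE pattern is this example's own, and the sample tree is constructed in a temporary directory so the script runs offline. The point it demonstrates is the one raised in the thread: an os.walk()-based walk needs no git repository at all and visits files that are not yet checked in.

```python
"""Added illustration for this thread (not scripts/spdxcheck.py and not a
kernel patch): traverse a source tree with os.walk() instead of the python
'git' module, so files that are not checked into git, and trees unpacked
from a tarball with no .git at all, are still visited."""
import os
import re
import tempfile

# Assumption: the only directory the walk never descends into is the git
# metadata directory; spdxcheck.py's real exclusion rules are not
# reproduced here.
SKIP_DIRS = {".git"}

# Matches the tag as it appears in kernel sources, e.g.
#   // SPDX-License-Identifier: GPL-2.0-only
#   /* SPDX-License-Identifier: GPL-2.0 */
#   # SPDX-License-Identifier: GPL-2.0
# and captures the identifier expression without a trailing "*/".
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(\S.*?)\s*(?:\*/)?\s*$")


def walk_tree(top):
    """Yield every regular file below top as a path relative to top.

    Pure filesystem walk: no git repository is required, and untracked
    files are visited like any other.  Order is made deterministic.
    """
    for root, dirs, files in os.walk(top):
        dirs[:] = sorted(d for d in dirs if d not in SKIP_DIRS)
        for name in sorted(files):
            yield os.path.relpath(os.path.join(root, name), top)


def spdx_id(path, max_lines=15):
    """Return the SPDX identifier from the first max_lines lines, or None.

    The 15-line window is an assumption for this example: the tag is
    expected near the top of a file, so the whole file is never read.
    """
    with open(path, encoding="utf-8", errors="replace") as f:
        for _ in range(max_lines):
            line = f.readline()
            if not line:
                break
            m = SPDX_RE.search(line)
            if m:
                return m.group(1)
    return None


def scan(top):
    """Map each relative file path under top to its SPDX identifier (None if absent)."""
    return {rel: spdx_id(os.path.join(top, rel)) for rel in walk_tree(top)}


def missing_tags(top):
    """Return the sorted list of files under top that carry no SPDX tag."""
    return sorted(rel for rel, ident in scan(top).items() if ident is None)


def build_sample_tree():
    """Constructed sample tree (not real kernel files): a .git directory
    that must be skipped, two tagged sources, a tagged Makefile and one
    file with no tag.  Nothing in it is committed to git, which is exactly
    the case a repo.traverse()-based walk would silently skip."""
    top = tempfile.mkdtemp(prefix="spdx-demo-")
    os.makedirs(os.path.join(top, ".git", "objects"))
    os.makedirs(os.path.join(top, "init"))
    os.makedirs(os.path.join(top, "drivers", "new"))
    samples = {
        os.path.join(".git", "HEAD"): "ref: refs/heads/master\n",
        os.path.join("init", "main.c"):
            "// SPDX-License-Identifier: GPL-2.0-only\n#include <linux/init.h>\n",
        os.path.join("drivers", "new", "untracked.c"):
            "/* SPDX-License-Identifier: GPL-2.0 */\n#include <linux/module.h>\n",
        "Makefile": "# SPDX-License-Identifier: GPL-2.0\nobj-y += init/\n",
        "README": "Constructed sample file with no SPDX tag\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(top, rel), "w", encoding="utf-8") as f:
            f.write(text)
    return top


if __name__ == "__main__":
    demo = build_sample_tree()
    for rel, ident in sorted(scan(demo).items()):
        print(f"{rel}: {ident}")
    print("missing:", missing_tags(demo))
```

Running the script on a real unpacked tarball (`scan("/path/to/linux-6.x")`) works with no .git present, and on a checkout it reports drivers/new/untracked.c-style files that `git ls-files` would not yet list; the generator in walk_tree is a plain Python generator over os.walk(), with no third-party module involved.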
