logo

checksrc

Check directory for potential non-source files git clone https://anongit.hacktivis.me/git/checksrc.git

README.md (2743B)

    

  1. # checksrc: Check directory for potential non-source files
  3. Manpage webview: <https://hacktivis.me/git/checksrc.mdoc/>
  5. ## Source Code
  6. ### Practical angle
  8. On the practical angle, lack of Source Code means:
  9. - Code which is harder to read, and so helpful for hiding malware
  10. - Codegen which you can't redo, leading to less maintainable patches
  12. Combination of both being particularly horrible, as it means you
  13. can end up forced to rewrite a lot of code or switch to another
  14. implementation just to get rid of a bug or worse, malware.
  16. ### Legal angle
  18. GPLv3:
  19. > The "source code" for a work means the preferred form of the work
  20. > for making modifications to it.
  22. So on the legal angle you need to make sure you're actually shipping
  23. Source Code to not violate the GPLv3 and licences derived from it.
  24. As well as similar licences, MPL-2.0 and EUPL-1.2 both have
  25. similar definitions.
  27. ## Dependencies
  29. - POSIX.1-2008 make(1)
  30. - C99 Compiler
  31. - C library with `getdents()` function such as with Linux+musl*
  33. *Will change to POSIX.1-2024 once musl releases with support for posix_getdents
  35. Amount of dependencies should be low as it is designed for cases like
  36. [bootstrap-initrd](https://hacktivis.me/git/bootstrap-initrd/).
  37. Which for example means file/libmagic won't be used.
  39. ## Detections
  40. ### Minor
  41. Throws a warning but doesn't stops reading the file:
  43. - dump: block of 10 consecutive lines with lengths varying by less than 3 bytes (to detect hex dumps, base64, …)
  44. - more punctuation, symbols, and numbers than letters (within 4KB blocks)
  46. ### Major
  47. Throws an error, stops reading the file, exits unsuccessfully:
  49. - minified code: average line length of more than 100 characters (within 4KB blocks)
  50. - non-printable character (byte under 0x20 other than `\n`, `\r`, `\t`)
  51. - 3 blocks of dump (see Minor)
  52. - (planned) string indicating generated code
  54. ## Difference with deblob
  56. [deblob](https://hacktivis.me/projects/deblob) is designed for fast
  57. automated removals with very low false-positives by using file
  58. signatures in their magic header.
  60. `checksrc` meanwhile only stops reading a file when a major issue
  61. is found, to detect cases like `shar(1)` archives where the start
  62. of the file looks like regular code.
  63. So `checksrc` can take much longer depending on the payloads.
  65. ## Difference with other tools
  67. Debian suspicious-source:  Python; Only checks for files not matching
  68. a list of libmagic-detected MIME types and file extensions.
  70. <https://github.com/fosslinux/problematic-source>: Python; Only checks
  71. for known strings of code generators and some generic ones,
  72. also bases itself on libmagic-detected MIME types.
  75. ```
  76. SPDX-FileCopyrightText: 2017 Haelwenn (lanodan) Monnier <contact+checksrc@hacktivis.me>
  77. SPDX-License-Identifier: MPL-2.0
  78. ```