#1 2025-06-03 10:28:37

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 73

.BUILDINFO privacy/security concerns

When I build a package, its .BUILDINFO has the full path of the folder where I built the package (which has my user name on my pc) as well as the full list of packages I have installed on my pc. This would be a security risk if I were to put my package on the internet.

I poked the wiki and man pages and there seems to be no way to disable the addition of .BUILDINFO in a built package. Did I miss something? So what are my options if I want to create packages to share without revealing .BUILDINFOs? Build packages in a dedicated pc and/or use a chroot?

When I build a package I get this message:
    ==> WARNING: Package contains reference to $pkgdir
Is this message warning about what I wrote above (that my build folder is in .BUILDINFO) or is it about something else?

Last edited by archdub (2025-06-03 10:32:59)


#2 2025-06-03 10:49:41

mpan
Member
Registered: 2012-08-01
Posts: 1,419

Re: .BUILDINFO privacy/security concerns

If the package is built directly on your main system, do not publish it in the first place. This may cause it to include unexpected dependencies, configuration choices, or linking specific to your installation, leading to the package failing or misbehaving on other people’s machines.

For publishing, build the package in a clean chroot. That also solves your initial problem.

Last edited by mpan (2025-06-03 10:50:15)


Sometimes I seem a bit harsh — don’t get offended too easily!


#3 2025-06-03 11:29:45

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,538

Re: .BUILDINFO privacy/security concerns

archdub wrote:

When I build a package I get this message:
    ==> WARNING: Package contains reference to $pkgdir
Is this message warning about what I wrote above (that my build folder is in .BUILDINFO) or is it about something else?

That is nothing to do with .BUILDINFO. That is telling you that the binary files contain the path - this may or may not be fixable by editing the source code.


#4 2025-06-03 12:55:21

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 73

Re: .BUILDINFO privacy/security concerns

mpan wrote:

If the package is built directly on your main system, do not publish it in the first place. This may cause it to include unexpected dependencies, configuration choices, or linking specific to your installation, leading to the package failing or misbehaving on other people’s machines.

For publishing, build the package in a clean chroot. That also solves your initial problem.

thanks


#5 2025-06-03 13:05:05

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 73

Re: .BUILDINFO privacy/security concerns

Allan wrote:
archdub wrote:

When I build a package I get this message:
    ==> WARNING: Package contains reference to $pkgdir
Is this message warning about what I wrote above (that my build folder is in .BUILDINFO) or is it about something else?

That is nothing to do with .BUILDINFO. That is telling you that the binary files contain the path - this may or may not be fixable by editing the source code.

Thanks, Allan.

You are right. /my/build/folder/usr/lib was appearing in rpath. I removed rpath, but the same folder is still in the executable file, in section .dynstr, as reported by objdump. I doubt I can patch the ELF for this as I patched to remove rpath.

I looked at making a small change to the build system but gave up. This is a nearly 40-year-old code base that still supports building for Sun workstations and Amiga PCs, so not easy to tweak.
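
Added example, not part of any post in this thread and not pacman or makepkg code: a pre-publication audit covering both issues discussed above, the build path and installed-package list in .BUILDINFO and the build path left inside binaries. The function names `parse_buildinfo` and `audit`, the `/home/<user>` heuristic, and all sample data are assumptions constructed for illustration.

```python
# Added example: audit what a package's .BUILDINFO and files reveal about the build host.
import re

# Constructed sample in .BUILDINFO "key = value" form (not from a real package).
SAMPLE_BUILDINFO = """\
format = 2
pkgname = demo
pkgver = 1.0-1
packager = Unknown Packager
builddir = /home/alice/build
startdir = /home/alice/build/demo
installed = bash-5.2.037-1-x86_64
installed = firefox-139.0-1-x86_64
installed = glibc-2.41-1-x86_64
"""

# Constructed file contents: one "binary" with the build path embedded, one clean.
SAMPLE_FILES = {
    "usr/bin/demo": b"\x7fELF\x00/home/alice/build/demo/pkg/demo/usr/lib\x00libc.so.6\x00",
    "usr/share/doc/demo/README": b"demo 1.0\n",
}

def parse_buildinfo(text):
    """Return {key: [values]}; keys such as 'installed' repeat once per value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def audit(buildinfo_text, files):
    """Summarise host details exposed by .BUILDINFO and by package file contents."""
    info = parse_buildinfo(buildinfo_text)
    paths = {p for k in ("builddir", "startdir") for p in info.get(k, []) if p != "/"}
    # Usernames visible in home-directory style paths (heuristic, assumed layout).
    users = {m.group(1) for p in paths for m in [re.match(r"/home/([^/]+)", p)] if m}
    # Files that embed a build path (e.g. in RPATH or .dynstr), found by byte search.
    leaking = sorted(name for name, data in files.items()
                     if any(p.encode() in data for p in paths))
    return {"paths": sorted(paths), "users": sorted(users),
            "installed_count": len(info.get("installed", [])),
            "files_with_build_path": leaking}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_BUILDINFO, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

The byte search is a plain substring match, so a short build path can also match inside longer unrelated paths; treat each hit as something to inspect, not as proof of a leak.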
