New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lint/contrib/doc updates #30084
base: master
Are you sure you want to change the base?
lint/contrib/doc updates #30084
Conversation
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process. |
There are currently no linter errors if you run the linter using the container, which installs the same versions as the CI. This is the recommended way to run the linters, as it avoids differences that may occur due to different versions of dependencies installed on your local system, and the need for changes like this.
As LIEF mostly exists here for the type stubs, I don't think there's a reason to diverge it from the version we use in Guix (0.13.2), if things are working fine. |
This patch allows the individual linters to continue to be usefully called without Docker or Rust, per the following section of
I've been running them that way for 5+ years and would prefer to be able to continue doing so. If we now no longer want to support calling them directly or individually, then I'll update the README to discourage/warn. This patch (if correct) also avoids some duplicate work by the person who updates |
If someone if updating LIEF in Guix, they need to check the changes, and update the scripts for the new version, if needed. I'm guessing your changes here will actually just break the Guix build, given it's still using 0.13.2? |
time BASE_CACHE="/base_cache" SOURCES_PATH="/sources" SDK_PATH="/SDKs" ./contrib/guix/guix-build
< snip >
make[1]: Leaving directory '/distsrc-base/distsrc-950b3d4587f0-x86_64-linux-gnu'
Traceback (most recent call last):
File "/distsrc-base/distsrc-950b3d4587f0-x86_64-linux-gnu/./contrib/devtools/security-check.py", line 230, in <module>
lief.Binary.FORMATS.ELF: {
AttributeError: type object 'lief._lief.Binary' has no attribute 'FORMATS'
F
======================================================================
FAIL: test_ELF (__main__.TestSecurityChecks)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/distsrc-base/distsrc-950b3d4587f0-x86_64-linux-gnu/./contrib/devtools/test-security-check.py", line 60, in test_ELF
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
AssertionError: Tuples differ: (1, '') != (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW')
First differing element 1:
''
'test1: failed PIE NX RELRO Canary CONTROL_FLOW'
- (1, '')
+ (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW')
----------------------------------------------------------------------
Ran 1 test in 0.086s
FAILED (failures=1)
make: *** [Makefile:1355: test-security-check] Error 1 |
Thanks for pointing out this interdependency. Looking at #27813 and related preceding changes, would you be concept ACK on updating the guix manifest to a recent lief (0.14 or maybe imminent 0.15), or prefer to hold off for now? |
I don't really think we need to update or change anything in our release infrastructure right now, particularly if the only reason is so that linters can be run against versions of dependencies that we don't use. If anything, I think the docs could be updated in some way to say that running the linters outside the container, or with versions that differ from the CI is generally unsupported. |
Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]
|
950b3d4
to
4a5078b
Compare
Thanks for the feedback, done. Open to further suggestions (like whether to update the other dependencies). |
4a5078b
to
ad6885a
Compare
…ipts as the code in that iteration should not proceed in the absence of a binary. This also fixes the following errors reported by recent releases of the python linter: contrib/devtools/symbol-check.py:298: error: Item "None" of "Binary | None" has no attribute "format" [union-attr] contrib/devtools/security-check.py:253: error: Item "None" of "Binary | None" has no attribute "format" [union-attr] contrib/devtools/security-check.py:254: error: Item "None" of "Binary | None" has no attribute "abstract" [union-attr] contrib/devtools/security-check.py:255: error: Item "None" of "Binary | None" has no attribute "concrete" [union-attr]
to appease codespell, and improve its grammar
ad6885a
to
114a522
Compare
@jonatack @kevkevinpal, what are your thoughts on reopening PR #30106 and dropping the test runner Seems like this PR (30084) is scoped to more than just the spelling error and fixing the error could help prevent near term lint issues for open PRs. Maybe I'm missing something and this was already addressed? edit: This is a just a warning from the linter. |
@@ -50,6 +50,10 @@ Individual tests can be run by directly calling the test script, e.g.: | |||
test/lint/lint-files.py | |||
``` | |||
|
|||
However, doing this with dependency versions that differ from the [CI |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Shouldn't this go into the section that ends with "...could be outdated" above?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The sentence you mention refers to Linux distributions: Please be aware that on Linux distributions all dependencies are usually available as packages, but could be outdated.
The sentence in this patch refers to calling the files directly, which can be done with other platforms (and the issues I'm seeing are not that the packages are outdated, but that the current releases are ahead of the CI versions). So it is proposed here in the section where it's relevant. That said, if you have a suggested version that combines both mentions, I'm happy to look at it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The dependency version is picked at install time, and the previous section is about installing the dependencies, so it seems more suitable.
But just a nit, either is fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the key point of both sentences is that all dependency versions must match exactly. Installing via distro packages or via pip are just two ways. Both can fail in the same way (outdated or too-recent dependency versions), so communicating them in the same section makes sense, but again, just a nit.
@@ -250,6 +250,8 @@ def check_MACHO_branch_protection(binary) -> bool: | |||
for filename in sys.argv[1:]: | |||
try: | |||
binary = lief.parse(filename) | |||
if binary is None: | |||
continue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of claiming that this was suggested to be changed by a linter, it would be better to have a real motivation for the change, as well as a reason why the change is correct.
Looking at this, I don't see why continuing is the right behavior change here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, this change doesn't look like an improvement.
@tdb3 Spelling warnings reported by |
No description provided.