+1
On 01.04.24 at 06:31, Scott Schmit wrote:
One approach:
1. do the build
2. do the install
3. generate the RPMs
4. quarantine the RPMs so they're safe from modification
   - I believe this could be done via SELinux policy
   - there are probably other mechanisms
5. run the tests
   - for SELinux, this might be via an `rpmbuild-test` binary that
     doesn't have rights to touch the output RPMs
6a. if the tests fail, destroy the RPMs and fail out, reproducing the
    result today
6b. if the tests pass, move/copy the RPMs to the result location and
    exit cleanly, reproducing the result today

Boils down to separate source and test code/phase

source code:
  (hopefully not obfuscated to the point where no review is possible)
  no binaries allowed, best possible review
  needed to build
  build phase: source to binary

test code:
  binaries allowed
  only needed to test
  test phase: binary unmodified

Allowing a test file to modify the binary makes it a source file. ?

Christoph
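
The gate in quoted steps 4 to 6b, as an added shell example that is not part of the thread: in place of the SELinux policy mentioned there, it assumes SHA-256 digests held in memory plus read-only permissions. `gate_rpms`, `manifest` and the directory arguments are hypothetical names.

```shell
#!/bin/sh
# Added example. Usage: gate_rpms QUARANTINE_DIR RESULT_DIR TEST_CMD [ARGS...]
# Assumption: steps 1-3 have already written the packages into QUARANTINE_DIR.
# Returns 0 = published, 1 = tests failed, 2 = nothing to gate, 3 = packages changed.

# Print a sorted "sha256  path" line for every file under a directory.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

gate_rpms() {
    quarantine=$1 result=$2
    shift 2

    # Step 4: record digests in a shell variable (not in a file the tests
    # could rewrite) and drop write permission. For tests running as the
    # same user chmod is only a speed bump; the digest comparison below is
    # what detects a change.
    before=$(manifest "$quarantine") || return 2
    [ -n "$before" ] || return 2
    chmod -R a-w "$quarantine"

    # Step 5: run the test command, remembering its exit status.
    test_status=0
    "$@" || test_status=$?

    after=$(manifest "$quarantine" 2>/dev/null) || after=
    chmod -R u+w "$quarantine" 2>/dev/null || :

    # Step 6a: failed tests destroy the packages.
    if [ "$test_status" -ne 0 ]; then
        rm -rf "$quarantine"
        return 1
    fi
    # Tests passed but a package was added, removed or modified: treat it
    # like a failure rather than publishing something the build did not make.
    if [ "$before" != "$after" ]; then
        rm -rf "$quarantine"
        return 3
    fi
    # Step 6b: publish the unmodified packages.
    mkdir -p "$result" && cp -Rp "$quarantine"/. "$result"/
}
```

Running the test command under a separate account that cannot write to the quarantine directory turns the detection into prevention.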