Closed
Bug 674250
Opened 13 years ago
Closed 13 years ago
add binscope to Windows build images
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: imelven, Assigned: bhearsum)
References
Details
(Whiteboard: [sg:want P2])
Attachments
(1 file)
(deleted), patch | rail: review+ | bhearsum: checked-in+
for bug 642243 please install Microsoft's Binscope tool (can be downloaded at http://www.microsoft.com/download/en/details.aspx?id=11910 , more info at http://blogs.msdn.com/b/architecture/archive/2009/09/15/security-verification-binscope-binary-analyzer.aspx) on the Windows build machines. there's a python script in bug 642243 that aims to make it easy to run binscope as part of the build, feedback is appreciated :) Also please note that it seems like the .NET Framework 3.5 is a prereq on Windows 2003 server, but not on a fully patched Windows 2008 server.
Updated • 13 years ago (Reporter)
Whiteboard: [sg:want P2]
Updated • 13 years ago
Component: Build Config → Release Engineering
Product: Core → mozilla.org
QA Contact: build-config → release
Version: Trunk → other
Is binscope freely redistributable? It might make sense to stick it in mozilla-build if it is ...
Comment 2 • 13 years ago (Reporter)
(In reply to comment #1)
> Is binscope freely redistributable? It might make sense to stick it in
> mozilla-build if it is ...
i'll look into this.
Comment 3 • 13 years ago (Reporter)
the EULA installed with binscope says :
1. You may not
• work around any technical limitations in the software;
• reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
• publish the software for others to copy;
• rent, lease or lend the software;
• transfer the software or this agreement to any third party; or
• use the software for commercial software hosting services.
IANAL, but that seems to prohibit us redistributing binscope as it stands.
Comment 4 • 13 years ago (Assignee)
Fwiw, getting it into MozillaBuild doesn't help fast deployment (we'd probably deploy it individually anyways). I'll try to have a look this week and see how easy/difficult this is.
Assignee: nobody → bhearsum
Comment 5 • 13 years ago (Assignee)
Looks like this works out-of-box on our build machines. It supports passive installation, too: "msiexec /i BinScopeSetup.exe /passive". After installation I ran it and it popped a UI, so AFAICT it will work. Is there anything else I should try to confirm?
Also, this is only required on build machines, correct? (Eg, do you need it available during unit test or talos runs?)
Comment 6 • 13 years ago (Reporter)
(In reply to comment #5)
> Looks like this works out-of-box on our build machines. It supports passive
> installation, too: "msiexec /i BinScopeSetup.exe /passive". After
> installation I ran it and it popped a UI, so AFAICT it will work. Is there
> anything else I should try to confirm?
>
> Also, this is only required on build machines, correct? (Eg, do you need it
> available during unit test or talos runs?)
if you felt so inclined you could try running the python script in bug 642243 and seeing if it works correctly on a build machine. i would also love your feedback on the right paths for logs etc. and if there's anything else in the script in terms of input or output you would like, or of course feel free to tweak it to be suitable, if you prefer.
it's only required on the build machines (if my understanding of our infrastructure is correct), if we can turn the build red (fail it) when the windows binaries don't pass the binscope checks, that's our goal.
Yes, this is for builders only.
Comment 8 • 13 years ago (Assignee)
(In reply to comment #6)
> (In reply to comment #5)
> > Looks like this works out-of-box on our build machines. It supports passive
> > installation, too: "msiexec /i BinScopeSetup.exe /passive". After
> > installation I ran it and it popped a UI, so AFAICT it will work. Is there
> > anything else I should try to confirm?
> >
> > Also, this is only required on build machines, correct? (Eg, do you need it
> > available during unit test or talos runs?)
>
> if you felt so inclined you could try running the python script in bug
> 642243 and seeing if it works correctly on a build machine. i would also
> love your feedback on the right paths for logs etc. and if there's anything
> else in the script in terms of input or output you would like, or of course
> feel free to tweak it to be suitable, if you prefer.
I didn't actually have a Firefox build on the machine I installed it on, but I did have a XULRunner one. Here's what I tried:
E:\builds\moz2_slave\m-cen-w32-xr\build\obj-firefox\dist>python bs.py bin/xulrunner.exe bin/plugin-container.exe crashreporter-symbols
Microsoft SDL BinScope binary analysis tool v1.0.4027.29711
TEST-UNEXPECTED-FAIL |autobinscope.py| firefox.exe is missing a needed Windows protection, such as /GS or ASLR
Microsoft SDL BinScope binary analysis tool v1.0.4027.29711
TEST-UNEXPECTED-FAIL |autobinscope.py| plugin-container.exe is missing a needed Windows protection, such as /GS or ASLR
Also, I left comments in the other bug about the script.
Comment 9 • 13 years ago (Assignee)
Attachment #549215 - Flags: review?(rail)
Updated • 13 years ago
Attachment #549215 - Flags: review?(rail) → review+
Comment 10 • 13 years ago (Reporter)
looks good to me.
Updated • 13 years ago (Assignee)
Attachment #549215 - Flags: checked-in+
Comment 11 • 13 years ago (Assignee)
I set this to roll out on all of the Windows build machines (64-bit Windows excluded, because it's not a supported platform yet....)
It'll take a day or two for all of the slaves to pick it up. After that, you're good to start pushing to try or landing changes that require it!
Comment 12 • 13 years ago (Assignee)
This is now installed on all accessible build slaves (a few are done for maintenance, should pick it up when they come back online).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 11 years ago
Product: mozilla.org → Release Engineering