fix(openfec): disable -debuginfo to work around malware scan's false positive#17083
Merged
reubeno (Contributor) reviewed on May 8, 2026
Pull request overview
Suppresses generation of openfec debuginfo RPMs to avoid ESRP malware-scan false positives triggered by the standard rpmbuild debuginfo pipeline, while keeping the runtime/devel/utils subpackages unchanged.
Changes:
- Added a component overlay for `openfec` that injects `%global debug_package %{nil}` before the `Name:` tag to disable auto-generated debuginfo subpackages.
- Refreshed the rendered `openfec.spec` output (including a Release bump consistent with a packaging change).
- Updated component metadata to reflect the customization (moved from inline `components.toml` entry to a dedicated `.comp.toml`) and refreshed the lock fingerprint.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| base/comps/openfec/openfec.comp.toml | Introduces the overlay that disables *-debuginfo output for openfec. |
| specs/o/openfec/openfec.spec | Rendered spec updated to include `%global debug_package %{nil}` and bump Release. |
| base/comps/components.toml | Removes openfec from the inline "unmodified components" list now that it has custom overlays. |
| locks/openfec.lock | Updates the input fingerprint to match the new component definition. |
2ab10a6 to 2d1ef53
christopherco (Collaborator) requested changes on May 9, 2026
Generally changes look fine to me. Please squash commits together into 1 commit
0ef7e2b to 8f8dee2
The auto-generated `openfec-debuginfo` ELFs (the companion `*.debug`
files under `/usr/lib/debug/`) trip a generic high-entropy heuristic
in the automated malware scan that runs in our package signing
pipeline. High Shannon entropy is intrinsic to compressed DWARF
(`--compress-debug-sections=zlib`, the Azure Linux / Fedora default)
and is indistinguishable from packed/encrypted data to a generic
entropy heuristic. There is no obfuscator, packer, or third-party
blob involved — `Source0` is a clean Reed-Solomon/LDPC C library.
Failing RPMs blocked at signing:
- openfec-debuginfo-1.4.2.6-7.azl4~20260420.x86_64.rpm
- openfec-debuginfo-1.4.2.6-7.azl4~20260420.aarch64.rpm
Fix: inject `%global debug_package %{nil}` into the rendered spec via
a `spec-search-replace` overlay, which suppresses auto-generation of
the `*-debuginfo` subpackages entirely. The runtime `openfec`,
`openfec-devel`, and `openfec-utils` sub-packages are unaffected.
Trade-off: loses post-mortem `gdb`/`crash` capability for
`libopenfec.so.1.4.2` (binaries ship with stripped symbols only).
This is also the conventional move for components where the
auto-generated debuginfo is a known scanner trip point and there is
no business need for the debug symbols downstream.
8f8dee2 to 5892dc3
christopherco
approved these changes
May 12, 2026
Fixes: AB#19876

Summary

Suppresses the auto-generated `*-debuginfo` sub-package for `openfec` to work around a malware-scan false positive.

Failing artefacts

- openfec-debuginfo-1.4.2.6-7.azl4~20260420.x86_64.rpm
- openfec-debuginfo-1.4.2.6-7.azl4~20260420.aarch64.rpm

The runtime `openfec`, `openfec-devel`, and `openfec-utils` sub-packages are NOT flagged. The SRPM is NOT flagged. Only the auto-generated debuginfo RPMs fail signing.

Root cause

A high-entropy / packer detection heuristic in the signing pipeline's malware scanner fires on the per-library `.debug` ELF (`/usr/lib/debug/usr/lib64/libopenfec.so.1.4.2-…<arch>.debug`) produced by rpmbuild's standard `find-debuginfo.sh` + `dwz` pipeline. This is a textbook AV/EDR false positive on stripped DWARF debug-info: `.debug_info` / `.debug_str` / `.debug_loc` / `.debug_abbrev` sections plus the densely-packed string tables look statistically identical to packed/encrypted payloads, especially with rpm's default `--compress-debug-sections=zlib`. The same heuristic fires on both architectures from the same `%build`, which is itself strong evidence that the trigger is the standard rpmbuild debuginfo pipeline rather than anything in `Source0`.

`Source0` (`openfec_1.4.2.6.tar.gz`) is a small Reed-Solomon / LDPC-Staircase forward-erasure-correction C library; its `tests/` directory contains only `.c` files and there is no third-party blob anywhere in the tarball.

Fix

This PR adds a `spec-search-replace` overlay to `base/comps/openfec/openfec.comp.toml` that injects `%global debug_package %{nil}` immediately before the `Name:` line in `specs/o/openfec/openfec.spec`. That single directive causes rpmbuild to skip the `find-debuginfo.sh` extraction step entirely, so the two failing `*-debuginfo` RPMs simply stop being produced.

Trade-off

Loses post-mortem `gdb` / `crash` / `eu-stack` debugging support for `libopenfec.so.1.4.2`. This is acceptable because:

- `openfec` is a small FEC math library with a narrow API surface.
- `.debug` ELF, since the trigger is the standard DWARF-extraction pipeline rather than anything specific to this build.

What was considered and not chosen

- `-gz=none` via CFLAGS (uncompressed DWARF). Lower-entropy but materially larger debuginfo RPMs and unverified whether AZL's `azurelinux-rpm-config` macros honour the per-spec `%undefine _find_debuginfo_opts` cleanly. Kept as a documented fallback if the canonical fix needs to be reverted.

Validation

- `azldev-in-container comp render -p openfec` (rendered specs refreshed in `specs/o/openfec/`).
- `azldev-in-container comp update -p openfec` (lock file refreshed in `locks/`).
- `openfec`, `openfec-devel`, and `openfec-utils` sub-packages built from the three `%files` blocks in the spec are unaffected.
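The root-cause argument in the PR description (and in the commit message earlier in the thread) is that zlib-compressed DWARF looks like packed data to a byte-entropy heuristic. The following is an added example, not code from this PR, from openfec, or from the Azure Linux tooling: it builds a tiny synthetic ELF64 image with a `.debug_str` section compressed the way `--compress-debug-sections=zlib` does it (an `Elf64_Chdr` header followed by a zlib stream, with `SHF_COMPRESSED` set), then scores it two ways. A naive scanner measures the raw section bytes and flags them; an ELF-aware scanner honours `SHF_COMPRESSED`, decompresses first, and measures the actual DWARF strings, which are nowhere near the cutoff. The identifier names, the 7.0 bits/byte threshold, and the minimal ELF layout are all assumptions made for the demonstration; real scanners use their own thresholds and real `.debug` files carry many more sections.

```python
# Added example (not from the PR or the Azure Linux tooling): why a byte-entropy
# heuristic fires on zlib-compressed DWARF, and how honouring SHF_COMPRESSED
# (set by --compress-debug-sections=zlib) lets a scanner score the real content.
import math
import struct
import zlib
from collections import Counter

SHF_COMPRESSED = 0x800    # ELF: section data starts with an Elf64_Chdr
ELFCOMPRESS_ZLIB = 1      # Elf64_Chdr.ch_type for zlib-compressed sections
HIGH_ENTROPY = 7.0        # bits/byte cutoff; assumed value, real scanners differ

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
CHDR = struct.Struct("<IIQQ")               # Elf64_Chdr


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 = indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compress_section(payload: bytes) -> bytes:
    """Encode a section the way --compress-debug-sections=zlib does:
    an Elf64_Chdr header followed by a zlib stream of the original bytes."""
    return CHDR.pack(ELFCOMPRESS_ZLIB, 0, len(payload), 1) + zlib.compress(payload, 9)


def build_elf64(sections):
    """Construct a minimal ELF64 LSB image (header, section data, .shstrtab,
    section header table) from (name, sh_flags, data) tuples. Synthetic input
    for the parser below; only the fields it reads are meaningful."""
    shstrtab = bytearray(b"\0")
    name_offsets = []
    for name, _, _ in sections:
        name_offsets.append(len(shstrtab))
        shstrtab += name.encode() + b"\0"
    shstr_name = len(shstrtab)
    shstrtab += b".shstrtab\0"

    body = bytearray()
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]      # index 0: SHT_NULL
    for (name, flags, data), name_off in zip(sections, name_offsets):
        off = EHDR.size + len(body)
        body += data
        shdrs.append(SHDR.pack(name_off, 1, flags, 0, off, len(data), 0, 0, 1, 0))  # SHT_PROGBITS
    shstr_off = EHDR.size + len(body)
    body += shstrtab
    shdrs.append(SHDR.pack(shstr_name, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))  # SHT_STRTAB
    shoff = EHDR.size + len(body)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB data, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0,
                     SHDR.size, len(shdrs), len(shdrs) - 1)  # ET_DYN, EM_X86_64
    return bytes(ehdr) + bytes(body) + b"".join(shdrs)


def parse_sections(image: bytes):
    """Return {section name: (sh_flags, raw bytes)} from an ELF64 LSB image."""
    f = EHDR.unpack_from(image, 0)
    if f[0][:4] != b"\x7fELF" or f[0][4] != 2:
        raise ValueError("not an ELF64 image")
    shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
    shdrs = [SHDR.unpack_from(image, shoff + i * shentsize) for i in range(shnum)]
    st_off, st_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = image[st_off:st_off + st_size]
    out = {}
    for sh_name, _type, sh_flags, _addr, sh_off, sh_size, *_ in shdrs[1:]:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        out[name] = (sh_flags, image[sh_off:sh_off + sh_size])
    return out


def scan_debug_sections(image: bytes, elf_aware: bool):
    """Score every .debug* section as {name: (entropy, flagged)}. A naive scanner
    (elf_aware=False) measures the raw bytes; an ELF-aware one decompresses
    SHF_COMPRESSED sections first so it measures the DWARF, not the zlib stream."""
    verdicts = {}
    for name, (flags, raw) in parse_sections(image).items():
        if not name.startswith(".debug"):
            continue
        data = raw
        if elf_aware and flags & SHF_COMPRESSED:
            ch_type, _res, ch_size, _align = CHDR.unpack_from(raw, 0)
            if ch_type != ELFCOMPRESS_ZLIB:
                raise ValueError(f"{name}: unsupported compression type {ch_type}")
            data = zlib.decompress(raw[CHDR.size:])
            if len(data) != ch_size:
                raise ValueError(f"{name}: ch_size does not match decompressed length")
        h = shannon_entropy(data)
        verdicts[name] = (round(h, 2), h >= HIGH_ENTROPY)
    return verdicts


def sample_debug_str() -> bytes:
    """Constructed stand-in for a .debug_str section: NUL-separated identifiers
    of the kind a C library's DWARF carries (made-up names, not openfec symbols).
    The scrambled numeric suffixes keep the zlib stream from collapsing to nothing."""
    names = [f"of_{kind}_{(i * 2654435761) % 99991:05d}"
             for i in range(3000) for kind in ("rs_encode", "ldpc_decode", "symbol_tab")]
    return b"\0".join(n.encode() for n in names) + b"\0"


def demo():
    """Same image, two scanners: returns (naive verdicts, ELF-aware verdicts)."""
    image = build_elf64([(".debug_str", SHF_COMPRESSED, compress_section(sample_debug_str()))])
    return scan_debug_sections(image, elf_aware=False), scan_debug_sections(image, elf_aware=True)


if __name__ == "__main__":
    naive, aware = demo()
    print("naive scanner    :", naive)   # .debug_str flagged: zlib stream scores near 8 bits/byte
    print("ELF-aware scanner:", aware)   # same section, decompressed: ordinary identifier text
```

The point for detection engineering is that the false positive is a property of the scanner, not of the package: `SHF_COMPRESSED` is a standard, parseable signal that the bytes are a zlib stream, and a scanner that decompresses before scoring (or that exempts `.debug*` sections in `/usr/lib/debug` ELFs) would not have blocked these RPMs. Disabling `debug_package` is the packaging-side workaround the PR chose; the scanner-side fix is the one that would stop the same trip point recurring for every other component.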