Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 2164250

Summary: Possibly unacceptable content packaged in Fedora: bundled abe.jar
Product: [Fedora] Fedora Reporter: Jan Pokorný [poki] <fedora>
Component: adb-enhancedAssignee: Fabian Affolter <mail>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: mail, rfontana
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 182235    

Description Jan Pokorný [poki] 2023-01-24 22:28:31 UTC 
Friends don't let friends use binary bits of unknown origins,
not to speak of Fedora Packaging Guidelines violations, and
possible breach of bringing proprietary SW into libre-licenses
seeking distribution.

Was rather shocked that once I confused adb from android-tools
with adbe package, I observed a JAR file being installed along,
and indeed, this file is not built from sources:

https://github.com/ashishb/adb-enhanced/commit/c90b6b31700ebb117e50c3d03ab5fda38ced15b9

and -- AFAIK -- therefore forbidden from Fedora proper unless
an exception was granted, which does not seem to be the case,
see [bug 1814795].  In the same vein, the reviewer apparently
checked out something that should not have been in the first
place (for one if there are more eligible):

> [x]: Sources contain only permissible code or content.

And sadly, that's just for a starter.

The other possible problem related to "binary blob carried from
upstream", even if it was allowed, is that code that you don't
have sources to is totally non-transparent, which is just a step
from being actively harmful.  Lo and behold, when thrown into
VirusTotal.com, at least a single AV engine recognizes that JAR
as having traits of something previously recognized as malicious:

https://www.virustotal.com/gui/file/2a6e4d0d4bd77c94d0e09baade739596c35d73bb91cc79a17930e1574c41f272

This admittedly might be a false positive (previous scan for
the file of the same hash was showing all-green), but do
friends let friends expose themselves to unjustified risks?

Enthusiasm of everyone involved in bringing new kinds of
out-of-the-box "versatility" to Fedora is indeed admirable
and all, but I am afraid it went way too wrong here, nothing short
of a textbook example of how not to do it, that is, how recklessly.

Please, drop that JAR file from the package immediately, and try
to find a way of how to restore it by building it from sources
as expected in Fedora context, assuming the sources are likewise
under licensing that Fedora permits.

That being said, setting this bug as a blocker for [FE-Legal],
and rushing to remove that accidentally installed package locally.
As mentioned, I've meant to install android-tools anyway, but
at least this critical double-check emerged from this thinko.
Comment 1 Jan Pokorný [poki] 2023-01-24 22:44:29 UTC 
OK, apksigner.jar can possibly be built anew using public sources
that appear to be under Apache-2.0 (SPDX notation) license:

https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkSigner.java

But then it might be a good idea to package it separately and
for the purpose of Fedora downstream, make adb-enhanced contain
a respective symlink into where the file is placed by that other
package, which would consequently become its "Requires:" specified
dependency.

Thanks for considering these circumstances and options.
Comment 2 Richard Fontana 2023-01-24 23:04:07 UTC 
I can't speak to the Fedora packaging guidelines, but from the Fedora legal standpoint, this package (at least in this form) must be removed from Fedora.
Comment 3 Ben Cotton 2023-02-07 15:06:21 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.
Comment 4 Fabian Affolter 2023-02-19 00:37:49 UTC 
> # Uses abe.jar taken from https://sourceforge.net/projects/adbextractor/

abe (https://github.com/nelenkov/android-backup-extractor) uses ASL 2.0.

abe.jar and apksigner.jar should definitly not be part of the package.