Redundant manual reviews

Hi there,

I’m the developer of aurora-editor, which is an Electron-based markdown editor. Recently I integrated puppeteer to achieve some new features, like exporting documents to images.

Since the puppeteer library has some internal executable binaries as chromium drivers, the new release triggered a manual review process (revision#46). I understand that you are trying your best to protect users’ security. I explained the reason for including binary files in that release and it was approved. But today, when I tried to push a new release again, a similar manual review process (revision#47) was triggered again.

Just some advice, I think your process can be more friendly for developers by storing the approved executable binaries (path and content hash) and avoiding redundant manual reviews.

Many thanks,
Grey Wang


The warning for r46 was: “Found files with executable stack. This adds PROT_EXEC to mmap(2) during mediation which may cause security denials. Either adjust your program to not require an executable stack, strip it with ‘execstack --clear-execstack …’ or remove the affected file from your snap. Affected files: resources/app.asar.unpacked/node_modules/puppeteer/.local-chromium/linux-809590/chrome-linux/nacl_irt_x86_64.nexe”

Have you tried to clear the executable stack? Please see Snap and executable stacks for more information.
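The r46 warning is about the PF_X bit in an ELF file’s PT_GNU_STACK program header, which is exactly what `execstack -q` reports (X, -, or ?) and `execstack --clear-execstack` rewrites. As an added example (not snapcraft’s or review-tools’ code), the following reads that header directly, handles ELF32/ELF64 and both byte orders, and builds a constructed minimal ELF64 image so it can be exercised offline:

```python
# Added example: inspect and clear the executable-stack flag (PT_GNU_STACK / PF_X)
# of an ELF image; the constructed make_elf64() image stands in for a real binary.
import struct

PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def _gnu_stack_flags(data: bytes):
    """Return (endian prefix, absolute offset of p_flags in PT_GNU_STACK or None)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    if data[4] == 2:                              # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                             # Elf64_Phdr: p_type, p_flags, ...
    else:                                         # ELF32
        phoff, = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                            # Elf32_Phdr: p_flags after p_memsz
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_GNU_STACK:
            return end, base + flags_off
    return end, None

def exec_stack_status(data: bytes) -> str:
    """'X' = executable stack, '-' = non-executable, '?' = no PT_GNU_STACK header."""
    end, off = _gnu_stack_flags(data)
    if off is None:
        return "?"
    return "X" if struct.unpack_from(end + "I", data, off)[0] & PF_X else "-"

def clear_execstack(data: bytes) -> bytes:
    """Copy of the image with PF_X dropped from PT_GNU_STACK (what execstack -c does)."""
    end, off = _gnu_stack_flags(data)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to rewrite")
    buf = bytearray(data)
    struct.pack_into(end + "I", buf, off, struct.unpack_from(end + "I", buf, off)[0] & ~PF_X)
    return bytes(buf)

def make_elf64(stack_flags=None) -> bytes:
    """Constructed minimal little-endian ELF64 test image; None omits PT_GNU_STACK."""
    phnum = 0 if stack_flags is None else 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
```

Running `exec_stack_status` over the unpacked files of a snap before pushing shows which ones the review will flag; a file reporting `?` has no PT_GNU_STACK header at all and is worth a second look rather than an automatic fix.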

@jdstrand Thanks a lot for your reply.

Yeah, I know the reason for this manual review. But in some cases, the executable stack might be necessary for the application. In my case, I can change the logic to exclude the binary driver from the snap package and trigger a download the first time this function is run. But that would not be good for the user’s experience.

I understand your security policy and why this kind of release with executable binaries needs to be reviewed manually. What I want to say is that since in release #46 the binary executable file was approved manually, it might not be necessary to trigger a new manual review when I push a release with the same binary file. You can do better on the processing logic.