Debuginfod By Default
Fedora users / developers who need to debug/trace distro binaries can make use of the recently activated elfutils-debuginfod servers to automatically fetch debugging data and source code, instead of having to use sudo dnf commands.
- Name: Frank Ch. Eigler
- Email: email@example.com
- Name: Aaron Merey
- Email: firstname.lastname@example.org
- Targeted release: Fedora Linux 35
- Last updated: 2021-04-12
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Numerous Fedora debugging-type tools have built-in capabilities to use the debuginfod protocol to fetch debuginfo/source code automatically. We would like to activate a setting so that Fedora's debuginfod servers are automatically used, rather than requiring hand-editing individual users' dot files.
There has existed broad interest in a Fedora debuginfod server since the project was proposed / announced in 2020, and several distros already operate public servers of this nature. Some of the distros configure their installations by default to talk to those servers, some do not.
Turning on this by default has some limited privacy implications. Some Debian users have expressed concerns that this facility "calls home" during debugging, so it may expose a limited amount of information about what a user is debugging. The information is limited to the build-id and source code file names of programs being debugged, and is only sent to the servers if their machine lacks locally installed debuginfo. Whether this should be opt-in or opt-out and how has been resolved there via an install-time query to the sysadmin. In contrast, on OpenSUSE Tumbleweed, it is simply defaulted-on, and we have heard of no controversy.
We anticipate discussing this topic on the mailing list, and noting it in the release notes either way.
What kinds of attacks might be possible with malicious debuginfo files?
It depends on the consumer tool - on their robustness, the privileges under which they operate, and the privilege of a resulting artifact if any.
How is it verified that files received from debuginfo servers have not been tampered with?
Debuginfod servers provide the verbatim contents of the verbatim distro archives, and transmit them securely across HTTPS. There is no per-file signing infrastructure in Fedora, and debuginfod doesn't add one. Thus there is no mechanism to manually verify these files, beyond downloading a corresponding signed archive out-of-band and comparing. The client side code will be taking some rudimentary measures with file permissions to reduce risk of accidental change. In principle, if the received files were tampered with, then the same tamperers could mess with the user's consumer tools and/or take over the account.
Is there any end-to-end authentication from the Fedora build system to my workstation – which there is with signed debuginfo packages – or do the tools blindly trust a whole network of federated debuginfo servers?
This change proposal does not relate to the whole network of federated debuginfo servers, but only to the Fedora official ones, which take content from the official Fedora build system only.
Does (calling "home" to debuginfod) happen every time, or are downloaded files cached locally?
Downloaded files are indeed cached locally. A cache hit means no calling home. See the debuginfod_find_debuginfo man page.
If there is a cache, when are old files purged from the cache?
The same man page identifies the config file parameters that govern this cleaning. The defaults are to retain files accessed during the last week.
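The lookup order behind the privacy and caching answers above, as an added example (not code from elfutils or from this proposal): it reports whether resolving one build-id would stay local or reach a server. The cache layout and the /buildid/<id>/debuginfo request path follow the upstream elfutils client documentation rather than anything stated on this page, and DEBUG_ROOT is a hypothetical override used only so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: classify whether a debuginfo lookup for one build-id would
# reach a debuginfod server. DEBUG_ROOT is a hypothetical override for testing.

# Resolve the client cache directory (env var, legacy dir, then XDG default).
debuginfod_cache_dir() {
    if [ -n "${DEBUGINFOD_CACHE_PATH:-}" ]; then
        printf '%s\n' "$DEBUGINFOD_CACHE_PATH"
    elif [ -d "$HOME/.debuginfod_client_cache" ]; then
        printf '%s\n' "$HOME/.debuginfod_client_cache"
    else
        printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}/debuginfod_client"
    fi
}

# Print one of: local | no-server | cached | network:<url>
would_call_home() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$id" in
        ''|*[!0-9a-f]*) echo "invalid-build-id"; return 2 ;;
    esac
    rest=${id#??}
    prefix=${id%"$rest"}
    # 1. Installed debuginfo package: the tool never needs the client library.
    if [ -e "${DEBUG_ROOT:-/usr/lib/debug}/.build-id/$prefix/$rest.debug" ]; then
        echo "local"; return 0
    fi
    # 2. DEBUGINFOD_URLS unset or empty: the opt-out, nothing is queried.
    set -f; set -- ${DEBUGINFOD_URLS:-}; set +f
    if [ $# -eq 0 ]; then echo "no-server"; return 0; fi
    # 3. Cache hit: served from disk, no request leaves the machine.
    if [ -e "$(debuginfod_cache_dir)/$id/debuginfo" ]; then
        echo "cached"; return 0
    fi
    # 4. Otherwise the build-id is sent to the first configured server.
    echo "network:${1%/}/buildid/$id/debuginfo"
}

if [ $# -gt 0 ]; then would_call_home "$1"; fi
```

Only the last outcome discloses the build-id to the server; clearing DEBUGINFOD_URLS for a session forces the "no-server" outcome.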
Benefit to Fedora
This will improve developers' experience.
It may reduce download server burden, as only individual ELF/DWARF/source files are downloaded rather than entire
It would help Fedora catch up to other distros who put up debuginfod servers already. :-)
- Proposal owners:
The work could consist of one extra parameter in the
%configure. Its effect is to arrange for the
to install an
/etc/profile.d file that sets the
DEBUGINFOD_URLS environment variable automatically to
https://debuginfod.fedoraproject.org/. (At the time of this writing, the _staging_ server is getting ready for testing:
- Other developers: None - relevant code has been previously upstreamed!
- Release engineering: None - our team is operating the
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Note that these servers will index all active Fedora releases (32-), all architectures, so users of those versions can already set DEBUGINFOD_URLS manually to take advantage.
How To Test
- Open an arbitrary Fedora binary via gdb.
- Admire the immediate downloading of debuginfo and source code.
- Run eu-stack -v -p $pid for an arbitrary process.
- Admire the immediate downloading of debuginfo to give precise file:line data.
Primarily: users running debuggers, profilers, tracing tools on internet-capable machines can work immediately, without switching to privileged users and fragile manual dnf commands to install this data.
debuginfod servers at fedora-infra need to be up.
- Contingency mechanism: change the elfutils-debuginfod-client subrpm to not set the default DEBUGINFOD_URLS environment variable for all users. In the case of a server outage, the debugger tools revert to debuginfo-less operation, prior to this feature.
- Contingency deadline: shortly before freeze
- Blocks release? No
There is upstream documentation in the debugging tools as well as associated with the client code / cli tooling. What our Release Notes would focus on however is the _automatic activation_ of this facility via the environment variable.