{"id":376,"date":"2020-05-29T10:56:17","date_gmt":"2020-05-29T10:56:17","guid":{"rendered":"http:\/\/thomas.goirand.fr\/blog\/?p=376"},"modified":"2020-05-29T10:56:17","modified_gmt":"2020-05-29T10:56:17","slug":"a-quick-look-into-storcli-packaging-horror","status":"publish","type":"post","link":"http:\/\/thomas.goirand.fr\/blog\/?p=376","title":{"rendered":"A quick look into Storcli packaging horror"},"content":{"rendered":"\n

So, Megacli is to be replaced by Storcli, both being proprietary tools for configuring RAID cards from LSI.<\/p>\n\n\n\n

So I went to download what’s provided by Lenovo, available here:
https:\/\/support.lenovo.com\/fr\/en\/downloads\/ds041827<\/p>\n\n\n\n

It’s very annoying, because they force users to download a .zip file containing a deb file, instead of providing a Debian repository. Well, ok, though at least there’s a deb file there. Let’s have a look what’s using my favorite tool before installing (ie: let’s run Lintian).
Then it’s a horror story. Not only there’s obvious packaging wrong, like the package provide stuff in \/opt, and all is statically linked and provide embedded copies of libm and ncurses, or even the package is marked arch: all instead of arch: amd64 (in fact, the package contains both i386 and amd64 arch files…), but there’s also some really wrong things going on:
<\/p>\n\n\n\n

E: storcli: arch-independent-package-contains-binary-or-object opt\/MegaRAID\/storcli\/storcli
\nE: storcli: embedded-library opt\/MegaRAID\/storcli\/storcli: libm
\nE: storcli: embedded-library opt\/MegaRAID\/storcli\/storcli: ncurses
\nE: storcli: statically-linked-binary opt\/MegaRAID\/storcli\/storcli
\nE: storcli: arch-independent-package-contains-binary-or-object opt\/MegaRAID\/storcli\/storcli64
\nE: storcli: embedded-library opt\/MegaRAID\/storcli\/storcli64: libm
\nE: storcli: embedded-library \u2026 use –no-tag-display-limit to see all (or pipe to a file\/program)
\nE: storcli: statically-linked-binary opt\/MegaRAID\/storcli\/storcli64
\nE: storcli: changelog-file-missing-in-native-package
\nE: storcli: control-file-has-bad-permissions postinst 0775 != 0755
\nE: storcli: control-file-has-bad-owner postinst asif\/asif != root\/root
\nE: storcli: control-file-has-bad-permissions preinst 0775 != 0755
\nE: storcli: control-file-has-bad-owner preinst asif\/asif != root\/root
\nE: storcli: no-copyright-file
\nE: storcli: extended-description-is-empty
\nW: storcli: essential-no-not-needed
\nW: storcli: unknown-section storcli
\nE: storcli: depends-on-essential-package-without-using-version depends: bash
\nE: storcli: wrong-file-owner-uid-or-gid opt\/ 1000\/1000
\nW: storcli: non-standard-dir-perm opt\/ 0775 != 0755
\nE: storcli: wrong-file-owner-uid-or-gid opt\/MegaRAID\/ 1000\/1000
\nE: storcli: dir-or-file-in-opt opt\/MegaRAID\/
\nW: storcli: non-standard-dir-perm opt\/MegaRAID\/ 0775 != 0755
\nE: storcli: wrong-file-owner-uid-or-gid opt\/MegaRAID\/storcli\/ 1000\/1000
\nE: storcli: dir-or-file-in-opt opt\/MegaRAID\/storcli\/
\nW: storcli: non-standard-dir-perm opt\/MegaRAID\/storcli\/ 0775 != 0755
\nE: storcli: wrong-file-owner-uid-or-gid \u2026 use –no-tag-display-limit to see all (or pipe to a file\/program)
\nE: storcli: dir-or-file-in-opt opt\/MegaRAID\/storcli\/storcli
\nE: storcli: dir-or-file-in-opt \u2026 use –no-tag-display-limit to see all (or pipe to a file\/program)<\/p>\n\n\n\n

Some of the above are grave security problems, like wrong Unix mode for folders, even with the preinst script installed as non-root.
I always wonder why this type of tool needs to be proprietary. They clearly don’t know how to get packaging right, so they’d better just provide the source code, and let us (the Debian community) do the work for them. I don’t think there’s any secret that they are keeping by hiding how to configure the cards, so it’s not in the vendor’s interest to keep everything closed. Or maybe they are just hiding really bad code in there, that they are ashamed to share? In any way, they’d better not provide any package than this pile of dirt (and I’m trying to stay polite here…).
<\/p>\n","protected":false},"excerpt":{"rendered":"

So, Megacli is to be replaced by Storcli, both being proprietary tools for configuring RAID cards from LSI. So I went to download what’s provided by Lenovo, available here:https:\/\/support.lenovo.com\/fr\/en\/downloads\/ds041827 It’s very annoying, because they force users to download a .zip file containing a deb file, instead of providing a Debian repository. Well, ok, though at […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/posts\/376"}],"collection":[{"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=376"}],"version-history":[{"count":1,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":377,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=\/wp\/v2\/posts\/376\/revisions\/377"}],"wp:attachment":[{"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/thomas.goirand.fr\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}