Bug#856975: lintian: add a check for wrong uses of Multi-Arch: foreign on shared libraries

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#856975: lintian: add a check for wrong uses of Multi-Arch: foreign on shared libraries
From: Helmut Grohne <helmut@subdivi.de>
Date: Mon, 6 Mar 2017 21:05:19 +0100
Message-id: <[🔎] 20170306200517.jdzgq2u6ypnjwmnv@alf.mars>
Reply-to: Helmut Grohne <helmut@subdivi.de>, 856975@bugs.debian.org

Package: lintian
Version: 2.5.50.1
Severity: wishlist
Tags: patch
User: helmutg@debian.org
Usertags: rebootstrap

While working on cross building the Debian archive, I noticed a pattern.
A number of packages are marked Multi-Arch: foreign even though they
shouldn't be. If you look into the conflicts table of
https://bootstrap.debian.net/cross_all.html, you'll notice a number of
conflicts where both chains start with a -dev package. For instance,
src:kdepim-runtime has chains to libkf5service-bin via
libkf5akonadicontact-dev and libkf5textwidgets-dev. Why would both
chains (host and build arch) start with a -dev package? Because one of
them is wrongly marked Multi-Arch: foreign.

After a bit of research and fruitful discussion with Guillem Jover and
Johannes Schauer, we spot a subpattern. The following condition seems to
identify some wrong uses of Multi-Arch: foreign with high precision
(presently no known false positives):
 * A binary package is architecture-dependent (not Architecture: all).
 * It has Multi-Arch: foreign of course.
 * It ships a shared library in a public search path (i.e. a .so file,
   in most cases the symlink in a -dev package).
 * It does not ship any programs on $PATH.

The last condition filters a number of false positives that would
otherwise occur. Some tools ship private shared libraries or plugins on
the public library search path. Such use can be compatible with
Multi-Arch: foreign (e.g.  binutils-<triplet>).

Presently the check will identify the following binary packages (of sid
main amd64) and it is reported by the multiarch hinter[1]:

libcaffe-cpu-dev libfoma-dev libgexiv2-dev libgmsh-dev
libgtkdataboxmm-dev libimobiledevice-dev libjava-gmsh2
libkf5akonadicontact-dev libkf5akonadinotes-dev libkf5akonadisearch-dev
libkf5akonadisocialutils-dev libkf5alarmcalendar-dev libkf5blog-dev
libkf5calendarutils-dev libkf5gapi-dev libkf5gpgmepp-dev
libkf5identitymanagement-dev libkf5imap-dev libkf5kdelibs4support-dev
libkf5kontactinterface-dev libkf5mailtransport-dev libkf5mbox-dev
libkf5mime-dev libkf5pimtextedit-dev libkf5syndication-dev
libkf5tnef-dev liblognorm-dev libpocl-dev libpoclu-dev libquadrule-dev
libsnl-dev libsquirrel-dev libtet1.5-dev

In the attached patch, the new tag is called
multiarch-foreign-shared-library. Guillem Jover proposed
multiarch-foreign-with-shared-library instead, but since most hits are
primarily shared libraries, I currently prefer to stick with the shorter
name.

Johannes Schauer questioned the use of Certainty: wild-guess. I am not
sure what to put here as even empty-binary-package (which looks pretty
reliable to me) is marked as wild-guess. Thus I went conservative.

So please consider adding this new check for buster. Also excuse my bad
perl and tell me how to improve it.

Helmut

[1] https://wiki.debian.org/MultiArch/Hints

diff --minimal -Nru lintian-2.5.50.1/checks/files.desc lintian-2.5.50.1+nmu1/checks/files.desc
--- lintian-2.5.50.1/checks/files.desc	2016-12-01 21:31:08.000000000 +0100
+++ lintian-2.5.50.1+nmu1/checks/files.desc	2017-03-05 21:15:32.000000000 +0100
@@ -1729,3 +1729,14 @@
  not contain the actual directory itself.  Some tools do not cope
  very well with this case. Notably Lintian prior to 2.5.32 would
  crash on such packages.
+
+Tag: multiarch-foreign-shared-library
+Severity: important
+Certainty: wild-guess
+Info: The package is architecture-dependent, ships a shared library in
+ a public library search path and is marked Multi-Arch: foreign. Typically,
+ shared libraries are marked Multi-Arch: same when possible. Sometimes, private
+ shared libraries are put into the public library search path to accomodate
+ programs in the same package, but this package does not contain any programs.
+ .
+ Please remove the Multi-Arch: foreign stanza.
diff --minimal -Nru lintian-2.5.50.1/checks/files.pm lintian-2.5.50.1+nmu1/checks/files.pm
--- lintian-2.5.50.1/checks/files.pm	2017-01-29 21:00:48.000000000 +0100
+++ lintian-2.5.50.1+nmu1/checks/files.pm	2017-03-05 21:22:01.000000000 +0100
@@ -259,7 +259,8 @@
 
 sub run {
     my ($pkg, $type, $info, $proc) = @_;
-    my ($is_python, $is_perl, $has_binary_perl_file);
+    my ($is_python, $is_perl, $has_binary_perl_file, $has_public_executable,
+        $has_public_shared_library);
     my @nonbinary_perl_files_in_lib;
     my %linked_against_libvga;
     my @devhelp;
@@ -274,7 +275,7 @@
     my $source_pkg = $proc->pkg_src;
     my $pkg_section = $info->field('section', '');
     my $arch = $info->field('architecture', '');
-    my $isma_same = $info->field('multi-arch', '') eq 'same';
+    my $multiarch = $info->field('multi-arch', 'no');
     my $ppkg = quotemeta($pkg);
 
     # get the last changelog timestamp
@@ -358,6 +359,7 @@
         $arch_dep_files = 1 if $fname !~ m,^usr/share/,o && $fname ne 'usr/';
 
         if (exists($PATH_DIRECTORIES{$file->dirname})) {
+            $has_public_executable = 1;
             tag 'file-name-in-PATH-is-not-ASCII', $file
               if $file->basename !~ m{\A [[:ascii:]]++ \Z}xsm;
         } elsif (!is_string_utf8_encoded($fname)) {
@@ -847,7 +849,6 @@
                             or index($block,'pkg-config')  > -1)
                       ) {
                         tag 'old-style-config-script',$file;
-                        my $multiarch = $info->field('multi-arch', 'no');
                         # could be ok but only if multi-arch: no
                         if($multiarch ne 'no' or $arch eq 'all') {
                             # check multi-arch path
@@ -1084,6 +1085,11 @@
             }
         }
 
+        if ($fname =~ m,(?:usr/)?lib/(?:([^/]+)/)?lib[^/]*\.so$,) {
+            $has_public_shared_library = 1
+              if (!defined($1) || $TRIPLETS->known($1));
+        }
+
         # ---------------- .pyc/.pyo (compiled Python files)
         #  skip any file installed inside a __pycache__ directory
         #  - we have a separate check for that directory.
@@ -1549,7 +1555,7 @@
                     }
                     close($fd);
                     if ($mtime != 0) {
-                        if ($isma_same && $file !~ m/\Q$arch\E/) {
+                        if ($multiarch eq 'same' && $file !~ m/\Q$arch\E/) {
                             tag 'gzip-file-is-not-multi-arch-same-safe',$file;
                         } else {
                             # see https://bugs.debian.org/762105
@@ -1932,6 +1938,12 @@
         tag 'package-mixes-misc-and-dpi-fonts';
     }
 
+    tag 'multiarch-foreign-shared-library'
+      if $arch ne 'all'
+          and $multiarch eq 'foreign'
+          and $has_public_shared_library
+          and !$has_public_executable;
+
     return;
 }
 
diff --minimal -Nru lintian-2.5.50.1/debian/changelog lintian-2.5.50.1+nmu1/debian/changelog
--- lintian-2.5.50.1/debian/changelog	2017-02-04 16:05:07.000000000 +0100
+++ lintian-2.5.50.1+nmu1/debian/changelog	2017-03-05 21:22:21.000000000 +0100
@@ -1,3 +1,10 @@
+lintian (2.5.50.1+nmu1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * New tag: multiarch-foreign-shared-library
+
+ -- Helmut Grohne <helmut@subdivi.de>  Sun, 05 Mar 2017 21:22:21 +0100
+
 lintian (2.5.50.1) unstable; urgency=medium
 
   * debian/copyright:

Reply to:

Next by Date: Bug#857028: debhelper: dh_gencontrol should discard Multi-Arch: no
Next by thread: Bug#857028: debhelper: dh_gencontrol should discard Multi-Arch: no
Index(es):
- Date
- Thread