Review of new lintian tags
Hi,
Could you review and improve the new lintian tags?
Thank you
Bastien
diff --git a/checks/changelog-file.desc b/checks/changelog-file.desc
index 5cfd484..2c6607f 100644
--- a/checks/changelog-file.desc
+++ b/checks/changelog-file.desc
@@ -342,6 +342,13 @@ Info: The latest entries in the Debian changelog file and NEWS.Debian file
changelog information is canonical and the NEWS.Debian information is
ignored, but it may be confusing to users to have them be different.
+Tag: bad-intended-distibution
+Severity: normal
+Certainty: wild-guess
+Experimental: yes
+Info: The last changelog entry is intended to be uploaded
+ to a particular distribution, whereas the changelog said otherwise.
+
Tag: version-refers-to-distribution
Severity: minor
Certainty: certain
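Review bot: The new tag name in this hunk is misspelled, "bad-intended-distibution" should be "bad-intended-distribution"; tag names are hard to change once released and overrides refer to them literally, so fix it before this lands. The Info text is also hard to act on: "intended to be uploaded to a particular distribution, whereas the changelog said otherwise" does not say which two pieces of information disagree. Suggest something like "The distribution given in the latest changelog entry does not match the distribution the upload appears to be intended for", and name the second source in the description.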
diff --git a/checks/cruft.desc b/checks/cruft.desc
index c0e4e32..8d154b3 100644
--- a/checks/cruft.desc
+++ b/checks/cruft.desc
@@ -3,7 +3,7 @@ Author: Sean 'Shaleh' Perry <shaleh@debian.org>
Abbrev: deb
Type: source
Info: This looks for cruft in Debian packaging or upstream source
-Needs-Info: unpacked, debfiles, diffstat, file-info, index
+Needs-Info: unpacked, debfiles, diffstat, file-info, index, md5sums
Tag: native-package-with-dash-version
Severity: normal
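Review bot: Adding "md5sums" to Needs-Info is presumably for the license-problem-md5sum-* tags introduced later in this file, but nothing in the patch shows the check code or the data file those tags match against; please mention in the commit message where the md5sum lists live and make sure the collection script change is part of the same commit, otherwise the .desc entries reference tags that cannot fire.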
@@ -326,7 +326,7 @@ Info: The Debian diff or native package contains a file ending in
Tag: diff-contains-substvars
Severity: normal
Certainty: certain
-Info: Lintian found a substvars file in the Debian diff for this source
+Info: Lintian found a substvars file in the Debian diff for this source
package. The debian/substvars (or debian/<tt>package</tt>.substvars) file
is usually generated and modified dynamically by debian/rules targets, in
which case it must be removed by the clean target.
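Review bot: The only visible change to the diff-contains-substvars Info line is whitespace (the removed and added lines read identically), so this looks like a trailing-whitespace fix that got mixed into a feature patch; either drop it or note it in the commit message so reviewers are not left looking for a semantic difference.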
@@ -432,6 +432,32 @@ Info: The source tarball contains a prebuilt ELF object. They are usually
directory first. You may want to report this as an upstream bug, in case
there is no sign that this was intended.
+Tag: source-contains-prebuilt-flash-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt flash object. They are usually
+ left by mistake when generating the tarball by not cleaning the source
+ directory first. You may want to report this as an upstream bug, in case
+ there is no sign that this was intended. An exception is multimedia files.
+ .
+ Please also ensure that flash object is under the preferred form
+ of modification.
+
+Tag: source-contains-prebuilt-java-object
+Severity: pedantic
+Certainty: possible
+Info: The source tarball contains a prebuilt java object. They are usually
+ left by mistake when generating the tarball by not cleaning the source
+ directory first. You may want to report this as an upstream bug, in case
+ there is no sign that this was intended.
+
+Tag: source-contains-prebuilt-silverlight-object
+Severity: serious
+Certainty: possible
+Info: The source tarball contains a prebuilt silverlight object.
+ This file are not buildable under debian and need non free
+ dependencies. This must be completely removed.
+
Tag: source-contains-prebuilt-windows-binary
Severity: pedantic
Certainty: certain
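Review bot: The silverlight tag is "Severity: serious" with "Certainty: possible" and an Info that asserts "This must be completely removed", yet the flash and java tags for the same situation (a prebuilt object in the tarball) are only pedantic; please either justify the difference in the Info text or align the severities. Grammar fixes needed: "This file are not buildable under debian and need non free dependencies" should read "This file is not buildable in Debian and needs non-free dependencies", and "An exception is multimedia files" in the flash tag is ambiguous (is a .swf used as a video an exception, or not?). "ensure that flash object is under the preferred form of modification" should say "ensure that the source of the flash object, in its preferred form for modification, is available".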
@@ -502,6 +528,21 @@ Info: The given source file is licensed under GFDL with invariant
Ref: http://wiki.debian.org/qa.debian.org/gfdlinvariant,
http://www.debian.org/vote/2006/vote_001
+Tag: license-problem-non-free-rfc
+Severity: serious
+Certainty: possible
+Info: The given source file is licensed under the newer RFC
+ license
+ .
+ The majority of IETF documents, such as RFCs, are not licensed
+ under DFSG-free terms, and should thus not be included in Debian's main.
+ .
+ Should this file be multi-licensed, please override the tag.
+ .
+ Should this be a false-positive, please report a bug.
+Ref: https://wiki.debian.org/NonFreeIETFDocuments
+
+
Tag: license-problem-gfdl-invariants-empty
Severity: minor
Certainty: possible
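Review bot: The first Info paragraph of license-problem-non-free-rfc is broken: "licensed under the newer RFC" ends mid-sentence and " license" sits on its own continuation line before the " ." separator, so the rendered paragraph reads "licensed under the newer RFC license" with no full stop and no explanation of what "newer" means relative to which older license. Suggest one line: "The given source file is licensed under the newer (post-2008) IETF RFC license." only if that date is what the check actually matches; otherwise drop "newer". Also remove one of the two blank "+" lines before the next Tag; a single blank line is the separator used elsewhere in this file.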
@@ -514,6 +555,52 @@ Info: The given source file is licensed under GFDL, but without any
Ref: http://wiki.debian.org/qa.debian.org/gfdlinvariant,
http://www.debian.org/vote/2006/vote_001
+Tag: license-problem-nvidia-intellectual
+Severity: serious
+Certainty: possible
+Info: The given source file include part license under a
+ non-distributable license from NVIDIA. Therefore, it is
+ not even possible to ship this in non-free.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the ftp-masters to remove the package.
+ .
+ If the package has been uploaded to Debian before, please
+ remember to also notify snapshot.debian.org about this
+ package containing a non-distributable file.
+ .
+ Should this be a false-positive, please report a bug
+ against lintian.
+
+Tag: license-problem-md5sum-non-distribuable-file
+Severity: serious
+Certainty: certain
+Info: The following file is not distribuable even in non free archive.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the ftp-masters to remove the package.
+ .
+ If the package has been uploaded to Debian before, please
+ remember to also notify snapshot.debian.org about this
+ package containing a non-distributable file.
+ .
+ Should this be a false-positive, please report a bug
+ against lintian.
+
+Tag: license-problem-md5sum-non-free-file
+Severity: serious
+Certainty: certain
+Info: The following file is not suitable for main or contrib.
+ .
+ Please re-package the package without the file (if possible)
+ or ask the ftp-masters to remove the package.
+ .
+ You could also split this package and move this file in the
+ non free archive.
+ .
+ Should this be a false-positive, please report a bug
+ against lintian.
+
Tag: source-contains-unsafe-symlink
Severity: serious
Certainty: possible
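Review bot: "license-problem-md5sum-non-distribuable-file" has "distribuable" misspelled in the tag name itself (and again in its Info line), which will be awkward to fix after release; rename to "license-problem-md5sum-non-distributable-file" now. The nvidia tag's first sentence, "The given source file include part license under a non-distributable license from NVIDIA", should read "The given source file includes parts licensed under a non-distributable NVIDIA license", and "non free archive" should be "non-free archive" throughout. Since all three tags give the same "re-package or ask the ftp-masters" advice, consider a shared Ref to the ftp-master removal procedure instead of repeating the text.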
diff --git a/checks/fields.desc b/checks/fields.desc
index 8db6465..80cbb23 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -390,6 +390,20 @@ Info: This non-native package lacks a <tt>Homepage</tt> field. If the
field to <tt>debian/control</tt>.
Ref: policy 5.6.23
+Tag: homepage-in-binary-package
+Severity: wishlist
+Certainty: possible
+Info: This non-native source package produces at least one binary package
+ with a <tt>Homepage</tt> field. However, the source package itself has
+ no <tt>Homepage</tt> field. Unfortunately, this results in some
+ source-based tools/services (e.g. the PTS) not linking to the homepage
+ of the upstream project.
+ .
+ Note that you can just move the <tt>Homepage</tt> field to the source
+ paragraph in <tt>debian/control</tt> and all binary packages from this
+ source will inherit the value by default.
+Ref: policy 5.6.23
+
Tag: homepage-for-cpan-package-contains-version
Severity: minor
Certainty: certain
@@ -573,6 +587,13 @@ Info: The package declares a build-depends on an essential package, e.g. dpkg,
is if you need a particular version of that package, in which case the
version should be given in the dependency.
+Tag: build-depends-on-an-obsolete-java-package
+Severity: normal
+Certainty: certain
+Ref: java-policy 2.2
+Info: The package build-depends on an obsolete java dependency
+ It should built-depends on default-jdk instead.
+
Tag: build-depends-on-non-build-package
Severity: important
Certainty: certain
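Review bot: The Info for build-depends-on-an-obsolete-java-package is missing a full stop after "dependency" and has a grammar slip: "It should built-depends on default-jdk instead." should read "It should build-depend on default-jdk instead." The description should also say which package triggered the tag (or refer to the list of obsolete JDK packages the check uses), since "an obsolete java dependency" gives the maintainer nothing to search for.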
@@ -974,13 +995,15 @@ Info: This package is also provided by one of the Perl core packages
Ref: policy 7.5
Tag: vcs-field-uses-not-recommended-uri-format
-Severity: minor
+Severity: normal
Certainty: possible
Info: The VCS-* field uses an URI which doesn't match the recommended
format, but still looks valid. Examples for not recommended URI formats
are protocols that require authentication (like SSH). Instead where
possible you should provide an URI that is accessible for everyone
without authentication.
+ .
+ This renders debcheckout(1) unusable in these cases.
Tag: vcs-field-uses-unknown-uri-format
Severity: normal
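Review bot: The added sentence "This renders debcheckout(1) unusable in these cases." overstates the problem described just above it: an SSH URI still works for people with access, it is anonymous checkouts that fail. Suggest "This prevents anonymous debcheckout(1) access to the repository." If that is the justification for raising the severity from minor to normal, say so in the commit message.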
diff --git a/checks/files.desc b/checks/files.desc
index b98f414..17fcfb4 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -70,9 +70,15 @@ Tag: package-installs-into-etc-rc.boot
Severity: serious
Certainty: certain
Info: The package installs files in the <tt>/etc/rc.boot</tt> directory,
- which is obsolete. See rc.boot(5) for details.
+ which is obsolete.
Ref: policy 9.3.4
+Tag: package-install-into-obsolete-dir
+Severity: normal
+Certainty: certain
+Info: The package installs files in an obsolete dir. You
+ should consider to move to newer path.
+
Tag: non-standard-file-permissions-for-etc-init.d-script
Severity: important
Certainty: certain
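Review bot: The removal of "See rc.boot(5) for details." from package-installs-into-etc-rc.boot is unexplained; if the manual page no longer exists, say so in the commit message. The new tag name "package-install-into-obsolete-dir" is inconsistent with the neighbouring "package-installs-into-etc-rc.boot"; use "package-installs-into-obsolete-dir". Its Info should name the obsolete directory and its replacement (the tag emits them, presumably) and read "You should consider moving to the newer path." rather than "consider to move to newer path".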
@@ -922,6 +928,105 @@ Info: This package contains an embedded copy of JavaScript libraries
package and symlink the library into the appropriate location.
Ref: policy 4.13
+Tag: privacy-breach-generic
+Severity: important
+Certainty: wild-guess
+Experimental: yes
+Info: This package creates a privacy breach by fetching some data from
+ an external website. Please remove these scripts or external html
+ resources.
+
+Tag: privacy-breach-google-adsense
+Severity: serious
+Certainty: possible
+Info: This package creates a privacy breach by using Google Adsense.
+ Google Adsense is a service run by Google that allows publishers of web
+ sites to automatically serve advertisements. Unfortunately, it requires
+ tracking and breaching privacy of our users.
+ .
+ This tag can also indicate the use of related obsolete privacy breaker
+ software, Urchin WebAnalytics.
+ .
+ Note that using Google Adsense in a local copy of a page is a violation of
+ Google Adsense terms of use. This violation renders this package not
+ distributable in Debian, and thus a serious bug.
+
+Tag: privacy-breach-donation
+Severity: serious
+Certainty: possible
+Ref: https://wiki.debian.org/UpstreamMetadata
+Info: This package create a privacy breach by fetching some data from
+ a donation website.
+ .
+ Please remove these privacy problem and add a note on debian/upstream
+ file using the donation field.
+
+Tag: privacy-breach-logo
+Severity: serious
+Certainty: possible
+Info: This package phone home by retrieving some logo.
+ .
+ Before using a local copy you should be sure that the corresponding
+ logo is suitable for main. Ask debian-legal for advices.
+
+Tag: privacy-breach-facebook
+Severity: serious
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ facebook like share or like buttons.
+ Please remove these scripts or frames.
+
+Tag: privacy-breach-google-cse
+Severity: serious
+Certainty: possible
+Info: This package create a privacy breach by fetching some data from
+ google search engine and feed some private data to google.
+ Please remove these scripts.
+
+Tag: privacy-breach-piwik
+Severity: serious
+Certainty: possible
+Info: This package creates a privacy breach by using piwik.
+ Piwik is a free and open source web analytics application.
+ .
+ Even if piwik is free and respect the "do not track" browser
+ option, it is nevertheless a breach on our user privacy.
+
+Tag: privacy-breach-statistics-website
+Severity: important
+Certainty: possible
+Info: This package creates a privacy breach by fetching some
+ data from external website in order to made visitor statistics.
+ .
+ Please remove these scripts from the local copy of the page.
+ .
+ Please ask upstream to use free software piwik that respect
+ "do not track" browser option.
+ .
+ This tag include the following website:
+ - cruel-carlota.pagodabox.com
+ - linkexchange.com (defunct)
+ - nedstatbasic.net
+ - statcounter.com
+ - sitemeter.com
+ - webstats.motigo.com
+
+Tag: privacy-breach-w3c-valid-html
+Severity: serious
+Certainty: possible
+Ref: http://validator.w3.org/docs/help.html#icon,
+ http://www.w3.org/Consortium/Legal/logo-usage-20000308
+Info: This package creates a privacy breach by w3c valid documents icons.
+ .
+ To show readers that one has taken some care to create an interoperable
+ Web page, a "W3C valid" badge may be displayed on any page that validates.
+ .
+ Unfortunatly it means phoning home and download image from w3c website,
+ and thus allowing to track users.
+ .
+ Note that these icons are non free and must not be copied
+ inside the package. You could safely delete this "W3C valid" badge.
+
Tag: embedded-feedparser-library
Severity: normal
Certainty: certain
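Review bot: Several of the privacy-breach-* tags are "Severity: serious" with "Certainty: possible" (or "wild-guess" for the generic one), and "serious" in this file otherwise marks a policy violation; the Info texts describe a privacy concern, not a policy "must", so either cite the policy or project decision that makes this serious, or use important as the statistics tag does. Grammar in the new Info lines: "This package create a privacy breach" (donation, facebook, google-cse) should be "creates", "This package phone home" should be "phones home", "Unfortunatly" should be "Unfortunately", "Ask debian-legal for advices" should be "advice", "in order to made visitor statistics" should be "to gather visitor statistics", and "This tag include the following website:" should be "This tag covers the following websites:". The hostname list in privacy-breach-statistics-website will go stale quickly; consider keeping it in a data file that the check reads, so additions do not require editing the description. The google-adsense claim that a local copy "renders this package not distributable in Debian" needs a Ref to the terms of use it is based on.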
@@ -1040,9 +1145,8 @@ Severity: important
Certainty: certain
Ref: http://lists.debian.org/debian-devel/2009/03/msg00119.html
Info: Files in <tt>/etc/modprobe.d</tt> should use filenames ending in
- <tt>.conf</tt>. modprobe currently warns about files which do not match
- this convention and at some point in the future the files will no longer
- be processed.
+ <tt>.conf</tt>. modprobe silently ignores all files which do not match
+ this convention.
.
If the file is an example containing only comments, consider installing
it in another location as files in <tt>/etc/modprobe.d</tt> are
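Review bot: Changing the Info from "modprobe currently warns ... will no longer be processed" to "modprobe silently ignores all files" contradicts the 2009 debian-devel message still cited in Ref, which describes the warning behaviour; please add a Ref to the modprobe.d(5) page or the modprobe changelog that documents the current behaviour, or state the version from which files without .conf are ignored.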
@@ -1303,6 +1407,10 @@ Certainty: possible
Info: The arch all pkg-config file contains reference to an multi-arch path.
.
This can be usually be fixed by moving this file to a multi-arch path.
+ .
+ Another likely cause is using debhelper 9 or newer (thus enabling
+ multi-arch paths by default) on a non multi-arched package.
+ The usual cure is in this case to render your package multi-arch.
Tag: dir-or-file-in-home
Severity: serious
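Review bot: The last added sentence, "The usual cure is in this case to render your package multi-arch.", is awkward and does not say what "render multi-arch" means in practice; suggest "In that case the usual fix is to mark the package Multi-Arch (e.g. Multi-Arch: same) or to install the file in a non multi-arch path." Also "non multi-arched package" should be "non-multi-arch package".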
diff --git a/checks/rules.desc b/checks/rules.desc
index 2352c88..abc9d9e 100644
--- a/checks/rules.desc
+++ b/checks/rules.desc
@@ -77,7 +77,7 @@ Info: The <tt>debian/rules</tt> file for this package appears to
include a Makefile that has been deprecated. Please refer to the
documentation of the providing package for a replacement (if any).
-Tag: debian-rules-uses-pwd
+Tag: debian-rules-should-not-use-pwd
Severity: normal
Certainty: certain
Info: The <tt>debian/rules</tt> file for this package appears to use the
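Review bot: Renaming debian-rules-uses-pwd to debian-rules-should-not-use-pwd (and the other tags renamed in the later hunks of this patch) silently invalidates every existing override written against the old name; please document the old and new names in the changelog so maintainers can update their overrides, and if lintian has a mechanism for mapping renamed tags, add entries for each rename. A pure rename also deserves its own commit separate from the new tags, so the history shows which tags are new and which merely changed name.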
@@ -110,14 +110,14 @@ Info: A rule in the <tt>debian/rules</tt> file for this package calls the
so that other error messages from the clean or distclean rule will still
be caught (or just remove the "-" if the package uses a static makefile).
-Tag: debian-rules-uses-DEB_BUILD_OPTS
+Tag: debian-rules-should-not-use-DEB_BUILD_OPTS
Severity: normal
Certainty: certain
Info: The standard environment variable for build options is
DEB_BUILD_OPTIONS. Usually, referring to DEB_BUILD_OPTS is a mistake and
DEB_BUILD_OPTIONS was intended instead.
-Tag: debian-rules-automatically-updates-control
+Tag: debian-rules-should-not-automatically-update-control
Severity: serious
Certainty: possible
Info: DEB_AUTO_UPDATE_DEBIAN_CONTROL appears to be set to <tt>yes</tt> in
@@ -210,7 +210,7 @@ Info: The package appears to use an <tt>ExtUtils::MakeMaker</tt>
should be replaced with
make install DESTDIR=$(TMP) # RIGHT
-Tag: debian-rules-uses-or-modifies-user-only-variable
+Tag: debian-rules-should-not-use-or-modify-user-only-variable
Severity: normal
Certainty: possible
Ref: #631786
@@ -222,6 +222,21 @@ Info: The rules files appear to be reading or modifying a variable not
can be used by users, who wants to re-compile debian packages with
special (or non-standard) build flags.
+Tag: debian-rules-should-not-use-underscore-variable
+Severity: normal
+Certainty: possible
+Ref: policy 4.9
+Info: The rules file use the make variable $(_).
+ .
+ According to Policy 4.9, "invoking either of `make -f debian/rules
+ _args..._' or `./debian/rules _args..._' must result in identical
+ behavior." One way to inadvertently violate this policy is to use the $_
+ variable.
+ .
+ If rules file uses $(dir $(_)) to discover directory containing
+ source package (presumably in order to implement get-orig-source
+ target), please replace it by $(dir $(firstword $(MAKEFILE_LIST))).
+
Tag: package-would-benefit-from-build-arch-targets
Severity: normal
Certainty: certain
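Review bot: "The rules file use the make variable $(_)." should read "The rules file uses the make variable $(_)."; the third paragraph has similar slips ("If rules file uses", "to discover directory containing source package"), which should be "If the rules file uses $(dir $(_)) to discover the directory containing the source package". The Policy quotation is good; since the tag is "Certainty: possible", the Info should also say when $(_) is harmless (it is only wrong when it is read as the makefile's own path), so maintainers know when to override.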
diff --git a/checks/scripts.desc b/checks/scripts.desc
index f8f30f6..6e03135 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -359,7 +359,7 @@ Info: Maintainer scripts must not create device files directly. They
If <tt>mknod</tt> is being used to create a FIFO (named pipe), use
<tt>mkfifo</tt> instead to avoid triggering this tag.
-Tag: start-stop-daemon-in-maintainer-script
+Tag: maintainer-script-should-not-use-start-stop-daemon
Severity: normal
Certainty: certain
Info: The maintainer script seems to call <tt>start-stop-daemon</tt>
@@ -453,7 +453,7 @@ Info: This script calls update-xmlcatalog, which comes from the xml-core
dh_installxmlcatalogs, add a dependency on ${misc:Depends} and
dh_installxmlcatalogs will take care of this for you.
-Tag: update-alternatives-remove-called-in-postrm
+Tag: maintainer-script-should-not-use-update-alternatives-remove
Severity: normal
Certainty: certain
Info: <tt>update-alternatives --remove <alternative> foo</tt> is
@@ -470,7 +470,18 @@ Info: <tt>update-alternatives --remove <alternative> foo</tt> is
instead.
Ref: policy F, update-alternatives(8)
-Tag: deprecated-chown-usage
+Tag: maintainer-script-should-not-use-update-alternatives-set
+Severity: normal
+Certainty: certain
+Info: <tt>update-alternatives --set <alternative> foo</tt> or
+ <tt>update-alternatives --config <alternative></tt> or
+ <tt>update-alternatives --set-selections</tt>
+ called in maitainer script. Thus it's impossible to distinguish
+ between an alternative that's manually set because the user set it,
+ vs. one that's manually set because the package set it.
+Ref: update-alternatives(8)
+
+Tag: maintainer-script-should-not-use-deprecated-chown-usage
Severity: normal
Certainty: certain
Info: <tt>chown user.group</tt> is called in one of the maintainer
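Review bot: The new maintainer-script-should-not-use-update-alternatives-set Info has no main verb: "<tt>update-alternatives --set ...</tt> or ... called in maitainer script." needs "is called in a maintainer script" and "maitainer" is misspelled. The second sentence is also unclear about the consequence; suggest "This makes it impossible to distinguish an alternative the local administrator set manually from one the package set, so the package effectively overrides the administrator's choice." Since the old deprecated-chown-usage tag is replaced here, the rename also needs to be noted for existing overrides.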
@@ -479,7 +490,7 @@ Info: <tt>chown user.group</tt> is called in one of the maintainer
as a system uses the "." in user or group names.
Ref: chown(1)
-Tag: maintainer-script-hides-init-failure
+Tag: maintainer-script-should-not-hide-init-failure
Severity: normal
Certainty: certain
Info: This script calls invoke-rc.d to run an init script but then, if the
@@ -501,13 +512,13 @@ Info: This script apparently runs an init script directly rather than
available.
Ref: policy 9.3.3.2
-Tag: gconftool-used-in-maintainer-script
+Tag: maintainer-script-should-not-use-gconftool
Severity: normal
Certainty: possible
Info: This script apparently runs gconftool or gconftool-2. It should
probably be calling gconf-schemas or update-gconf-defaults instead.
-Tag: fc-cache-used-in-maintainer-script
+Tag: maintainer-script-should-not-use-fc-cache
Severity: normal
Certainty: possible
Info: This script apparently runs fc-cache. Updating of the fontconfig
@@ -515,7 +526,7 @@ Info: This script apparently runs fc-cache. Updating of the fontconfig
from maintainer scripts is no longer necessary.
Tag: install-info-used-in-maintainer-script
-Severity: normal
+Severity: serious
Certainty: possible
Info: This script apparently runs <tt>install-info</tt>. Updating the
<tt>/usr/share/info/dir</tt> file is now handled automatically by
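Review bot: Raising install-info-used-in-maintainer-script from normal to serious is not explained: the Info text only says the work "is now handled automatically", which describes a redundant call, not the severe policy violation that "serious" signifies elsewhere in this file. If the justification is that install-info is gone from the base system so the call breaks installs, add that to the Info and cite the relevant policy or transition; otherwise keep the severity at normal or important.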
@@ -525,7 +536,7 @@ Info: This script apparently runs <tt>install-info</tt>. Updating the
If debhelper generated the maintainer script fragment, rebuilding the
package with debhelper 7.2.17 or later will fix this problem.
-Tag: maintainer-script-uses-dpkg-status-directly
+Tag: maintainer-script-should-not-use-dpkg-status-directly
Severity: important
Certainty: certain
Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or
@@ -539,7 +550,7 @@ Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or
instead.
Ref: http://wiki.debian.org/DpkgConffileHandling
-Tag: maintainer-script-modifies-netbase-managed-file
+Tag: maintainer-script-should-not-modify-netbase-managed-file
Severity: serious
Certainty: certain
Info: The maintainer script modifies at least one of the files
@@ -556,7 +567,7 @@ Info: The maintainer script modifies <tt>/etc/inetd.conf</tt> directly.
<tt>update-inetd</tt> script or the <tt>DebianNet.pm</tt> Perl module.
Ref: policy 11.2
-Tag: maintainer-script-modifies-ld-so-conf
+Tag: maintainer-script-should-not-modify-ld-so-conf
Severity: important
Certainty: possible
Info: This package appears to modify <tt>/etc/ld.so.conf</tt> and does not
@@ -573,15 +584,33 @@ Info: This package appears to modify <tt>/etc/ld.so.conf</tt> and does not
packages may cause random segfaults and difficult-to-debug problems
instead of conflicts in the package manager.
-Tag: install-sgmlcatalog-deprecated
+Tag: maintainer-script-should-not-use-install-sgmlcatalog
+Severity: important
+Certainty: certain
+Info: The maintainer script apparently runs install-sgmlcatalog.
+ install-sgmlcatalog is deprecated and should only have been used
+ in postinst or prerm to remove the entries from earlier packages.
+ Given how long ago this transition was, consider removing it
+ entirely.
+
+Tag: maintainer-script-should-not-use-service
Severity: important
Certainty: certain
-Info: The maintainer script apparently runs install-sgmlcatalog with flags
- other than <tt>--quiet</tt> and <tt>--remove</tt> or in a maintainer
- script other than postinst or prerm. install-sgmlcatalog is deprecated
- and should only be used in postinst or prerm to remove the entries from
- earlier packages. Given how long ago this transition was, consider
- removing it entirely.
+Experimental: yes
+Info: The maintainer script apparently runs service command.
+ This command is reserved for local
+ administrators and must never be used by a Debian package.
+
+Tag: maintainer-script-should-not-use-adduser-system-without-home
+Severity: serious
+Certainty: certain
+Info: The maintainer script apparently runs adduser --system
+ without specifying --home option outside /home/.
+ The FHS says "/home is a fairly standard concept, but it
+ is clearly a site-specific filesystem. The setup will differ
+ from host to host. Therefore, no program should rely on this
+ location."
+Ref: fhs homeuserhomedirectories
Tag: maintainer-script-empty
Severity: minor
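Review bot: The rewritten install-sgmlcatalog tag drops the distinction the old Info made between the tolerated use (<tt>--quiet --remove</tt> in postinst or prerm) and everything else, yet keeps "Certainty: certain"; unless the check itself no longer allows the tolerated form, the new Info will be misleading for the remaining legitimate removals, so either keep the old wording or state that any use now triggers the tag. For maintainer-script-should-not-use-service, "must never be used by a Debian package" with "Certainty: certain" sits oddly with "Experimental: yes" and "Severity: important"; add a Ref (policy or the debian-devel thread) for the "must never" claim and write "runs the service command". In the adduser tag, "without specifying --home option outside /home/" should read "without specifying a --home option pointing outside /home/", and the Ref "fhs homeuserhomedirectories" should use the same form as other FHS references in these files.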
@@ -628,14 +657,14 @@ Info: The indicated program run in a maintainer script has a prepended
workarounds in the developer's reference can be used.
Ref: policy 6.1, devref 6.4
-Tag: ancient-dpkg-epoch-check
+Tag: maintainer-script-should-not-use-ancient-dpkg-epoch-check
Severity: minor
Certainty: certain
Info: The package calls dpkg --assert-working-epoch in a maintainer
script. This check is obsolete and has always returned true since dpkg
1.4.0.7, released 1997-01-25.
-Tag: ancient-dpkg-multi-conrep-check
+Tag: maintainer-script-should-not-use-ancient-dpkg-multi-conrep-check
Severity: minor
Certainty: certain
Info: The package calls dpkg --assert-multi-conrep in a maintainer
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index f35ce8c..b2ae481 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -138,6 +138,38 @@ Info: The watch file specifies an upstream version number which matches
upstream version. Otherwise, DEHS and similar projects will think the
package is out of date even when it may not be.
+Tag: debian-watch-may-check-gpg-signature
+Severity: pedantic
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file does not include a means to verify
+ the upstream tar using cryptographic signature.
+ .
+ If upstream distributions provide such signatures please
+ use the pgpsigurlmangle options in this watch file
+ opts= to generate the upstream URL of an GPG signature.
+ This signature is automatically downloaded and verified
+ against a keyring stored in debian/upstream-signing-key.pgp
+ .
+ Of course, not all upstream distributions provide such
+ signatures but you could try to request such signatures
+ from upstream and thus verifying that not a third party
+ modified the code after the release against the will
+ of upstream. We all know the phpmyadmin, unrealircd
+ or proftpd security bugs (only to mention some of
+ them). This would at least make it a lot harder for an
+ attacker to get such code to a wider audience through
+ distributions like Debian.
+
+Tag: debian-watch-file-pubkey-file-is-missing
+Severity: important
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file verify cryptographic signature but
+ the upstream public key is missing.
+ .
+ Please add upstream public keys in debian/upstream-signing-key.pgp.
+
Tag: debian-watch-contains-dh_make-template
Severity: wishlist
Certainty: certain
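Review bot: The second Info paragraph of debian-watch-may-check-gpg-signature is opinion rather than description ("We all know the phpmyadmin, unrealircd or proftpd security bugs ... This would at least make it a lot harder for an attacker"); tag descriptions should state the check and the fix, so replace that paragraph with one sentence ("Verifying upstream signatures protects against tampered release tarballs.") and, if the incidents are worth citing, put links in Ref. Grammar: "the upstream tar" should be "the upstream tarball", "an GPG signature" should be "a GPG signature", "use the pgpsigurlmangle options in this watch file opts=" should read "use the pgpsigurlmangle option in the opts= part of the watch file", and in the second tag "This watch file verify cryptographic signature" should be "This watch file verifies cryptographic signatures". Since uscan(1) is cited, consider also stating the exact keyring path it reads so the two tags agree with uscan rather than with each other.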