Bug#231770: lintian: Add checks for prompting in maintainerscripts

To: 231770@bugs.debian.org
Subject: Bug#231770: lintian: Add checks for prompting in maintainerscripts
From: Luk Claes <luk@debian.org>
Date: Wed, 11 Apr 2007 08:46:36 +0200
Message-id: <[🔎] 461C844C.5010404@debian.org>
Reply-to: Luk Claes <luk@debian.org>, 231770@bugs.debian.org
In-reply-to: <[🔎] 87tzvovi50.fsf@windlord.stanford.edu>
References: <[🔎] 461B2F11.208@debian.org> <[🔎] 87tzvovi50.fsf@windlord.stanford.edu>

Russ Allbery wrote:
> Luk Claes <luk@debian.org> writes:
> 
>> tags 231770 +patch
>> thanks
> 
>> Hi
> 
>> Easy patch included for consideration.
> 
> My concern about the simple approach to this (which I never sent to the
> bug; my bad) is that the other major use of read besides prompting is for
> parsing files.  It's not uncommon to see a construct like:
> 
>     while read facility destination ; do
>         # do something with facility and destination
>     done < /etc/syslog.conf
> 
> Your patch won't produce false positives with this, but I don't know if
> there are any scripts that do something similar but don't use that
> explicit of a loop.  I don't see any in a quick check on my system, but I
> only have a few packages installed.

I would be surprised to see it happen, but if it happens we can always improve
the checking, no?

> The other problem is that some packages fall back on read when debconf
> isn't available (Postfix, for example) and others intentionally don't use
> debconf (libc6).  I'm not sure how to handle those cases, and this patch
> would definitely give false positives for Postfix unless we think that it
> shouldn't support a fallback if debconf is missing.  There are several
> other packages on my system with similar fallbacks (flex, fvwm, and
> openssh-server) in their *.preinst files.
> 
> I wonder if we could work around the case where read is used only as a
> fallback by not issuing this diagnostic for scripts that also try to use
> debconf and just assume that if the maintainer is using debconf at all,
> they know what they're doing.  That leaves the packages that are
> intentionally avoiding use of debconf, but maybe if we exempt essential
> packages from this check (plus things like libc6 that are essential in
> practice), that would cut the false positives down sufficiently.
> 
> What do you think?

Why would essential packages not try to use debconf if available?

I updated the patch a bit so that if db_input is used before the read it won't
barf:

-     my $cat_string = "";
+     my $cat_string = "";
+     my $seen_debconf = 0;

-         if (m/^\s*read(?:\s|$)) {
-             tag "read-in-maintainer-script", "$file:$.";
-         }
+         if (m/db_input/) {
+             $seen_debconf = 1;
+         }
+         if (m/^\s*read(?:\s|$)/ && !$seen_debconf) {
+             tag "read-in-maintainer-script", "$file:$.";
+         }

Cheers

Luk

-- 
Luk Claes - http://people.debian.org/~luk - GPG key 1024D/9B7C328D
Fingerprint:   D5AF 25FB 316B 53BB 08E7   F999 E544 DE07 9B7C 328D

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#231770: lintian: Add checks for prompting in maintainerscripts
  - From: Russ Allbery <rra@debian.org>

References:
- Bug#231770: lintian: Add checks for prompting in maintainerscripts
  - From: Luk Claes <luk@debian.org>
- Bug#231770: lintian: Add checks for prompting in maintainerscripts
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Bug#399714: marked as done (ANSI color output (attached))
Next by Date: Bug#418217: lintian: Please check for identical, non-linked binaries.
Previous by thread: Bug#231770: lintian: Add checks for prompting in maintainerscripts
Next by thread: Bug#231770: lintian: Add checks for prompting in maintainerscripts
Index(es):
- Date
- Thread