Bug#471537: check for repackaged .orig.tar.gz
package: lintian
severity: wishlist
It would be nice if lintian could warn against repackaged .orig.tar.gz,
and sources repackaged in non-recommended ways.
Attached is a patch that at least seems to be able to detect dh_make's
--createorig usage properly. As both my English language skills and my Perl
skills could be better, I'm not setting the patch tag.
Hochachtungsvoll,
Bernhard R. Link
Index: checks/upstreamtar.desc
===================================================================
--- checks/upstreamtar.desc (Revision 0)
+++ checks/upstreamtar.desc (Revision 0)
@@ -0,0 +1,52 @@
+Check-Script: upstreamtar
+Author: Bernhard R. Link <brlink@debian.org>
+Type: source
+Unpack-Level: 2
+Info: This checks for a unadvertised upstream tar.
+Needs-Info: tarfilelist, debfiles, copyright-file
+Abbrev: tar
+
+Tag: repackaged-source-not-advertised
+Type: warning
+Info: The .orig.tar.gz file looks repackaged, but there was found not hint
+ about this in debian/copyright.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ If you repackaged the upstream source on purpose, please inform the
+ users in debian/copyright how and why. (This test looks for the phrase
+ "repackaged" there).
+ .
+ Legitimate reasons for repackaging are: Upstream not releasing a .tar
+ file; upstream's tarball contains non-DFSG-free material or upstream's
+ tarball is huge compared to the used parts.
+ .
+ You do not need to repackage only because upstream's tarball has the
+ no top-level directory (dpkg-source can handle that) or only bacause
+ upstream's tarball uses a different compression algorithm (you can
+ just uncompress and gzip without touching the tarball).
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+ .
+ Note that an .orig.tar.gz already in the archive cannot be changed,
+ so the best way to deal with this when this is not the first upload
+ of this upstream version is to note in debian/copyright that it
+ was repackaged by mistake and that the contents are the same (or how
+ they differ).
+
+Tag: repackaged-source-without-get-orig-source
+Type: info
+Info: The .orig.tar.gz file looks repackaged, but there is no
+ get-orig-source target in debian/rules.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+
+Tag: empty-upstream-source
+Type: error
+Info: The .orig.tar.gz file is empty.
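Review bot: `Needs-Info` lists `copyright-file`, but the check script in this patch reads `debfiles/copyright` directly, so that dependency looks unused and only `tarfilelist, debfiles` seem to be needed; worth confirming and trimming. The tag text is shown to users and has several slips: `a unadvertised`, `there was found not hint`, `bacause`, `futher`, `has the no top-level directory`. For the first tag I would write `Info: The .orig.tar.gz file looks repackaged, but no hint about this was found in debian/copyright.`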
Index: checks/upstreamtar
===================================================================
--- checks/upstreamtar (Revision 0)
+++ checks/upstreamtar (Revision 0)
@@ -0,0 +1,141 @@
+# upstreamtar -- lintian check script -*- perl -*-
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::upstreamtar;
+use strict;
+
+use Dep;
+use Tags;
+use Util;
+
+use Cwd;
+use File::Find;
+use File::Basename;
+
+my $pkg;
+
+sub run {
+
+ $pkg = shift;
+ my $type = shift;
+
+ open (VERSION, '<', "fields/version")
+ or fail("cannot open fields/version: $!");
+ chomp(my $version = <VERSION>);
+ close VERSION;
+
+ (@_ = _valid_version($version)) or exit 0;
+ my ($epoch, $upstream, $debian) = @_;
+
+ unless (defined $debian) {return 1};
+
+# TODO: try to extract guess upstream version to see if anything
+# like ds dfsg was added and warn if .orig.tar does not contain a
+# package.orig directory then later.
+
+ my $repackaged = check_repackaged($pkg, $upstream);
+
+ unless( defined($repackaged) ) {
+ return 1;
+ }
+
+# check contents of copyright file
+
+ if ($repackaged && read_copyright_file() !~ m,repackaged,) {
+ tag "repackaged-source-not-advertised";
+ }
+
+ if (-l "debfiles/rules") {
+ return 1 unless -f "debfiles/rules";
+ }
+
+ my $has_get_orig_source = check_get_orig_source();
+
+ if ($repackaged && !$has_get_orig_source ) {
+ tag "repackaged-source-without-get-orig-source";
+ }
+
+ return 1;
+} # </run>
+
+# -----------------------------------
+
+sub read_copyright_file {
+ open(IN, '<', "debfiles/copyright") or fail("cannot open copyright file copyright: $!");
+# gulp whole file
+ local $/ = undef;
+ $_ = <IN>;
+ close(IN);
+ return $_;
+}
+
+sub check_get_orig_source {
+ open(IN, '<', 'debfiles/rules') or fail("Failed opening rules: $!");
+ while( <IN> ) {
+ if (/^get-orig-source:/) {
+ return 1;
+ }
+ # Assume get-orig-source is in some included file, if it is
+ # marked as phony
+ if (/^.PHONY: .* get-orig-source\b/) {
+ return 1;
+ }
+ }
+ close(IN);
+ return 0;
+}
+
+# Check if the .orig.tar.gz contaisn
+sub check_repackaged {
+ my ($pkg, $upstream) = @_;
+ my $repackaged = undef;
+
+ open(LIST, '<', "tarfilelist") or return undef;
+ local $_;
+ while (<LIST>) {
+ s,^\./,,;
+ next if /^$/;
+ if ($_ =~ m(^$pkg[^/]*\.orig/)) {
+ $repackaged = 1;
+ } else {
+ $repackaged = 0;
+ }
+ last;
+ }
+ close(LIST) or fail("error reading tarfilelist file: $!");
+ unless (defined($repackaged)) {
+ tag "empty-upstream-source";
+ }
+ return $repackaged;
+}
+
+sub _valid_version {
+ my $ver = shift;
+
+# epoch check means nothing here... This check is only useful to detect
+# weird characters in version (and to get the debian revision)
+ if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+ return ($1, $2, $3);
+ } else {
+ return ();
+ }
+}
+
+
+1;
+# vim: syntax=perl sw=4 ts=4 noet shiftround
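Review bot: In check_repackaged, `$pkg` is interpolated unquoted into `m(^$pkg[^/]*\.orig/)`, so a package name containing `+` or `.` (both legal in Debian package names) is read as regex syntax and the first-entry test can misfire in either direction; quote it as `if ($_ =~ m{^\Q$pkg\E[^/]*\.orig/}) {`. In run, `(@_ = _valid_version($version)) or exit 0;` leaves through exit rather than returning, which would presumably end the whole lintian process if checks run in-process; `or return 1;` matches the other early exits in the sub. read_copyright_file opens debfiles/copyright without the symlink test that run applies to debfiles/rules, and that test only confirms the link target is a regular file, so for an untrusted source package both reads may follow a link outside the unpacked tree; a `-l` refusal before each open would close that. The copyright match `!~ m,repackaged,` is case-sensitive, so a sentence starting with "Repackaged" would still trigger the warning; `m,repackaged,i` avoids that.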
Index: collection/tarfilelist
===================================================================
--- collection/tarfilelist (Revision 0)
+++ collection/tarfilelist (Revision 0)
@@ -0,0 +1,85 @@
+#!/usr/bin/perl -w
+# tarfilelist -- lintian collection script for source packages
+
+# Copyright (C) 2008 Bernhard R. Link
+# based on diffstat, which is:
+# Copyright (C) 1998 Richard Braakman
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+use strict;
+
+my $LINTIAN_ROOT = $ENV{'LINTIAN_ROOT'} || '/usr/share/lintian';
+
+($#ARGV == 1) or fail("syntax: tarfilelist <pkg>");
+my $pkg = shift;
+
+-f "fields/version" or fail("tarfilelist invoked in wrong directory");
+
+open (V, '<', "fields/version") or fail("cannot open fields/version: $!");
+my $ver = <V>; chomp $ver;
+close V;
+
+(@_ = _valid_version($ver)) or exit 0;
+my ($epoch, $upstream, $debian) = @_;
+unless (defined($debian)) {
+ exit 0
+}
+
+my $tar_file = "${pkg}_${upstream}.orig.tar.gz";
+unless (-f $tar_file ) {
+ $tar_file = "${pkg}_${upstream}.orig.tar.bz2";
+}
+unless (-f $tar_file ) {
+ $tar_file = "${pkg}_${upstream}.orig.tar.lzma";
+}
+unless (-f $tar_file) {
+ exit 0;
+}
+
+use lib "$ENV{'LINTIAN_ROOT'}/lib";
+use Pipeline;
+pipeline((sub { exec('tar', '-tf', $tar_file); }),
+ "tarfilelist"
+ );
+
+exit 0;
+
+# -----------------------------------
+
+sub fail {
+ if ($_[0]) {
+ print STDERR "internal error: $_[0]\n";
+ } elsif ($!) {
+ print STDERR "internal error: $!\n";
+ } else {
+ print STDERR "internal error.\n";
+ }
+ exit 1;
+}
+
+sub _valid_version {
+ my $ver = shift;
+
+ # epoch check means nothing here... This check is only useful to detect
+ # weird characters in version (and to get the debian revision)
+ if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+ return ($1, $2, $3);
+ } else {
+ return ();
+ }
+}
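Review bot: `use lib "$ENV{'LINTIAN_ROOT'}/lib";` runs at compile time, so the `/usr/share/lintian` fallback assigned to `$LINTIAN_ROOT` near the top of the script never reaches it: with LINTIAN_ROOT unset the search path becomes `/lib`, and `use Pipeline` will most likely fail or load an unintended module. Apply the default inside the statement, `use lib (($ENV{'LINTIAN_ROOT'} || '/usr/share/lintian') . '/lib');`, after which the otherwise unused `$LINTIAN_ROOT` can go. The `exec('tar', '-tf', $tar_file)` callback has no failure path; `exec('tar', '-tf', $tar_file) or fail("cannot exec tar: $!");` keeps a failed exec from falling through in the child. `_valid_version` is duplicated verbatim from checks/upstreamtar and would be better shared.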
Eigenschaftsänderungen: collection/tarfilelist
___________________________________________________________________
Name: svn:executable
+ *
Index: collection/tarfilelist.desc
===================================================================
--- collection/tarfilelist.desc (Revision 0)
+++ collection/tarfilelist.desc (Revision 0)
@@ -0,0 +1,7 @@
+Collector-Script: tarfilelist
+Author: Bernhard R. Link <brlink@debian.org>
+Info: Generate a list of files in the .orig.tar.gz
+Type: source
+Unpack-Level: 1
+Output: tarfilelist
+Order: 1