
Bug#471537: check for repackaged .orig.tar.gz



package: lintian
severity: wishlist

It would be nice if lintian could warn against repackaged .orig.tar.gz,
and sources repackaged in non-recommended ways.

Attached is a patch that at least seems to detect dh_make's
--createorig usage properly. As both my English language skills and my Perl
skills could be better, I'm not setting the patch tag.

Hochachtungsvoll,
	Bernhard R. Link
Index: checks/upstreamtar.desc
===================================================================
--- checks/upstreamtar.desc	(Revision 0)
+++ checks/upstreamtar.desc	(Revision 0)
@@ -0,0 +1,52 @@
+Check-Script: upstreamtar
+Author: Bernhard R. Link <brlink@debian.org>
+Type: source
+Unpack-Level: 2
+Info: This checks for a unadvertised upstream tar.
+Needs-Info: tarfilelist, debfiles, copyright-file
+Abbrev: tar
+
+Tag: repackaged-source-not-advertised
+Type: warning
+Info: The .orig.tar.gz file looks repackaged, but there was found not hint
+ about this in debian/copyright.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ If you repackaged the upstream source on purpose, please inform the
+ users in debian/copyright how and why. (This test looks for the phrase
+ "repackaged" there).
+ .
+ Legitimate reasons for repackaging are: Upstream not releasing a .tar
+ file; upstream's tarball contains non-DFSG-free material or upstream's
+ tarball is huge compared to the used parts.
+ .
+ You do not need to repackage only because upstream's tarball has the
+ no top-level directory (dpkg-source can handle that) or only bacause
+ upstream's tarball uses a different compression algorithm (you can
+ just uncompress and gzip without touching the tarball).
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+ .
+ Note that an .orig.tar.gz already in the archive cannot be changed,
+ so the best way to deal with this when this is not the first upload
+ of this upstream version is to note in debian/copyright that it
+ was repackaged by mistake and that the contents are the same (or how
+ they differ).
+
+Tag: repackaged-source-without-get-orig-source
+Type: info
+Info: The .orig.tar.gz file looks repackaged, but there is no
+ get-orig-source target in debian/rules.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+
+Tag: empty-upstream-source
+Type: error
+Info: The .orig.tar.gz file is empty.
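Review bot: `Needs-Info` lists `copyright-file`, but the check script added in this patch reads only fields/version, tarfilelist, debfiles/copyright and debfiles/rules, so that dependency looks unneeded and `Needs-Info: tarfilelist, debfiles` would probably do. The tag descriptions are shown to users and have a few slips worth fixing before merge: `there was found not hint` should read `no hint about this was found`, `futher` is `further`, `bacause` is `because`, and `has the no top-level directory` should drop `the`. The first description also promises that the test looks for the phrase "repackaged"; the match in checks/upstreamtar is case-sensitive, so either say so here or make the match case-insensitive there.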
Index: checks/upstreamtar
===================================================================
--- checks/upstreamtar	(Revision 0)
+++ checks/upstreamtar	(Revision 0)
@@ -0,0 +1,141 @@
+# upstreamtar -- lintian check script -*- perl -*-
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::upstreamtar;
+use strict;
+
+use Dep;
+use Tags;
+use Util;
+
+use Cwd;
+use File::Find;
+use File::Basename;
+
+my $pkg;
+
+sub run {
+
+	$pkg = shift;
+	my $type = shift;
+
+	open (VERSION, '<', "fields/version")
+		or fail("cannot open fields/version: $!");
+	chomp(my $version = <VERSION>);
+	close VERSION;
+
+	(@_ = _valid_version($version)) or exit 0;
+	my ($epoch, $upstream, $debian) = @_;
+
+	unless (defined $debian) {return 1};
+
+# TODO: try to extract guess upstream version to see if anything
+# like ds dfsg was added and warn if .orig.tar does not contain a
+# package.orig directory then later.
+
+	my $repackaged = check_repackaged($pkg, $upstream);
+
+	unless( defined($repackaged) ) {
+		return 1;
+	}
+
+# check contents of copyright file
+
+	if ($repackaged && read_copyright_file() !~ m,repackaged,) {
+		tag "repackaged-source-not-advertised";
+	}
+
+	if (-l "debfiles/rules") {
+		return 1 unless -f "debfiles/rules";
+	}
+
+	my $has_get_orig_source = check_get_orig_source();
+
+	if ($repackaged && !$has_get_orig_source ) {
+		tag "repackaged-source-without-get-orig-source";
+	}
+
+	return 1;
+} # </run>
+
+# -----------------------------------
+
+sub read_copyright_file {
+	open(IN, '<', "debfiles/copyright") or fail("cannot open copyright file copyright: $!");
+# gulp whole file
+	local $/ = undef;
+	$_ = <IN>;
+	close(IN);
+	return $_;
+}
+
+sub check_get_orig_source {
+	open(IN, '<', 'debfiles/rules') or fail("Failed opening rules: $!");
+	while( <IN> ) {
+		if (/^get-orig-source:/) {
+			return 1;
+		}
+		# Assume get-orig-source is in some included file, if it is
+		# marked as phony
+		if (/^.PHONY: .* get-orig-source\b/) {
+			return 1;
+		}
+	}
+	close(IN);
+	return 0;
+}
+
+# Check if the .orig.tar.gz contaisn 
+sub check_repackaged {
+	my ($pkg, $upstream) = @_;
+	my $repackaged = undef;
+
+	open(LIST, '<', "tarfilelist") or return undef;
+	local $_;
+	while (<LIST>) {
+		s,^\./,,;
+		next if /^$/;
+		if ($_ =~ m(^$pkg[^/]*\.orig/)) {
+			$repackaged = 1;
+		} else {
+			$repackaged = 0;
+		}
+		last;
+	}
+	close(LIST) or fail("error reading tarfilelist file: $!");
+	unless (defined($repackaged)) {
+		tag "empty-upstream-source";
+	}
+	return $repackaged;
+}
+
+sub _valid_version {
+	my $ver = shift;
+
+# epoch check means nothing here... This check is only useful to detect
+# weird characters in version (and to get the debian revision)
+	if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+		return ($1, $2, $3);
+	} else {
+		return ();
+	}
+}
+
+
+1;
+# vim: syntax=perl sw=4 ts=4 noet shiftround
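Review bot: In check_repackaged, `$pkg` is interpolated unescaped into `m(^$pkg[^/]*\.orig/)`, so a source package name containing `+` or `.` (both legal in Debian package names) is read as regex syntax and the match can be wrong, or on older perls the pattern may not compile; `m(^\Q$pkg\E[^/]*\.orig/)` matches the name literally. In run(), the `-l`/`-f` guard is applied to debfiles/rules only, while read_copyright_file opens debfiles/copyright unconditionally and calls fail() on error, so a dangling debian/copyright symlink in the package being checked becomes an internal error instead of a skipped check; the same guard before reading would avoid that. `(@_ = _valid_version($version)) or exit 0;` looks carried over from the collection script; if checks run inside the lintian process, `return 1` is probably what is meant.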
Index: collection/tarfilelist
===================================================================
--- collection/tarfilelist	(Revision 0)
+++ collection/tarfilelist	(Revision 0)
@@ -0,0 +1,85 @@
+#!/usr/bin/perl -w
+# tarfilelist -- lintian collection script for source packages
+
+# Copyright (C) 2008 Bernhard R. Link
+# based on diffstat, which is:
+# Copyright (C) 1998 Richard Braakman
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+use strict;
+
+my $LINTIAN_ROOT = $ENV{'LINTIAN_ROOT'} || '/usr/share/lintian';
+
+($#ARGV == 1) or fail("syntax: tarfilelist <pkg>");
+my $pkg = shift;
+
+-f "fields/version" or fail("tarfilelist invoked in wrong directory");
+
+open (V, '<', "fields/version") or fail("cannot open fields/version: $!");
+my $ver = <V>; chomp $ver;
+close V;
+
+(@_ = _valid_version($ver)) or exit 0;
+my ($epoch, $upstream, $debian) = @_;
+unless (defined($debian)) {
+       exit 0
+}
+
+my $tar_file = "${pkg}_${upstream}.orig.tar.gz";
+unless (-f $tar_file ) {
+	$tar_file = "${pkg}_${upstream}.orig.tar.bz2";
+}
+unless (-f $tar_file ) {
+	$tar_file = "${pkg}_${upstream}.orig.tar.lzma";
+}
+unless (-f $tar_file) {
+	exit 0;
+}
+
+use lib "$ENV{'LINTIAN_ROOT'}/lib";
+use Pipeline;
+pipeline((sub { exec('tar', '-tf', $tar_file); }),
+         "tarfilelist"
+        );
+
+exit 0;
+
+# -----------------------------------
+
+sub fail {
+    if ($_[0]) {
+        print STDERR "internal error: $_[0]\n";
+    } elsif ($!) {
+        print STDERR "internal error: $!\n";
+    } else {
+        print STDERR "internal error.\n";
+    }
+    exit 1;
+}
+
+sub _valid_version {
+	my $ver = shift;
+
+	# epoch check means nothing here... This check is only useful to detect
+	# weird characters in version (and to get the debian revision)
+	if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+		return ($1, $2, $3);
+	} else {
+		return ();
+	}
+}
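Review bot: `$LINTIAN_ROOT` is given a fallback of `/usr/share/lintian` but is never used; `use lib "$ENV{'LINTIAN_ROOT'}/lib";` reads the environment directly, and because `use lib` runs at compile time the module path becomes `/lib` whenever the variable is unset. Putting the fallback in the `use lib` expression, e.g. `use lib (($ENV{'LINTIAN_ROOT'} || '/usr/share/lintian') . '/lib');`, keeps `use Pipeline` resolving to the intended directory. The argument check `($#ARGV == 1)` requires exactly two arguments while the message says `syntax: tarfilelist <pkg>`; the message should name the second argument (presumably the package type) so a wrong invocation is diagnosable.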

Eigenschaftsänderungen: collection/tarfilelist
___________________________________________________________________
Name: svn:executable
   + *

Index: collection/tarfilelist.desc
===================================================================
--- collection/tarfilelist.desc	(Revision 0)
+++ collection/tarfilelist.desc	(Revision 0)
@@ -0,0 +1,7 @@
+Collector-Script: tarfilelist
+Author: Bernhard R. Link <brlink@debian.org>
+Info: Generate a list of files in the .orig.tar.gz
+Type: source
+Unpack-Level: 1
+Output: tarfilelist
+Order: 1
