The Lintian 2.5.2 release and starting on 2.5.3
Hi,

Table of contents :)

- The 2.5.2 upload
- Bits from the Lintian Maintainers
- Goals for 2.5.3

The 2.5.2 upload
================
As you have probably noticed, I uploaded Lintian 2.5.2. As you may also
have noticed, there was a minor security issue in Lintian 2.4.3 and
2.5.1, caused by lintian following symlinks it should not have followed.
I have already (silently) fixed lintian.debian.org and provided all
known "lintian.d.o"-like instances with patches. I know some of you are
already aware of this, but for the sake of transparency, I am
mentioning/repeating it here.

Furthermore, I have requested a stable upload for 2.4.3, since the
security team was not interested in a security upload[1], and Tolimar
told me he was planning to do the squeeze-backport of 2.5.2 tomorrow.

To avoid security issues like this in the future, I suggest
we do a level of "indirection" when accessing actual files in the
package. There is a standing "TODO" to make the
Lintian::Collect[::$type]::index-like methods return an object.

The exact design is still a bit fuzzy, but the idea would be to use
index to obtain a Lintian::Path object. Via this object, the check
could request the underlying file/dir. The object can then validate
whether the file it is pointing to is "sane" and choke if not.

If this is done properly, we are looking at a worst-case scenario of
Lintian stopping half-way through the processing with an error rather
than disclosing info about the host system.

[1] I spoke to them at DebConf11 and also got it in a private email.

Bits from the Lintian Maintainers
=================================
The last time we did one of those was when we broke a lot of overrides. I
think it might be a good time to do a new one now, especially considering
some of the new features we have picked up since.

I will try to prepare a draft one of the following days. Feel free to
suggest topics we should cover, else it will consist entirely of what I
can think of.

Goals for 2.5.3
===============
I have gathered a list of things I would like to see in the coming Lintian
release. Once again, feel free to suggest other things:

- Check for obsolete perl modules #636994
  - they need this "soon" if it is to be useful to them
- Make ancient-standards-version check deterministic
  - (e.g. no use of time())
- Make a lintian-harness frontend
  - I heard Ubuntu is interested in doing a lintian.u.com, so
    perhaps we can use this opportunity to make a proper tool
    out of reporting/*
  - this implies making the html output easily "re-brandable"
    (not sure of the state here).
- Write a "README.developers" to help potential contributors.
- The Lintian::Path Class/Object (see "The 2.5.2 upload")
- Vendor profiles improvements:
  - tell when we ignore overrides (for non-overridable tags)
  - check profiles for unknown fields (catches typos in fields)
- finally get rid of unpack/
  - we are down to list-binpkg and list-srcpkg.

~Niels
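
One way the path indirection described in the message could work, as an added example that is not part of the original mail and not Lintian's code: an object built from the unpack root and an index entry name hands out the on-disk path only if it resolves, with symlinks followed, inside the unpacked tree. The SafePath package, its fs_path method and the sample tree are assumptions made for the illustration.

```perl
# Added illustration. SafePath and fs_path are hypothetical names,
# not Lintian's API.
package SafePath;
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# $root: directory the package was unpacked into.
# $name: entry name taken from the package index (untrusted input).
sub new {
    my ($class, $root, $name) = @_;
    my $real_root = realpath($root);
    die "cannot resolve unpack root $root\n" unless defined $real_root;
    return bless { root => $real_root, name => $name }, $class;
}

# Return the on-disk path of the entry. Dies if resolving it, with
# every symlink followed, ends up outside the unpack root.
sub fs_path {
    my ($self) = @_;
    my ($root, $name) = @{$self}{qw(root name)};
    my $real = realpath(File::Spec->catfile($root, $name));
    die "$name: cannot be resolved\n" unless defined $real;
    die "$name: resolves outside the unpacked package\n"
        unless $real eq $root || index($real, "$root/") == 0;
    return $real;
}

package main;
use File::Temp qw(tempdir);

# Constructed sample: an unpacked tree holding one regular file and one
# symlink that points at a file elsewhere on the host.
my $host = tempdir(CLEANUP => 1);
my $root = tempdir(CLEANUP => 1);
for my $file ("$host/secret", "$root/changelog") {
    open(my $fh, '>', $file) or die "$file: $!\n";
    close($fh);
}
symlink("$host/secret", "$root/link") or die "symlink: $!\n";

for my $name (qw(changelog link)) {
    my $path = eval { SafePath->new($root, $name)->fs_path };
    print defined $path ? "ok: $name\n" : "refused: $@";
}
```

A check should open the path that fs_path returns rather than rebuilding it from the entry name, so the validated path is the one that gets read.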