Bug#697164: [new check] check for source packages with symlinks pointing outside
Hi Paul,
Thanks for the bug report.
* Paul Wise <pabs@debian.org>, 2013-01-02, 09:50:
> dpkg-source is not able (#645157) to properly handle source packages
> with relative/absolute symlinks that point outside of the package. It
> would be good if lintian could detect this situation and give an error.
> lintian should check both the orig.tar and the debian.tar. Since Debian
> source packages need to be self-contained, this should be an autoreject
> that cannot be overridden. If you need an example package, there is one
> at the URLs below. I discovered it during my work on the Debian
> derivatives census.
> http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc
> http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc
Lintian already checks if the debian/ directory itself is a symlink pointing
outside the source package:
$ lintian exe_1.04.1.3602-boss1.dsc
internal error: cannot resolve debian directory symlink in exe: No such file or directory at /usr/share/perl5/Lintian/Util.pm line 846.
warning: collect info debfiles about package exe failed
warning: skipping check of source package exe
As for banning all such symlinks, I'm not sure it's a good idea. I
happen to maintain a package which contains one (lintian4python), and I
think it's a valid use-case. Feel free to convince me otherwise, though.
:)
--
Jakub Wilk
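
The check requested in this report, sketched as an added example that is not part of the original message and is not lintian's code: it lists the symlinks in a tarball whose targets are absolute or climb above the package root. The function names, the `strip` parameter and the sample entries are hypothetical and constructed for illustration.

```python
import io
import posixpath
import tarfile

def escaping_symlinks(tar, strip=1):
    """Return (member, target) pairs for symlinks that resolve outside the root.

    strip = number of leading path components that form the package root:
    1 for a tarball with one top-level directory, 0 when member names are
    already relative to the root. Both conventions are assumptions here.
    """
    found = []
    for member in tar.getmembers():
        if not member.issym():
            continue
        target = member.linkname
        if posixpath.isabs(target):
            found.append((member.name, target))  # absolute: never self-contained
            continue
        parts = posixpath.normpath(member.name).split("/")[strip:]
        # Lexical resolution relative to the link's own directory. Links that
        # pass through another symlinked directory are not followed.
        resolved = posixpath.normpath(posixpath.join("/".join(parts[:-1]), target))
        if resolved == ".." or resolved.startswith("../"):
            found.append((member.name, target))
    return found

# Constructed sample entries (member name, link target); not from any real package.
SAMPLE_LINKS = [
    ("pkg-1.0/docs/README", "../README"),          # stays inside pkg-1.0/
    ("pkg-1.0/data/shared", "../../common/data"),  # climbs above pkg-1.0/
    ("pkg-1.0/abs", "/usr/share/common"),          # absolute target
]

def build_sample(links=SAMPLE_LINKS):
    """Build an in-memory tarball containing only the given symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in links:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

if __name__ == "__main__":
    for name, target in escaping_symlinks(build_sample()):
        print(f"{name} -> {target}")
```

Whether a reported link should be an error or an accepted use-case is a policy decision outside this sketch; it only identifies the candidates.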