--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lintian: Add checker for timestamped gzip files
- From: Tomasz Buchert <tomasz.buchert@inria.fr>
- Date: Tue, 11 Feb 2014 00:56:05 +0100
- Message-id: <20140210235605.7034.54467.reportbug@noether>
Package: lintian
Version: 2.5.21
Severity: wishlist
Dear Maintainer,
There is an ongoing project to build reproducible deps
(see https://wiki.debian.org/ReproducibleBuilds). One of the tasks
is to update lintian to emit a tag on gzips that contain timestamps.
I've written a simple checker that does exactly that and emits
"package-contains-timestamped-gzip". The patch is attached.
Please note that I'm no perl programmer and it is my first prospective
lintian contribution.
Cheers,
Tomasz
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lintian depends on:
ii binutils 2.24-3
ii bzip2 1.0.6-5
ii diffstat 1.58-1
ii file 1:5.14-2
ii gettext 0.18.3.2-1
ii hardening-includes 2.5
ii intltool-debian 0.35.0+20060710.1
ii libapt-pkg-perl 0.1.29+b1
ii libarchive-zip-perl 1.30-7
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.36-1
ii libdpkg-perl 1.17.6
ii libemail-valid-perl 1.192-1
ii libfile-basedir-perl 0.03-1
ii libipc-run-perl 0.92-1
ii liblist-moreutils-perl 0.33-1+b2
ii libparse-debianchangelog-perl 1.2.0-1
ii libtext-levenshtein-perl 0.06~01-2
ii libtimedate-perl 2.3000-1
ii liburi-perl 1.60-1
ii man-db 2.6.6-1
ii patchutils 0.3.2-3
ii perl [libdigest-sha-perl] 5.18.2-2
ii t1utils 1.37-2
Versions of packages lintian recommends:
pn libperlio-gzip-perl <none>
ii perl-modules [libautodie-perl] 5.18.2-2
Versions of packages lintian suggests:
pn binutils-multiarch <none>
ii dpkg-dev 1.17.6
ii libhtml-parser-perl 3.71-1+b1
ii libtext-template-perl 1.46-1
ii libyaml-perl 0.84-1
ii xz-utils 5.1.1alpha+20120614-2
-- no debconf information
>From f389948be4631df98cbf1a140857a541b76ffe77 Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tomasz.buchert@inria.fr>
Date: Mon, 10 Feb 2014 23:53:37 +0100
Subject: [PATCH] added reproducibility checker
---
checks/reproducibility.desc | 13 ++++++
checks/reproducibility.pm | 51 +++++++++++++++++++++
t/tests/reproducibility/debian/debian/control.in | 17 +++++++
.../debian/debian/unreproducible-pkg.install | 1 +
t/tests/reproducibility/debian/file | 1 +
.../reproducibility/debian/file-with-timestamp.gz | Bin 0 -> 39 bytes
.../debian/file-without-timestamp.gz | Bin 0 -> 34 bytes
t/tests/reproducibility/debian/prepare | 4 ++
t/tests/reproducibility/desc | 6 +++
t/tests/reproducibility/tags | 1 +
10 files changed, 94 insertions(+)
create mode 100644 checks/reproducibility.desc
create mode 100644 checks/reproducibility.pm
create mode 100644 t/tests/reproducibility/debian/debian/control.in
create mode 100644 t/tests/reproducibility/debian/debian/unreproducible-pkg.install
create mode 100644 t/tests/reproducibility/debian/file
create mode 100644 t/tests/reproducibility/debian/file-with-timestamp.gz
create mode 100644 t/tests/reproducibility/debian/file-without-timestamp.gz
create mode 100755 t/tests/reproducibility/debian/prepare
create mode 100644 t/tests/reproducibility/desc
create mode 100644 t/tests/reproducibility/tags
diff --git a/checks/reproducibility.desc b/checks/reproducibility.desc
new file mode 100644
index 0000000..26f390a
--- /dev/null
+++ b/checks/reproducibility.desc
@@ -0,0 +1,13 @@
+Check-Script: reproducibility
+Author: Tomasz Buchert <tomasz.buchert@inria.fr>
+Abbrev: repro
+Type: binary, udeb
+Needs-Info: index
+Info: This script checks packages for unreproducible elements.
+
+Tag: package-contains-timestamped-gzip
+Severity: normal
+Certainty: certain
+Info: The package contains a gzip'ed file that
+ has timestamps. Such files make the produced
+ packages unreproducible.
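Review bot: `Needs-Info: index` in this .desc does not cover everything the check reads. checks/reproducibility.pm also calls `$info->file_info($file)`, so the collection that provides file_info (file-info in lintian) should be listed alongside index. The tag's Info text would also serve maintainers better if it named the fix that the test's prepare script already uses, `gzip -n`.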
diff --git a/checks/reproducibility.pm b/checks/reproducibility.pm
new file mode 100644
index 0000000..59c13d9
--- /dev/null
+++ b/checks/reproducibility.pm
@@ -0,0 +1,51 @@
+# reproducibility -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2014 Tomasz Buchert
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::reproducibility;
+use strict;
+use warnings;
+use autodie;
+
+use Lintian::Tags qw(tag);
+
+sub run {
+ my ($pkg, undef, $info, $proc, $group) = @_;
+
+ foreach my $file ($info->sorted_index) {
+ next unless ($file->is_file);
+ my $finfo = $info->file_info($file);
+
+ if ($finfo =~ /^gzip compressed data/) {
+ if ($finfo =~ /last modified/) {
+ tag 'package-contains-timestamped-gzip', $file;
+ }
+ }
+ }
+
+ return;
+}
+
+1;
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et
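Review bot: The test `$finfo =~ /last modified/` in `run` is unanchored, so it fires on those words anywhere in the file_info string rather than only in a timestamp field, and the check silently depends on the exact wording of that string. Consider matching the field more tightly (for example together with its leading separator) and folding the two nested `if`s into a single condition. `$pkg`, `$proc` and `$group` are unpacked but never used; replace them with `undef`, as is already done for the second argument.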
diff --git a/t/tests/reproducibility/debian/debian/control.in b/t/tests/reproducibility/debian/debian/control.in
new file mode 100644
index 0000000..a7e8050
--- /dev/null
+++ b/t/tests/reproducibility/debian/debian/control.in
@@ -0,0 +1,17 @@
+Source: {$source}
+Priority: extra
+Section: devel
+Maintainer: {$author}
+Standards-Version: {$standards_version}
+Build-Depends: debhelper (>= 9)
+
+Package: unreproducible-pkg
+Architecture: all
+Depends: $\{misc:Depends\}
+Description: {$description} - gzip files
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package. It may
+ be an empty package.
+ .
+ Contains a few GZIP files.
diff --git a/t/tests/reproducibility/debian/debian/unreproducible-pkg.install b/t/tests/reproducibility/debian/debian/unreproducible-pkg.install
new file mode 100644
index 0000000..15b72c1
--- /dev/null
+++ b/t/tests/reproducibility/debian/debian/unreproducible-pkg.install
@@ -0,0 +1 @@
+*.gz usr/share/pkg-with-gzips/
diff --git a/t/tests/reproducibility/debian/file b/t/tests/reproducibility/debian/file
new file mode 100644
index 0000000..96bc543
--- /dev/null
+++ b/t/tests/reproducibility/debian/file
@@ -0,0 +1 @@
+This is a text.
diff --git a/t/tests/reproducibility/debian/file-with-timestamp.gz b/t/tests/reproducibility/debian/file-with-timestamp.gz
new file mode 100644
index 0000000000000000000000000000000000000000..3d4e78818ffafb9ad11f313d0c7a7abbfde1d697
GIT binary patch
literal 39
vcmb2|=HTd#{u#u;oR*oB%D{c{giaX4BA3=lSGt63^%#WmPkj(zU|;|M2G$JF
literal 0
HcmV?d00001
diff --git a/t/tests/reproducibility/debian/file-without-timestamp.gz b/t/tests/reproducibility/debian/file-without-timestamp.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0dbd7dd9a0aa228b8af804b0fc8c304ffa6fcfd1
GIT binary patch
literal 34
lcmb2|=3oE=X6}<Gbix=GxwKBY(j{c8#~_q{>Vp7K3IL1w2=@R0
literal 0
HcmV?d00001
diff --git a/t/tests/reproducibility/debian/prepare b/t/tests/reproducibility/debian/prepare
new file mode 100755
index 0000000..a0feb41
--- /dev/null
+++ b/t/tests/reproducibility/debian/prepare
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+gzip file -c > file-with-timestamp.gz
+gzip file -nc > file-without-timestamp.gz
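Review bot: The prepare script regenerates file-with-timestamp.gz and file-without-timestamp.gz, yet both are also committed as binary blobs in this patch. Keep one source of truth, preferably the script, and drop the binaries. In the script itself, `gzip file -c` puts the option after the operand, which relies on option permutation; write `gzip -c file` and `gzip -nc file`, and add `set -e` so that a failing gzip fails the test setup.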
diff --git a/t/tests/reproducibility/desc b/t/tests/reproducibility/desc
new file mode 100644
index 0000000..f0e18bd
--- /dev/null
+++ b/t/tests/reproducibility/desc
@@ -0,0 +1,6 @@
+Testname: reproducibility
+Sequence: 6000
+Version: 1.0
+Description: Test if package is reproducible
+Test-For:
+ package-contains-timestamped-gzip
diff --git a/t/tests/reproducibility/tags b/t/tests/reproducibility/tags
new file mode 100644
index 0000000..3afb943
--- /dev/null
+++ b/t/tests/reproducibility/tags
@@ -0,0 +1 @@
+W: unreproducible-pkg: package-contains-timestamped-gzip usr/share/pkg-with-gzips/file-with-timestamp.gz
--
1.8.5.3
--- End Message ---
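
The check requested above, as an added example that is not part of the submitted patch or of lintian: it reads the MTIME field of the gzip header (RFC 1952) directly instead of matching the text reported for the file. The function names, the sample timestamp and the sample payload are assumptions constructed for illustration; the paths mirror the test package in the patch.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
FNAME = 0x08  # FLG bit: original file name is stored in the header


def gzip_header_info(data: bytes):
    """Return (mtime, has_fname) for the first gzip member, or None when
    data is not a gzip stream or is shorter than the fixed 10-byte header."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        return None
    # Fixed header: ID1 ID2 | CM FLG MTIME(4 bytes, little-endian) XFL OS
    _cm, flg, mtime, _xfl, _os = struct.unpack("<BBIBB", data[2:10])
    return mtime, bool(flg & FNAME)


def is_timestamped(data: bytes) -> bool:
    """True when the gzip header carries a non-zero MTIME (gzip -n writes 0)."""
    info = gzip_header_info(data)
    return info is not None and info[0] != 0


def scan(files):
    """files maps path -> content bytes; return the paths that would be tagged."""
    return sorted(path for path, data in files.items() if is_timestamped(data))


def sample_files():
    """Constructed sample input: one timestamped gzip, one clean, one plain file."""
    payload = b"This is a text.\n"
    base = "usr/share/pkg-with-gzips/"
    return {
        base + "file-with-timestamp.gz": gzip.compress(payload, mtime=1392076417),
        base + "file-without-timestamp.gz": gzip.compress(payload, mtime=0),
        base + "file": payload,
    }


def header_with_name():
    """Constructed header only: FNAME flag set, MTIME zero, name 'file'."""
    return GZIP_MAGIC + b"\x08\x08" + struct.pack("<I", 0) + b"\x00\x03file\x00"


if __name__ == "__main__":
    for path in scan(sample_files()):
        print("package-contains-timestamped-gzip", path)
```

The stored original file name (FNAME) is reported separately because it is a second header field that `gzip -n` omits.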
--- Begin Message ---
Source: lintian
Source-Version: 2.5.26
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 738591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 06 Sep 2014 10:44:36 +0200
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.26
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
lintian - Debian package checker
Closes: 656801 732225 733659 733733 738591 740161 747248 748452 748688 752540 754738 755266 755275 755902 756301 756643 756940 757383 757398 757551 757583 757615 757802 757921 758236 758891 759726
Changes:
lintian (2.5.26) unstable; urgency=medium
.
* Summary of tag changes:
+ Added:
- backports-changes-missing
- backports-upload-has-incorrect-version-number
- debian-upstream-obsolete-path
- description-is-pkg-name
- description-too-short
- desktop-mime-but-no-exec-code
- empty-short-license-in-dep5-copyright
- file-without-copyright-information
- invalid-escape-sequence-in-dep5-copyright
- invalid-short-name-in-dep5-copyright
- license-problem-bad-php-license
- license-problem-php-license
- license-problem-undefined-license
- no-dep5-copyright
- package-contains-timestamped-gzip
- pipe-symbol-used-as-license-disjunction
- privacy-breach-may-use-debian-package
- source-contains-autogenerated-visual-c++-file
- space-in-std-shortname-in-dep5-copyright
- unused-file-paragraph-in-dep5-copyright
- wildcard-matches-nothing-in-dep5-copyright
+ Removed:
- copyright-refers-to-bad-php-license
- copyright-refers-to-problematic-php-license
.
* checks/binaries.{desc,pm}:
+ [NT] Apply patch from Damyan Ivanov to handle the new
Perl5 library path location.
* checks/changes-file.{desc,pm}:
+ [BR] Add patch from Ivo De Decker, add check for
backports changes file. (Closes: #732225).
+ [BR] Apply patch from Tomasz Buchert, add check for
timestamped gzip files. (Closes: #738591).
* checks/cruft.{desc,pm}:
+ [BR] Use license checking framework for checking php license.
(Closes: #752540).
+ [BR] Add a pedantic tag for autogenerated file made by Visual
C++.
+ [BR] Fix another false positive for gfdl invariants in
php-elisp, doc-linux-fr and in clisp.
+ [BR] Detect old path for upstream metadata.
* checks/description.{desc,pm}:
+ [SL] Check for one word short description. (Closes: #756643).
+ [SL] Check if the short description is the same as the
package name. (Closes: #757398).
* checks/fields.pm:
+ [NT] Apply patch from Salvatore Bonaccorso to recommend the
new cgit URLs for anonscm.debian.org over the webgit URLs.
(Closes: #756940)
* checks/files.pm:
+ [BR] Fix false positive in detection of cross arch pkgconfig.
(Closes: #755902).
+ [BR] Detect privacy breach fixable by using existing debian
package.
+ [BR] Whitelist <link rel="generator-home"...> in privacy breach
checker.
+ [NT] Apply patch from Damyan Ivanov to handle the new
Perl5 library path location. (Closes: #757921)
* checks/init.d.pm:
+ [NT] Allow usage of /lib/init/init-d-scripts as alternative to
implementing init.d targets in the script itself. Thanks to
Yaroslav Halchenko for the report. (Closes: #758236)
* checks/menu-format.pm:
+ [BR] Add new desktop keys files. Move key list to data.
(Closes: #755266).
+ [NT] Apply patch from Niklas Fiekas to check for desktop files
with MimeType-field but no format code in the Exec-field.
(Closes: #757383)
* checks/phppear.pm:
+ [BR] Fix a false positive for
missing-pkg-php-tools-addon phpcomposer, thanks to
David Prévot (Closes: #754738).
* checks/source-copyright.{desc,pm}:
+ [BR] Add a pedantic warning about non dep-5 debian/copyright.
+ [BR] Detect empty required fields. (Closes: #748452, #656801).
+ [BR] Detect undefined license. (Closes: #733659).
+ [BR] Apply patch from Johannes Schauer in order
to warn if the pipe symbol is used in license.
(Closes: #757583).
+ [BR] Apply patch from Johannes Schauer in order to
check if DEP-5 debian/copyright covers all files
in the unpacked sources. (Closes: #757551).
+ [BR] Detect bad short name and space in license.
Thanks to Clint Adams and Johannes Schauer.
(Closes: #747248, #757615).
+ [BR] Avoid to raise file-without-copyright-information
for .pc directory.
* checks/systemd.pm:
+ [NT] Allow usage of /lib/init/init-d-scripts as alternative to
sourcing /lib/lsb/init-functions.
* checks/testsuite.desc:
+ [BR] Update ref url. (Closes: #755275).
.
* data:
+ [NT] Refresh several data files against sid.
* data/cruft/gfdl-license-fragments-checks:
+ [BR] Add tla false positive for gfdl license text.
* data/cruft/non-distributable-files:
+ [BR] Detect play boy Lenna test image.
* data/cruft/non-free-files:
+ [BR] Add non free icc profile HP5000_UVDuraImageGlossMaxQ.icc
from nips2 package.
* data/cruft/warn-file-type:
+ [BR] Add debug source suffix for detecting javascript
source-is-missing and improve test suite. Fix a
false positive in mono and in jenkin.
* data/debhelper/dh_commands:
+ [BR] Add patch from Piotr Ożarowski, dh-python2
moved to dh-python package (Closes: #740161).
* data/debhelper/dh_commands-manual:
+ [JW] Add dh_apache2 relations to avoid a false-positive.
Thanks to Axel Beckert for reporting the issue.
(Closes: #748688)
+ [NT] Add ":any" to all python related dependencies. Thanks
to Matthias Klose for reporting the issue. (Closes: #733733)
* data/debhelper/*:
+ [NT] Refresh against sid. Thanks to Christian Marillat for
reporting the out of date data. (Closes: #758891)
* data/fields/obsolete-packages:
+ [NT] Add ruby1.9.1, ruby1.9.1-dev and libruby1.9.1 per
request of the Ruby team.
* data/files/js-libraries:
+ [BR] Apply patch from Paul Wise for detection of
libjs-excanvas.
* data/files/privacy-breaker-website:
+ [BR] Improve detection of sourceforge logos.
+ [BR] Detect libjs-jquery use.
+ [BR] Detect libjs-mathjax use.
+ [BR] Add count.digitalpoint.com to statistics website.
+ [BR] Add xoom.com to privacy-breach-donation (used by
freesci-doc package).
+ [BR] Detect libjs-jquery-ui use.
+ [BR] Detect pledgie.com as a donation website.
* data/source-copyright/bad-short-licenses:
+ [BR] Add unspecified and - as bad license.
+ [BR] Detect some invalid short name. Thanks to
Johannes Schauer.
.
* debian/control:
+ [NT] Update recommendation on libautodie-perl to
include perl 5.20 as alternative.
* debian/rules:
+ [NT] Gracefully handle the case where there are no
translations of tag descriptions.
.
* doc/tutorial/Lintian/Tutorial/WritingChecks.pod:
+ [NT] Correct tutorial now that the "index" collection
is gone.
.
* lib/Lintian/Internal/FrontendUtil.pm:
+ [NT] Ignore set, but empty locale environment variables.
Thanks to Michael Prokop for the report. (Closes: #759726)
.
* reporting/{config,html_reports}:
+ [NT] Add support for copying the documentation rather than
symlinking to it. Thanks to Nicolas Sévelin-Radiguet for
reporting the issue. (Closes: #756301)
.
* t:
+ [BR] Fix FTBFS on !amd64. (Closes: #757802).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---