Bug#738591: lintian: Add checker for timestamped gzip files

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#738591: lintian: Add checker for timestamped gzip files
From: Tomasz Buchert <tomasz.buchert@inria.fr>
Date: Tue, 11 Feb 2014 00:56:05 +0100
Message-id: <[🔎] 20140210235605.7034.54467.reportbug@noether>
Reply-to: Tomasz Buchert <tomasz.buchert@inria.fr>, 738591@bugs.debian.org

Package: lintian
Version: 2.5.21
Severity: wishlist

Dear Maintainer,

There is an ongoing project to build reproducible deps
(see https://wiki.debian.org/ReproducibleBuilds). One of tasks
is to update lintian to emit a tag on gzips that contain timestamps.
I've written a simple checker that does exactly that and emits
"package-contains-timestamped-gzip". The patch is attached.

Please note that I'm no perl programmer and it is my first prospective
lintian contribution.

Cheers,
Tomasz



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lintian depends on:
ii  binutils                       2.24-3
ii  bzip2                          1.0.6-5
ii  diffstat                       1.58-1
ii  file                           1:5.14-2
ii  gettext                        0.18.3.2-1
ii  hardening-includes             2.5
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.29+b1
ii  libarchive-zip-perl            1.30-7
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.36-1
ii  libdpkg-perl                   1.17.6
ii  libemail-valid-perl            1.192-1
ii  libfile-basedir-perl           0.03-1
ii  libipc-run-perl                0.92-1
ii  liblist-moreutils-perl         0.33-1+b2
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtext-levenshtein-perl       0.06~01-2
ii  libtimedate-perl               2.3000-1
ii  liburi-perl                    1.60-1
ii  man-db                         2.6.6-1
ii  patchutils                     0.3.2-3
ii  perl [libdigest-sha-perl]      5.18.2-2
ii  t1utils                        1.37-2

Versions of packages lintian recommends:
pn  libperlio-gzip-perl             <none>
ii  perl-modules [libautodie-perl]  5.18.2-2

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.17.6
ii  libhtml-parser-perl    3.71-1+b1
ii  libtext-template-perl  1.46-1
ii  libyaml-perl           0.84-1
ii  xz-utils               5.1.1alpha+20120614-2

-- no debconf information

>From f389948be4631df98cbf1a140857a541b76ffe77 Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tomasz.buchert@inria.fr>
Date: Mon, 10 Feb 2014 23:53:37 +0100
Subject: [PATCH] added reproducibility checker

---
 checks/reproducibility.desc                        |  13 ++++++
 checks/reproducibility.pm                          |  51 +++++++++++++++++++++
 t/tests/reproducibility/debian/debian/control.in   |  17 +++++++
 .../debian/debian/unreproducible-pkg.install       |   1 +
 t/tests/reproducibility/debian/file                |   1 +
 .../reproducibility/debian/file-with-timestamp.gz  | Bin 0 -> 39 bytes
 .../debian/file-without-timestamp.gz               | Bin 0 -> 34 bytes
 t/tests/reproducibility/debian/prepare             |   4 ++
 t/tests/reproducibility/desc                       |   6 +++
 t/tests/reproducibility/tags                       |   1 +
 10 files changed, 94 insertions(+)
 create mode 100644 checks/reproducibility.desc
 create mode 100644 checks/reproducibility.pm
 create mode 100644 t/tests/reproducibility/debian/debian/control.in
 create mode 100644 t/tests/reproducibility/debian/debian/unreproducible-pkg.install
 create mode 100644 t/tests/reproducibility/debian/file
 create mode 100644 t/tests/reproducibility/debian/file-with-timestamp.gz
 create mode 100644 t/tests/reproducibility/debian/file-without-timestamp.gz
 create mode 100755 t/tests/reproducibility/debian/prepare
 create mode 100644 t/tests/reproducibility/desc
 create mode 100644 t/tests/reproducibility/tags

diff --git a/checks/reproducibility.desc b/checks/reproducibility.desc
new file mode 100644
index 0000000..26f390a
--- /dev/null
+++ b/checks/reproducibility.desc
@@ -0,0 +1,13 @@
+Check-Script: reproducibility
+Author: Tomasz Buchert <tomasz.buchert@inria.fr>
+Abbrev: repro
+Type: binary, udeb
+Needs-Info: index
+Info: This script checks packages for unreproducible elements.
+
+Tag: package-contains-timestamped-gzip
+Severity: normal
+Certainty: certain
+Info: The package contains a gzip'ed file that
+ has timestamps. Such files make the produced
+ packages unreproducible.
diff --git a/checks/reproducibility.pm b/checks/reproducibility.pm
new file mode 100644
index 0000000..59c13d9
--- /dev/null
+++ b/checks/reproducibility.pm
@@ -0,0 +1,51 @@
+# reproducibility -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2014 Tomasz Buchert
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::reproducibility;
+use strict;
+use warnings;
+use autodie;
+
+use Lintian::Tags qw(tag);
+
+sub run {
+    my ($pkg, undef, $info, $proc, $group) = @_;
+
+    foreach my $file ($info->sorted_index) {
+        next unless ($file->is_file);
+        my $finfo = $info->file_info($file);
+
+        if ($finfo =~ /^gzip compressed data/) {
+            if ($finfo =~ /last modified/) {
+                tag 'package-contains-timestamped-gzip', $file;
+            }
+        }
+    }
+
+    return;
+}
+
+1;
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et
diff --git a/t/tests/reproducibility/debian/debian/control.in b/t/tests/reproducibility/debian/debian/control.in
new file mode 100644
index 0000000..a7e8050
--- /dev/null
+++ b/t/tests/reproducibility/debian/debian/control.in
@@ -0,0 +1,17 @@
+Source: {$source}
+Priority: extra
+Section: devel
+Maintainer: {$author}
+Standards-Version: {$standards_version}
+Build-Depends: debhelper (>= 9)
+
+Package: unreproducible-pkg
+Architecture: all
+Depends: $\{misc:Depends\}
+Description: {$description} - gzip files
+ This is a test package designed to exercise some feature or tag of
+ Lintian.  It is part of the Lintian test suite and may do very odd
+ things.  It should not be installed like a regular package.  It may
+ be an empty package.
+ .
+ Contains a few GZIP files.
diff --git a/t/tests/reproducibility/debian/debian/unreproducible-pkg.install b/t/tests/reproducibility/debian/debian/unreproducible-pkg.install
new file mode 100644
index 0000000..15b72c1
--- /dev/null
+++ b/t/tests/reproducibility/debian/debian/unreproducible-pkg.install
@@ -0,0 +1 @@
+*.gz usr/share/pkg-with-gzips/
diff --git a/t/tests/reproducibility/debian/file b/t/tests/reproducibility/debian/file
new file mode 100644
index 0000000..96bc543
--- /dev/null
+++ b/t/tests/reproducibility/debian/file
@@ -0,0 +1 @@
+This is a text.
diff --git a/t/tests/reproducibility/debian/file-with-timestamp.gz b/t/tests/reproducibility/debian/file-with-timestamp.gz
new file mode 100644
index 0000000000000000000000000000000000000000..3d4e78818ffafb9ad11f313d0c7a7abbfde1d697
GIT binary patch
literal 39
vcmb2|=HTd#{u#u;oR*oB%D{c{giaX4BA3=lSGt63^%#WmPkj(zU|;|M2G$JF

literal 0
HcmV?d00001

diff --git a/t/tests/reproducibility/debian/file-without-timestamp.gz b/t/tests/reproducibility/debian/file-without-timestamp.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0dbd7dd9a0aa228b8af804b0fc8c304ffa6fcfd1
GIT binary patch
literal 34
lcmb2|=3oE=X6}<Gbix=GxwKBY(j{c8#~_q{>Vp7K3IL1w2=@R0

literal 0
HcmV?d00001

diff --git a/t/tests/reproducibility/debian/prepare b/t/tests/reproducibility/debian/prepare
new file mode 100755
index 0000000..a0feb41
--- /dev/null
+++ b/t/tests/reproducibility/debian/prepare
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+gzip file -c > file-with-timestamp.gz
+gzip file -nc > file-without-timestamp.gz
diff --git a/t/tests/reproducibility/desc b/t/tests/reproducibility/desc
new file mode 100644
index 0000000..f0e18bd
--- /dev/null
+++ b/t/tests/reproducibility/desc
@@ -0,0 +1,6 @@
+Testname: reproducibility
+Sequence: 6000
+Version: 1.0
+Description: Test if package is reproducible
+Test-For:
+ package-contains-timestamped-gzip
diff --git a/t/tests/reproducibility/tags b/t/tests/reproducibility/tags
new file mode 100644
index 0000000..3afb943
--- /dev/null
+++ b/t/tests/reproducibility/tags
@@ -0,0 +1 @@
+W: unreproducible-pkg: package-contains-timestamped-gzip usr/share/pkg-with-gzips/file-with-timestamp.gz
-- 
1.8.5.3

Reply to:

Follow-Ups:
- Bug#738591: lintian: Add checker for timestamped gzip files
  - From: Jakub Wilk <jwilk@debian.org>

Prev by Date: [lintian] branch master updated (52bf926 -> 8bf359c)
Next by Date: Bug#738591: lintian: Add checker for timestamped gzip files
Previous by thread: [lintian] 01/01: d/.../embedded-libs: Change libpostproc to source-regex
Next by thread: Bug#738591: lintian: Add checker for timestamped gzip files
Index(es):
- Date
- Thread