Bug#776267: lintian: Add check for unsupported PyPI URL in debian/watch

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#776267: lintian: Add check for unsupported PyPI URL in debian/watch
From: James McCoy <jamessan@debian.org>
Date: Sun, 25 Jan 2015 22:19:59 -0500
Message-id: <[🔎] 20150126031959.11784.42940.reportbug@freya.jamessan.com>
Reply-to: James McCoy <jamessan@debian.org>, 776267@bugs.debian.org

Package: lintian
Version: 2.5.30+deb8u3
Severity: wishlist
Tags: patch

Through a discussion on IRC, it came up that many of the Python Team
maintained packages use http(s)://pypi.python.org/packages/source/...
URLs, which aren't currently working.  Turns out that's not a URL that
should be relied upon and http(s)://pypi.python.org/simple/... should be
used instead.

The attached patch adds a new check for this, referring to the upstream
documentation for this "simple HTML" API[0].

[0]: https://wiki.python.org/moin/PyPISimple

Cheers,
James

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                       2.25-4
ii  bzip2                          1.0.6-7+b2
ii  diffstat                       1.58-1
ii  file                           1:5.22+15-1
ii  gettext                        0.19.3-2
ii  hardening-includes             2.7
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.29+b2
ii  libarchive-zip-perl            1.39-1
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.37-1+b1
ii  libdpkg-perl                   1.17.23
ii  libemail-valid-perl            1.195-1
ii  libfile-basedir-perl           0.03-1
ii  libipc-run-perl                0.92-1
ii  liblist-moreutils-perl         0.33-2+b1
ii  libparse-debianchangelog-perl  1.2.0-1.1
ii  libtext-levenshtein-perl       0.11-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.64-1
ii  man-db                         2.7.0.2-5
ii  patchutils                     0.3.3-1
ii  perl [libdigest-sha-perl]      5.20.1-4
ii  t1utils                        1.38-3+b1

Versions of packages lintian recommends:
ii  libautodie-perl                 2.25-1
ii  libperlio-gzip-perl             0.18-3+b1
ii  perl                            5.20.1-4
ii  perl-modules [libautodie-perl]  5.20.1-4

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.17.23
ii  libhtml-parser-perl    3.71-1+b3
ii  libtext-template-perl  1.46-1
ii  libyaml-perl           1.13-1
ii  xz-utils               5.1.1alpha+20120614-2+b3

-- no debconf information

>From ca5a5ebed9650db558e60141bee02c41be1c5110 Mon Sep 17 00:00:00 2001
From: James McCoy <jamessan@debian.org>
Date: Sun, 25 Jan 2015 21:47:22 -0500
Subject: [PATCH] checks/watch-file: Add check for unsupported PyPI URL

Signed-off-by: James McCoy <jamessan@debian.org>
---
 checks/watch-file.desc                         | 12 ++++++++++++
 checks/watch-file.pm                           |  4 ++++
 t/tests/watch-file-general/debian/debian/watch |  4 +++-
 t/tests/watch-file-general/desc                |  1 +
 t/tests/watch-file-general/tags                |  2 ++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index 89b2ff2..fb8e98b 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -174,3 +174,15 @@ Certainty: certain
 Info: The watch file contains a standard template included by dh_make.
  Please remove them once you have implemented the watch file.
 
+Tag: debian-watch-file-unsupported-pypi-url
+Severity: important
+Certainty: certain
+Ref: https://wiki.python.org/moin/PyPISimple
+Info: The watch file specifies a PyPI URL which is not a supported API.
+ Instead, use PyPI's Simple API:
+ .
+   https://pypi.python.org/simple/&lt;distribution-name&gt;/
+ .
+ replacing <tt>&lt;distribution-name&gt;</tt> with the canonical name of the
+ Python project.
+
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index cd0f8de..35522b8 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -132,6 +132,10 @@ sub run {
                 tag 'debian-watch-file-should-use-sf-redirector', "line $.";
             }
 
+            if (m%https?://pypi\.python\.org/packages/source/%) {
+                tag 'debian-watch-file-unsupported-pypi-url', "line $.";
+            }
+
             # This bit is as-is from uscan.pl:
             my ($base, $filepattern, $lastversion, $action) = split ' ', $_, 4;
             # Per #765995, $base might be undefined.
diff --git a/t/tests/watch-file-general/debian/debian/watch b/t/tests/watch-file-general/debian/debian/watch
index 260fa39..aa45280 100644
--- a/t/tests/watch-file-general/debian/debian/watch
+++ b/t/tests/watch-file-general/debian/debian/watch
@@ -20,5 +20,7 @@ version=42
 # Specifies the same version number as the package.
 http://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate
 
+# Unsupported PyPi URL
+https://pypi.python.org/packages/source/p/pip/ pip-(.*)\.tar\.gz
 
-# without any pgpsigurlmangle
\ No newline at end of file
+# without any pgpsigurlmangle
diff --git a/t/tests/watch-file-general/desc b/t/tests/watch-file-general/desc
index bcb8112..f86823e 100644
--- a/t/tests/watch-file-general/desc
+++ b/t/tests/watch-file-general/desc
@@ -13,5 +13,6 @@ Test-For:
  debian-watch-file-should-use-sf-redirector
  debian-watch-file-specifies-wrong-upstream-version
  debian-watch-file-unknown-version
+ debian-watch-file-unsupported-pypi-url
  debian-watch-file-uses-deprecated-sf-redirector-method
 References: Debian Bug#510398
diff --git a/t/tests/watch-file-general/tags b/t/tests/watch-file-general/tags
index de38a58..f37f4f5 100644
--- a/t/tests/watch-file-general/tags
+++ b/t/tests/watch-file-general/tags
@@ -1,3 +1,4 @@
+E: watch-file-general source: debian-watch-file-unsupported-pypi-url line 24
 I: watch-file-general source: debian-watch-file-should-dversionmangle-not-uversionmangle line 5
 P: watch-file-general source: debian-watch-may-check-gpg-signature
 W: watch-file-general source: debian-watch-file-declares-multiple-versions line 18
@@ -5,6 +6,7 @@ W: watch-file-general source: debian-watch-file-declares-multiple-versions line
 W: watch-file-general source: debian-watch-file-should-mangle-version line 12
 W: watch-file-general source: debian-watch-file-should-mangle-version line 14
 W: watch-file-general source: debian-watch-file-should-mangle-version line 15
+W: watch-file-general source: debian-watch-file-should-mangle-version line 24
 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 12
 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 14
 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 15
-- 
2.1.4

Reply to:

Prev by Date: [lintian] branch master updated (b970aca -> c763422)
Next by Date: Bug#776480: lintian: [dbus] add the check that found CVE-2014-8148 and CVE-2014-8156
Previous by thread: [lintian] branch master updated (b970aca -> c763422)
Next by thread: Bug#776480: lintian: [dbus] add the check that found CVE-2014-8148 and CVE-2014-8156
Index(es):
- Date
- Thread