Hi, We have added a couple of new tags for lintian (see attached diff file). We kindly ask you to review them before they are released. :) ~Niels
diff --git a/checks/changelog-file.desc b/checks/changelog-file.desc index 7da3476..9330822 100644 --- a/checks/changelog-file.desc +++ b/checks/changelog-file.desc @@ -223,11 +223,15 @@ Tag: experimental-to-unstable-without-comment Severity: pedantic Certainty: possible Info: The previous version of this package had a distribution of - experimental, this version has a distribution of unstable, and there's - apparently no comment about the change of distributions (Lintian looks - for the phrase "to unstable"). This may indicate a mistake in setting - the distribution and accidentally uploading to unstable a package - intended for experimental. + "experimental", this version has a distribution of "unstable", and there's + apparently no comment about the change of distributions. + . + Lintian looks in this version's changelog entry for the phrase "to + unstable" or "to sid", with or without quotation marks around the + distribution name. + . + This may indicate a mistake in setting the distribution and accidentally + uploading to unstable a package intended for experimental. Tag: syntax-error-in-debian-changelog Severity: normal diff --git a/checks/control-file.desc b/checks/control-file.desc index a71182b..522d5f9 100644 --- a/checks/control-file.desc +++ b/checks/control-file.desc 
@@ -89,6 +89,17 @@ Info: There is an XS-Vcs-* field in the <tt>debian/control</tt> file. As recognizes these headers and handles them correctly. Consider removing the XS- prefix for this field. +Tag: xs-testsuite-header-in-debian-control +Severity: wishlist +Certainty: certain +Info: There is an XS-Testsuite field in the <tt>debian/control</tt> file. As + of dpkg 1.17.10, the XS- prefix is no longer necessary. dpkg now + recognizes this header and handles it correctly. As of dpkg 1.17.11 the + field is automatically added by dpkg-source with the "autopkgtest" value if + there is a non-empty <tt>debian/tests/control</tt> file present. Consider + either removing the XS- prefix for this field or removing the field + altogether if it contains just the "autopkgtest" value. + Tag: xc-package-type-in-debian-control Severity: pedantic Certainty: certain @@ -233,3 +244,11 @@ Certainty: possible Info: The restriction formula in Build-Profiles field includes an unknown build profile. The only allowed build profiles are "stage1", "stage2", "nocheck", "nodoc", "nobiarch" and "cross". + +Tag: multiline-architecture-field +Severity: important +Certainty: certain +Ref: policy 5.6.8 +Info: The values of the Architecture field in debian/control must not + be separated by anything else than spaces, i.e. must be single line + and is not allowed to span multiple lines. diff --git a/checks/cruft.desc b/checks/cruft.desc index f4fbae5..40ec733 100644 --- a/checks/cruft.desc +++ b/checks/cruft.desc @@ -773,3 +773,10 @@ Info: The following file is autogenerated by Microsoft Visual C++. Check if upstream also provides source-only tarballs that you can use as the upstream distribution instead. If not, you may want to ask upstream to provide source-only tarballs. + +# Imported from lintian4python (python/helpers) +Tag: debian-pycompat-is-obsolete +Severity: wishlist +Certainty: certain +Info: debian/pycompat is not used by any modern Python helper. It should be + safe to remove this file. 
diff --git a/checks/dbus.desc b/checks/dbus.desc index 42b9665..2066f3d 100644 --- a/checks/dbus.desc +++ b/checks/dbus.desc @@ -29,14 +29,13 @@ Info: The package contains D-Bus policy configuration that uses the including distinguishing between users who are "at the console" and those who are not. Ref: https://bugs.freedesktop.org/show_bug.cgi?id=39611 -Experimental: yes Tag: dbus-policy-without-send-destination Severity: normal -Certainty: possible +Certainty: certain Info: The package contains D-Bus policy configuration that uses - one of the <tt>send_*</tt> conditions but does not specify a - <tt>send_destination</tt>. + one of the <tt>send_*</tt> conditions, but does not specify a + <tt>send_destination</tt>, and is not specific to root. . Rules of the form . 
@@ -52,8 +51,50 @@ Info: The package contains D-Bus policy configuration that uses . are redundant with the system bus' default-deny policy, and have unintended effects on other services. + . + This check ignores rules of the form + . + <policy user="root"> + <allow ... /> + </policy> + . + which are commonly used for the "agent" pattern seen in services like + BlueZ and NetworkManager: a root-privileged daemon calls out to + one or more per-user user interface agent processes with no specific + name, so <tt>send_destination</tt> is not easily applicable. + However, such rules should still be made as specific as possible to + avoid undesired side-effects. Ref: https://bugs.freedesktop.org/show_bug.cgi?id=18961,http://lists.freedesktop.org/archives/dbus/2008-February/009401.html -Experimental: yes + +Tag: dbus-policy-excessively-broad +Severity: serious +Certainty: possible +Info: The package contains D-Bus policy configuration that + matches broad classes of messages. This will cause strange side-effects, + is almost certainly unintended, and is a probable security flaw. + . + For instance, + . + <policy user="daemon"> + <allow send_type="method_call"/> + <allow send_destination="com.example.Bees"/> + </policy> + . + in any system bus policy file would allow the <tt>daemon</tt> user to send + any method call to any service, including method calls which are meant to + be restricted to root-only for security, such as + <tt>org.freedesktop.systemd1.Manager.StartTransientUnit</tt>. (In addition, + it allows that user to send any message to the <tt>com.example.Bees</tt> + service.) + . + The intended policy for that particular example was probably more like + . + <policy user="daemon"> + <allow send_type="method_call" send_destination="com.example.Bees"/> + </policy> + . + which correctly allows method calls to that particular service only. +Ref: http://www.openwall.com/lists/oss-security/2015/01/27/25 Tag: dbus-session-service-wrong-name Severity: wishlist 
diff --git a/checks/deb-format.desc b/checks/deb-format.desc index 0b30f73..418305e 100644 --- a/checks/deb-format.desc +++ b/checks/deb-format.desc @@ -68,3 +68,27 @@ Info: The data portion of this binary package uses a deprecated compression For lzma, xz is the direct replacement. For bzip2 either gzip or xz can be used as a substitute, depending on the wanted properties: gzip for maximum compatibility and speed, and xz for maximum compression ratio. + +Tag: uses-no-compression-for-control-tarball +Severity: important +Certainty: certain +Ref: deb(5) +Info: The control portion of this binary package uses a non compressed + format. Although dpkg will support extracting such binary packages + since dpkg 1.10.24, creating them is not advised except in special + cases. + . + Except if data is non compressible use gzip for + maximum compatibility and speed, and xz for maximum compression ratio. + +Tag: uses-no-compression-for-data-tarball +Severity: important +Certainty: certain +Ref: deb(5) +Info: The data portion of this binary package uses a non compressed + format. Although dpkg will support extracting such binary packages + since dpkg 1.10.24, creating them is not advised except in special + cases. + . + Except if data is non compressible use gzip for + maximum compatibility and speed, and xz for maximum compression ratio. diff --git a/checks/fields.desc b/checks/fields.desc index 3643704..0182a10 100644 --- a/checks/fields.desc +++ b/checks/fields.desc @@ -1238,3 +1239,10 @@ Info: Package should not suggest or recommend libservlet-java . If there is otherwise a valid reason for this suggestion or recommendation, please override the tag. + +# Imported from lintian4python (python/helpers) +Tag: python-version-current-is-deprecated +Severity: normal +Certainty: certain +Info: The use of "current" in the Python-Version field is deprecated. +Ref: python-policy 3.4 diff --git a/checks/files.desc b/checks/files.desc index c6b8949..b0a5e6b 100644 --- a/checks/files.desc 
+++ b/checks/files.desc @@ -1457,15 +1457,13 @@ Info: The package appears to ship locales for a language but uses an It is possible that the language code was mistyped or incorrectly guessed from the language's or country's name. -Tag: compressed-objects.inv +Tag: file-should-not-be-compressed Severity: normal Certainty: possible -Info: The package appears to ship a gzip compressed objects.inv file - in it's documentation. Unfortunately some tools do not cope with - this file being compressed. +Info: The following file should not be compressed. . This file should be excluded from compression during build time. - If using debhelper (<< 8.1.0), you may need to use the -X + If using debhelper (<< 9.20140227), you may need to use the -X option to dh_compress. Newer versions of debhelper handle this correctly by default. diff --git a/checks/init.d.desc b/checks/init.d.desc index 0baffde..1e19bb8 100644 --- a/checks/init.d.desc +++ b/checks/init.d.desc @@ -87,9 +87,9 @@ Tag: script-in-etc-init.d-not-registered-via-update-rc.d Severity: normal Certainty: possible Info: The package installs an <tt>/etc/init.d</tt> script which is - not registered in the <tt>postinst</tt> script. This is usually a bug, - unless you omit the links intentionally for some reason or create the - links some other way. + not registered in the <tt>postinst</tt> script. This is usually a bug + (such as omitting the <tt>#DEBHELPER#</tt> token) unless you omit the links + intentionally for some reason or create the links some other way. Tag: upstart-job-in-etc-init.d-not-registered-via-update-rc.d Severity: normal diff --git a/checks/scripts.desc b/checks/scripts.desc index 6d4b33b..9591a1b 100644 --- a/checks/scripts.desc +++ b/checks/scripts.desc 
@@ -658,6 +658,8 @@ Info: The indicated program run in a maintainer script has a prepended . If the path is required to test a program for existence, one of the suggested workarounds in the developer's reference can be used. + . + See particularly function pathfind() of devref. Ref: policy 6.1, devref 6.4 Tag: maintainer-script-should-not-use-ancient-dpkg-epoch-check diff --git a/checks/shared-libs.desc b/checks/shared-libs.desc index e647610..f3d9c89 100644 --- a/checks/shared-libs.desc +++ b/checks/shared-libs.desc @@ -392,8 +392,8 @@ Severity: important Certainty: certain Info: The symbols control file contains an unknown meta-information field. . - A list of currently supported fields may be found in deb-control(5). -Ref: deb-control(5) + A list of currently supported fields may be found in deb-symbols(5). +Ref: deb-symbols(5) Tag: symbols-declared-but-not-shlib Severity: important diff --git a/checks/source-copyright.desc b/checks/source-copyright.desc index d010f6d..98955f8 100644 --- a/checks/source-copyright.desc +++ b/checks/source-copyright.desc 
@@ -240,6 +240,25 @@ Info: In contrast to package dependencies, the pipe symbol or vertical between two license short names. Instead, the keyword "or" between two license names indicates the dual licensing. +Tag: dep5-file-paragraph-reference-header-paragraph +Severity: normal +Certainty: possible +Ref: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Info: The Files paragraph uses a reference to a license, which is + only defined in the Header paragraph. The copyright specification + requires that the Files paragraph either contains the full license + itself or references a "stand-alone" License paragraph, and not the + Header paragraph + +Tag: dep5-copyright-license-name-not-unique +Severity: normal +Certainty: possible +Ref: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Info: This paragraph define an already defined license. + . + According to specification the short license name are guaranteed + to be unique within a single copyright file. + Tag: invalid-escape-sequence-in-dep5-copyright Severity: normal Certainty: possible diff --git a/checks/symlinks.desc b/checks/symlinks.desc index c9b1850..0f621af 100644 --- a/checks/symlinks.desc +++ b/checks/symlinks.desc @@ -11,7 +11,7 @@ Certainty: wild-guess Experimental: yes Info: The package contains a symlink but the destination for the link does not exist in the package nor in its - direct dependencies. + direct dependencies built from the same source package. Tag: package-contains-broken-symlink-wildcard Severity: normal @@ -19,7 +19,7 @@ Certainty: possible Info: The package contains a symlink with a target that appears to be a "failed" wildcard expansion. Furthermore the target does not exists in the package or any of its - direct dependencies (built from the same source). + direct dependencies (built from the same source package). Tag: package-contains-unsafe-symlink Severity: serious 
diff --git a/checks/testsuite.desc b/checks/testsuite.desc index 65386d9..b00ba3d 100644 --- a/checks/testsuite.desc +++ b/checks/testsuite.desc @@ -40,7 +40,7 @@ Info: The package provides a debian/tests/control file but no . For discoverability, packages shipping tests for the autopkgtest testing framework should declare their presence in the package - dsc file by adding "XS-Testsuite: autopkgtest" to their debian/control. + dsc file by adding "Testsuite: autopkgtest" to their debian/control. Ref: http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests.rst;hb=HEAD Tag: missing-runtime-tests-field @@ -110,5 +110,5 @@ Severity: normal Certainty: certain Info: The dsc file sets Testsuite to a value other than autopkgtest, the only one allowed. This field is most probably copied by - dpkg-source from XS-Testsuite in debian/control. + dpkg-source from Testsuite in debian/control. Ref: http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests.rst;hb=HEAD diff --git a/checks/watch-file.desc b/checks/watch-file.desc index 89b2ff2..ed6e6d5 100644 --- a/checks/watch-file.desc +++ b/checks/watch-file.desc 
@@ -174,3 +174,24 @@ Certainty: certain Info: The watch file contains a standard template included by dh_make. Please remove them once you have implemented the watch file. +# Imported from lintian4python (python/watch) +Tag: debian-watch-file-accesses-pypi-over-http +Severity: wishlist +Certainty: certain +Info: The watch file is pointing at PyPI, using a http URL, not https. + PyPI now has https enabled, you should be able to simply switch to + https. + +Tag: debian-watch-file-unsupported-pypi-url +Severity: important +Certainty: certain +Ref: #776267, https://wiki.python.org/moin/PyPISimple +Info: The watch file specifies a PyPI URL which is not a supported API. + Instead, use either the pypi.debian.net redirector service or PyPI's + Simple API: + . + http://pypi.debian.net/<distribution-name>/<distribution-name>-(.*).tar.gz + https://pypi.python.org/simple/<distribution-name>/ … + . + replacing <tt><distribution-name></tt> with the canonical name + of the Python project.
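Review bot: in the control-file.desc hunk, the Info text of multiline-architecture-field is hard to parse ("must not be separated by anything else than spaces, i.e. must be single line and is not allowed to span multiple lines"). Suggest a single clear sentence such as "The values of the Architecture field in debian/control must be separated only by spaces; the field must not span multiple lines." Since the tag is Severity: important with a policy 5.6.8 reference, it is worth stating plainly what a maintainer has to change.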
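Review bot: in the second dbus.desc hunk, the literal `<policy user="root">`, `<allow ... />` and `<allow send_type="method_call"/>` lines sit inside an Info field that is otherwise written with HTML markup (`<tt>...</tt>`), so if the Info text is rendered as HTML these example elements need to be escaped (`&lt;policy ...&gt;`) or they will be dropped from the rendered description, which would leave the "For instance," and "was probably more like" sentences pointing at nothing. Please also double-check that the `<allow ... />` placeholder is not mistaken for literal syntax; spelling out the actual rule kinds being ignored (the send_* conditions named above) would make the root exemption easier to audit.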
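Review bot: in the deb-format.desc hunk, both new tags carry the same two grammatical problems: "uses a non compressed format" should read "uses an uncompressed format", and "Except if data is non compressible use gzip for maximum compatibility and speed, and xz for maximum compression ratio." should read "Unless the data is incompressible, use gzip for maximum compatibility and speed, and xz for maximum compression ratio." Also "dpkg will support extracting such binary packages since dpkg 1.10.24" mixes tenses; "dpkg has supported extracting such binary packages since 1.10.24" is clearer.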
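Review bot: the fields.desc hunk header `@@ -1238,3 +1239,10 @@` starts one line later on the new side than on the old side, which means an earlier hunk in checks/fields.desc adds a line that is not included in this diff. Please regenerate the patch so the whole change to fields.desc is reviewable, or confirm the missing hunk was dropped intentionally.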
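Review bot: in the files.desc hunk, renaming compressed-objects.inv to file-should-not-be-compressed drops the rationale from the Info text: "The following file should not be compressed." no longer tells the maintainer why (the removed sentence explained that some tools cannot cope with a compressed objects.inv). Consider keeping a short reason in the generalised text, e.g. "The following file should not be compressed, because tools that consume it do not handle compressed versions." Note as well that the rename will make any existing override for compressed-objects.inv stop matching; the release notes or changelog should mention the new tag name.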
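Review bot: in the scripts.desc hunk, "See particularly function pathfind() of devref." reads awkwardly; suggest "See in particular the pathfind() function in the Developer's Reference." and, since a Ref line already cites devref 6.4, it may be enough to say "the pathfind() function shown in devref 6.4" so the reader knows where to look.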
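Review bot: in the watch-file.desc hunk, the debian-watch-file-unsupported-pypi-url description recommends `http://pypi.debian.net/<distribution-name>/...` immediately after the new debian-watch-file-accesses-pypi-over-http tag tells maintainers to stop using plain http for PyPI; if the pypi.debian.net redirector is reachable over https the example should use it, otherwise the first tag should say explicitly which hosts it applies to, so the two tags do not contradict each other. Minor wording: "using a http URL, not https. PyPI now has https enabled, you should be able to simply switch to https." should be "using an http URL rather than https. PyPI now supports https, so you should be able to simply switch."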