
Bug#785662: lintian: Should warn about included oui.txt or iab.txt, and recommend to use those from ieee-data instead



Package: lintian
Version: 2.5.31
Severity: wishlist

While looking at arpwatch for a potential QA upload, I noticed that it
contains rather ancient data based upon oui.txt from the IEEE Registry.

These files are nowadays (since 2013 respectively Jessie) shipped in the
package ieee-data. Still many packages ship this currently 3.3 MB sized
file themselves or ship their own downloader/updater, probably without
proper copyright declaration for oui.txt as the copyright situation was
rather unclear until the ieee-data maintainer contacted IEEE about it.

The following packages are at least affected (checked with "apt-file
search oui" on a Jessie system):

arpalert: /etc/arpalert/oui.txt
arp-scan: /usr/bin/get-oui
arp-scan: /usr/share/arp-scan/ieee-oui.txt
btscanner: /usr/share/btscanner/oui.txt
ipv6toolkit: /usr/share/ipv6toolkit/oui.txt
ntop-data: /usr/share/ntop/oui.txt
ocsinventory-reports: /usr/share/ocsinventory-reports/files/oui.txt
python3-netaddr: /usr/lib/python3/dist-packages/netaddr/eui/oui.idx
python3-netaddr: /usr/lib/python3/dist-packages/netaddr/eui/oui.txt
python-netaddr: /usr/lib/python2.7/dist-packages/netaddr/eui/oui.idx
python-netaddr: /usr/lib/python2.7/dist-packages/netaddr/eui/oui.txt
ruby-packetfu: /usr/share/doc/ruby-packetfu/examples/oui.txt.gz

Luciano (as well as Gürkan years earlier) seem to have filed bug reports
for embedded copies of oui.txt already against arpalert, arp-scan,
btscanner, ipv6toolkit (fixed in experimental, yay!), ntop-data,
ocsinventory-reports, but the python and ruby packages listed above have
no such bug report. And I think we should also have a way to warn future
package maintainers about this issue.

arpwatch ships its mangled OUI data in
/usr/share/arpwatch/ethercodes.dat. Such mangled data probably can't be
found easily by a lintian check.

I imagine a check which warns if

* a binary or source package contains a file whose name matches
  /\b(oui|iab).(txt|idx|db)\b/ (This should also match compressed
  variants)

* a binary package contains an executable whose file name matches
  /(get|fetch|download|update)-(oui|iab)\b/

* a binary package contains an executable which contains one of the
  typical oui.txt download URLs, e.g.
  http://standards-oui.ieee.org/oui.txt and
  http://standards.ieee.org/develop/regauth/oui/oui.txt

AND

* the package is _not_ named ieee-data. :-)

Not sure if the check should also try to look for typical excerpts of
that file to recognize non-standard file names. Sounds like overkill to
me.

Proposed classification:

Certainty: possible
Severity: Somewhere between minor and normal.

(I'd neither use pedantic nor wishlist since the file is too big and too
often outdated.)

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages lintian depends on:
ii  binutils                       2.25-7
ii  bzip2                          1.0.6-7+b3
ii  diffstat                       1.58-1
ii  file                           1:5.22+15-2
ii  gettext                        0.19.4-1
ii  hardening-includes             2.7
ii  intltool-debian                0.35.0+20060710.2
ii  libapt-pkg-perl                0.1.29+b2
ii  libarchive-zip-perl            1.39-1
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.37-1+b1
ii  libdigest-sha-perl             5.95-2
ii  libdpkg-perl                   1.17.25
ii  libemail-valid-perl            1.195-1
ii  libfile-basedir-perl           0.03-1
ii  libipc-run-perl                0.94-1
ii  liblist-moreutils-perl         0.410-1
ii  libparse-debianchangelog-perl  1.2.0-1.1
ii  libtext-levenshtein-perl       0.12-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.64-1
ii  man-db                         2.7.0.2-5
ii  patchutils                     0.3.4-1
ii  perl [libdigest-sha-perl]      5.20.2-6
ii  t1utils                        1.38-4
ii  xz-utils                       5.1.1alpha+20120614-2+b3

Versions of packages lintian recommends:
ii  dpkg                            1.17.25
ii  libautodie-perl                 2.25-1
ii  libperlio-gzip-perl             0.18-3+b1
ii  perl                            5.20.2-6
ii  perl-modules [libautodie-perl]  5.20.2-6

Versions of packages lintian suggests:
ii  binutils-multiarch     2.25-7
ii  dpkg-dev               1.17.25
ii  libhtml-parser-perl    3.71-1+b3
ii  libtext-template-perl  1.46-1
ii  libyaml-perl           1.13-1

-- no debconf information
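
The check proposed in the report above, sketched as a stand-alone function. This is an added example, not part of the original report and not lintian code: the tag names, the `check_package` interface and the sample file contents are assumptions, and the dot in the file-name pattern is escaped on the assumption that a literal dot was meant.

```python
import re

# Patterns and URLs as given in the report (dot escaped, see lead-in).
DATA_FILE_RE = re.compile(r"\b(oui|iab)\.(txt|idx|db)\b")
UPDATER_RE = re.compile(r"(get|fetch|download|update)-(oui|iab)\b")
DOWNLOAD_URLS = (
    b"http://standards-oui.ieee.org/oui.txt",
    b"http://standards.ieee.org/develop/regauth/oui/oui.txt",
)


def check_package(name, files):
    """Return (tag, path) findings for one package.

    files: iterable of (path, is_executable, content), where content is
    the file's bytes or None if it was not read. Tag names are hypothetical.
    """
    if name == "ieee-data":          # the one package allowed to ship the data
        return []
    findings = []
    for path, is_executable, content in files:
        base = path.rsplit("/", 1)[-1]
        # The trailing \b also accepts compressed variants such as oui.txt.gz.
        if DATA_FILE_RE.search(base):
            findings.append(("embedded-ieee-data", path))
        if is_executable:
            if UPDATER_RE.search(base):
                findings.append(("ieee-data-updater", path))
            if content and any(url in content for url in DOWNLOAD_URLS):
                findings.append(("ieee-data-download-url", path))
    return findings


if __name__ == "__main__":
    # Constructed sample: paths from the report's list, contents invented.
    sample = {
        "arp-scan": [("/usr/bin/get-oui", True, None),
                     ("/usr/share/arp-scan/ieee-oui.txt", False, None)],
        "ruby-packetfu": [("/usr/share/doc/ruby-packetfu/examples/oui.txt.gz",
                           False, None)],
        "arpwatch": [("/usr/share/arpwatch/ethercodes.dat", False, None)],
        "ieee-data": [("/usr/share/ieee-data/oui.txt", False, None)],
    }
    for pkg, files in sample.items():
        for tag, path in check_package(pkg, files):
            print(f"{pkg}: {tag} {path}")
```

As the report anticipates, the renamed ethercodes.dat in arpwatch produces no finding from a name-based check.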

