Bug#785662: lintian: Should warn about included oui.txt or iab.txt, and recommend to use those from ieee-data instead
Package: lintian
Version: 2.5.31
Severity: wishlist
While looking at arpwatch for a potential QA upload, I noticed that it
contains rather ancient data based upon oui.txt from the IEEE Registry.
These files are nowadays (since 2013 respectively Jessie) shipped in the
package ieee-data. Still many packages ship this currently 3.3 MB sized
file themselves or ship their own downloader/updater, probably without
proper copyright declaration for oui.txt as the copyright situation was
rather unclear until the ieee-data maintainer contacted IEEE about it.
The following packages are at least affected (checked with "apt-file
search oui" on a Jessie system):
arpalert: /etc/arpalert/oui.txt
arp-scan: /usr/bin/get-oui
arp-scan: /usr/share/arp-scan/ieee-oui.txt
btscanner: /usr/share/btscanner/oui.txt
ipv6toolkit: /usr/share/ipv6toolkit/oui.txt
ntop-data: /usr/share/ntop/oui.txt
ocsinventory-reports: /usr/share/ocsinventory-reports/files/oui.txt
python3-netaddr: /usr/lib/python3/dist-packages/netaddr/eui/oui.idx
python3-netaddr: /usr/lib/python3/dist-packages/netaddr/eui/oui.txt
python-netaddr: /usr/lib/python2.7/dist-packages/netaddr/eui/oui.idx
python-netaddr: /usr/lib/python2.7/dist-packages/netaddr/eui/oui.txt
ruby-packetfu: /usr/share/doc/ruby-packetfu/examples/oui.txt.gz
Luciano (as well as Gürkan years earlier) seem to have filed bug reports
for embedded copies of oui.txt already against arpalert, arp-scan,
btscanner, ipv6toolkit (fixed in experimental, yay!), ntop-data,
ocsinventory-reports, but the python and ruby packages listed above have
no such bug report. And I think we should also have a way to warn future
package maintainers about this issue.
arpwatch ships its mangled OUI data in
/usr/share/arpwatch/ethercodes.dat. Such mangled data probably can't be
found easily by a lintian check.
I imagine a check which warns if
* a binary or source package contains a file whose name matches
/\b(oui|iab).(txt|idx|db)\b/ (This should also match compressed
variants)
* a binary package contains an executable whose file name matches
/(get|fetch|download|update)-(oui|iab)\b/
* a binary package contains an executable which contains one of the
typical oui.txt download URLs, e.g.
http://standards-oui.ieee.org/oui.txt and
http://standards.ieee.org/develop/regauth/oui/oui.txt
AND
* the package is _not_ named ieee-data. :-)
Not sure if the check should also try to look for typical excerpts of
that file to recognize non-standard file names. Sounds like overkill to
me.
Proposed classification:
Certainty: possible
Severity: Somewhere between minor and normal.
(I'd neither use pedantic nor wishlist since the file is too big and too
often outdated.)
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages lintian depends on:
ii binutils 2.25-7
ii bzip2 1.0.6-7+b3
ii diffstat 1.58-1
ii file 1:5.22+15-2
ii gettext 0.19.4-1
ii hardening-includes 2.7
ii intltool-debian 0.35.0+20060710.2
ii libapt-pkg-perl 0.1.29+b2
ii libarchive-zip-perl 1.39-1
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.37-1+b1
ii libdigest-sha-perl 5.95-2
ii libdpkg-perl 1.17.25
ii libemail-valid-perl 1.195-1
ii libfile-basedir-perl 0.03-1
ii libipc-run-perl 0.94-1
ii liblist-moreutils-perl 0.410-1
ii libparse-debianchangelog-perl 1.2.0-1.1
ii libtext-levenshtein-perl 0.12-1
ii libtimedate-perl 2.3000-2
ii liburi-perl 1.64-1
ii man-db 2.7.0.2-5
ii patchutils 0.3.4-1
ii perl [libdigest-sha-perl] 5.20.2-6
ii t1utils 1.38-4
ii xz-utils 5.1.1alpha+20120614-2+b3
Versions of packages lintian recommends:
ii dpkg 1.17.25
ii libautodie-perl 2.25-1
ii libperlio-gzip-perl 0.18-3+b1
ii perl 5.20.2-6
ii perl-modules [libautodie-perl] 5.20.2-6
Versions of packages lintian suggests:
ii binutils-multiarch 2.25-7
ii dpkg-dev 1.17.25
ii libhtml-parser-perl 3.71-1+b3
ii libtext-template-perl 1.46-1
ii libyaml-perl 1.13-1
-- no debconf information
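The check proposed in the report, sketched as an added example (not lintian code and not written by the reporter), restricted to binary packages. The finding labels, the input shape and the file contents are assumptions of the example; the patterns, URLs and most paths are the ones quoted in the report.

```python
import re

# Patterns as quoted in the report. The "." in the first one is unescaped
# there, so it matches any single character, not only a literal dot.
DATA_FILE = re.compile(r"\b(oui|iab).(txt|idx|db)\b")
UPDATER = re.compile(r"(get|fetch|download|update)-(oui|iab)\b")
DOWNLOAD_URLS = (
    b"http://standards-oui.ieee.org/oui.txt",
    b"http://standards.ieee.org/develop/regauth/oui/oui.txt",
)

# Paths (except the ieee-data one) come from the report's apt-file listing;
# the ieee-data path, file contents and executable flags are constructed.
SAMPLE = {
    "arp-scan": {
        "/usr/bin/get-oui": (True, b"fetch http://standards-oui.ieee.org/oui.txt\n"),
        "/usr/share/arp-scan/ieee-oui.txt": (False, b""),
    },
    "ruby-packetfu": {"/usr/share/doc/ruby-packetfu/examples/oui.txt.gz": (False, b"")},
    "arpwatch": {"/usr/share/arpwatch/ethercodes.dat": (False, b"")},
    "ieee-data": {"/usr/share/ieee-data/oui.txt": (False, b"")},
}


def check_package(package, files):
    """Return sorted (path, label) findings for one binary package.

    files maps path -> (is_executable, content_bytes). This shape and the
    label strings are assumptions of the example, not lintian's data model.
    """
    if package == "ieee-data":  # the one package allowed to ship the data
        return []
    findings = []
    for path, (is_executable, content) in files.items():
        name = path.rsplit("/", 1)[-1]
        if DATA_FILE.search(name):  # also hits compressed names like oui.txt.gz
            findings.append((path, "embedded-ieee-data"))
        if is_executable and UPDATER.search(name):
            findings.append((path, "ieee-data-updater"))
        if is_executable and any(url in content for url in DOWNLOAD_URLS):
            findings.append((path, "ieee-data-download-url"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, files in SAMPLE.items():
        for path, label in check_package(pkg, files):
            print(f"{pkg}: {label} {path}")
```

On the sample, arpwatch's ethercodes.dat produces no finding, which is the limitation the report anticipates for renamed or mangled copies.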