Bug#922557: lintian: Make orig-tarball-missing-upstream-signature a "dsc" check
tags 922557 + patch
thanks
Hi,
> lintian: Make orig-tarball-missing-upstream-signature a "dsc" check
WIP patch attached; the unit tests don't pass for some reason to
be investigated...
commit ee116b6206ae2aada6429d8a5ea8843021853f50
Author: Chris Lamb <lamby@debian.org>
Date: Mon Feb 18 14:54:46 2019 +0100
Make orig-tarball-missing-upstream-signature a "dsc" check so it appears when running against non-.changes files. (Closes: #922557)
checks/changes-file.desc | 20 ----------
checks/changes-file.pm | 25 +------------
checks/control-file.desc | 20 ++++++++++
checks/control-file.pm | 25 ++++++++++++-
lib/Lintian/Collect/Source.pm | 85 ++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 129 insertions(+), 46 deletions(-)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
>From ee116b6206ae2aada6429d8a5ea8843021853f50 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Mon, 18 Feb 2019 14:54:46 +0100
Subject: [PATCH] Make orig-tarball-missing-upstream-signature a "dsc" check so
it appears when running against non-.changes files. (Closes: #922557)
---
checks/changes-file.desc | 20 ---------
checks/changes-file.pm | 25 +----------
checks/control-file.desc | 20 +++++++++
checks/control-file.pm | 25 ++++++++++-
lib/Lintian/Collect/Source.pm | 85 ++++++++++++++++++++++++++++++++++-
5 files changed, 129 insertions(+), 46 deletions(-)
diff --git a/checks/changes-file.desc b/checks/changes-file.desc
index 8576ab230..295a53b2f 100644
--- a/checks/changes-file.desc
+++ b/checks/changes-file.desc
@@ -193,26 +193,6 @@ Info: The distribution in the <tt>Changes</tt> field copied from
to be released yet.
Ref: #542747
-Tag: orig-tarball-missing-upstream-signature
-Severity: normal
-Certainty: certain
-Info: The packaging includes an upstream signing key but the corresponding
- <tt>.asc</tt> signature for one or more source tarballs are not included
- in your .changes file.
- .
- Please ensure a
- <tt><package>_<version>.orig.tar.<ext>.asc</tt> file
- exists in the same directory as your
- <tt><package>_<version>.orig.tar.<ext></tt> tarball prior
- to <tt>dpkg-source --build</tt> being called.
- .
- If you are repackaging your source tarballs for Debian Free Software
- Guidelines compliance reasons, ensure that your package version includes
- <tt>dfsg</tt> or similar.
- .
- Support for signatures was added to <tt>pristine-tar</tt> in version 1.41
- and support in <tt>git-buildpackage</tt> is being tracked in #872864.
-
Tag: changed-by-invalid-for-derivative
Severity: serious
Certainty: certain
diff --git a/checks/changes-file.pm b/checks/changes-file.pm
index 2ac28b5a6..8a47793b6 100644
--- a/checks/changes-file.pm
+++ b/checks/changes-file.pm
@@ -23,7 +23,7 @@ use strict;
use warnings;
use autodie;
-use List::MoreUtils qw(none any);
+use List::MoreUtils qw(any);
use Lintian::Tags qw(tag);
use Lintian::Check qw(check_maintainer);
@@ -31,7 +31,6 @@ use Lintian::Data;
use Lintian::Util qw(get_file_checksum);
my $KNOWN_DISTS = Lintian::Data->new('changes-file/known-dists');
-my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');
sub run {
my (undef, undef, $info, undef, $group) = @_;
@@ -184,18 +183,6 @@ sub run {
check_maintainer($info->field('changed-by'), 'changed-by');
}
- my $has_signing_key = 0;
- my $src = $group->get_source_processable;
- if ($src) {
- for my $key_name ($SIGNING_KEY_FILENAMES->all) {
- my $path = $src->info->index_resolved_path("debian/$key_name");
- if ($path and $path->is_file) {
- $has_signing_key = 1;
- last;
- }
- }
- }
-
my $files = $info->files;
my $path = readlink($info->lab_data_path('changes'));
my %num_checksums;
@@ -203,16 +190,6 @@ sub run {
foreach my $file (keys %$files) {
my $file_info = $files->{$file};
- # Ensure all orig tarballs have a signature if we have an upstream
- # signature.
- if ( $has_signing_key
- && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./
- && $file !~ m/\.asc$/
- && !$info->repacked) {
- tag 'orig-tarball-missing-upstream-signature', $file
- if none { exists $files->{"$_.asc"} } ($file, $1);
- }
-
# check section
if ( ($file_info->{section} eq 'non-free')
or ($file_info->{section} eq 'contrib')) {
diff --git a/checks/control-file.desc b/checks/control-file.desc
index a50349d88..7a28bd921 100644
--- a/checks/control-file.desc
+++ b/checks/control-file.desc
@@ -418,3 +418,23 @@ Info: For licensing reasons packages from the non-free section are not
license) add <tt>XS-Autobuild: yes</tt> into the header part of
debian/control and get the package added to the "autobuild" whitelist.
Ref: devref 5.10.5
+
+Tag: orig-tarball-missing-upstream-signature
+Severity: normal
+Certainty: certain
+Info: The packaging includes an upstream signing key but the corresponding
+ <tt>.asc</tt> signature for one or more source tarballs are not included
+ in your .changes file.
+ .
+ Please ensure a
+ <tt><package>_<version>.orig.tar.<ext>.asc</tt> file
+ exists in the same directory as your
+ <tt><package>_<version>.orig.tar.<ext></tt> tarball prior
+ to <tt>dpkg-source --build</tt> being called.
+ .
+ If you are repackaging your source tarballs for Debian Free Software
+ Guidelines compliance reasons, ensure that your package version includes
+ <tt>dfsg</tt> or similar.
+ .
+ Support for signatures was added to <tt>pristine-tar</tt> in version 1.41
+ and support in <tt>git-buildpackage</tt> is being tracked in #872864.
diff --git a/checks/control-file.pm b/checks/control-file.pm
index 6cf25ff79..48e1dfe5a 100644
--- a/checks/control-file.pm
+++ b/checks/control-file.pm
@@ -24,7 +24,7 @@ use warnings;
use autodie;
use List::MoreUtils qw(any);
-use List::Util qw(first);
+use List::Util qw(first none);
use Lintian::Data ();
use Lintian::Relation ();
@@ -46,6 +46,8 @@ my $KNOWN_DBG_PACKAGE = Lintian::Data->new(
return qr/$_[0]/xms;
});
+my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');
+
sub run {
my ($pkg, undef, $info, undef, $group) = @_;
my $debian_dir = $info->index_resolved_path('debian/');
@@ -459,6 +461,27 @@ sub run {
and $info->is_non_free
and $info->source_field('xs-autobuild', 'no') eq 'no';
+ # Ensure all orig tarballs have a signature if we have an upstream
+ # signature.
+ my $files = $info->files;
+ my $has_signing_key = 0;
+ for my $key_name ($SIGNING_KEY_FILENAMES->all) {
+ my $path = $info->index_resolved_path("debian/$key_name");
+ if ($path and $path->is_file) {
+ $has_signing_key = 1;
+ last;
+ }
+ }
+ foreach my $file (keys %$files) {
+ if ( $has_signing_key
+ && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./
+ && $file !~ m/\.asc$/
+ && !$info->repacked) {
+ tag 'orig-tarball-missing-upstream-signature', $file
+ if none { exists $files->{"$_.asc"} } ($file, $1);
+ }
+ }
+
return;
}
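Review bot: The tag condition reuses `$1` from the `m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./` match only after two further expressions (`$file !~ m/\.asc$/` and the `$info->repacked` method call) have run; a method call between the capture and its use is fragile, so capture the base name into a lexical at the point of matching. `$has_signing_key` and `$info->repacked` do not change per iteration yet are re-evaluated for every key of `$files`; guarding the loop once with `if ($has_signing_key and not $info->repacked)` states the intent directly and avoids walking the file list when it cannot tag anything. Whether the `Files` field of a `.dsc` actually lists the `.asc` entries next to the tarballs, which `exists $files->{"$_.asc"}` now depends on, I cannot confirm from this hunk; it is one thing worth checking against the failing tests mentioned in the cover mail. `run` starts outside the hunk.
```perl
    # Ensure all orig tarballs have a signature if we have an upstream
    # signature.
    # … unchanged: $has_signing_key detection …
    if ($has_signing_key and not $info->repacked) {
        my $files = $info->files;
        for my $file (keys %$files) {
            next if $file =~ m/\.asc$/;
            my ($base) = $file =~ m/^(.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./
              or next;
            tag 'orig-tarball-missing-upstream-signature', $file
              if none { exists $files->{"$_.asc"} } ($file, $base);
        }
    }
```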
diff --git a/lib/Lintian/Collect/Source.pm b/lib/Lintian/Collect/Source.pm
index e0a1c6fe4..6bf2736f9 100644
--- a/lib/Lintian/Collect/Source.pm
+++ b/lib/Lintian/Collect/Source.pm
@@ -30,7 +30,7 @@ use Lintian::Relation;
use Parse::DebianChangelog;
use Lintian::Util
- qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX);
+ qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX strip);
=head1 NAME
@@ -187,6 +187,89 @@ sub native {
return $self->{native};
}
+=item files
+
+Returns a reference to a hash containing information about files listed
+in the .changes file. Each hash may have the following keys:
+
+=over 4
+
+=item name
+
+Name of the file.
+
+=item size
+
+The size of the file in bytes.
+
+=item checksums
+
+A hash with the keys being checksum algorithms and the values themselves being
+hashes containing
+
+=over 4
+
+=item sum
+
+The result of applying the given algorithm to the file.
+
+=item filesize
+
+The size of the file as given in the .changes section relating to the given
+checksum.
+
+=back
+
+=back
+
+Needs-Info requirements for using I<files>: L<Lintian::Collect/field ([FIELD[, DEFAULT]])>
+
+=cut
+
+sub files {
+ my ($self) = @_;
+
+ return $self->{files} if exists $self->{files};
+
+ my %files;
+
+ my $file_list = $self->field('files') || '';
+ local $_;
+ for (split /\n/, $file_list) {
+ strip;
+ next if $_ eq '';
+
+ my ($md5sum,$size,$file) = split(/\s+/o, $_);
+ next if $file =~ m,/,;
+
+ $files{$file}{checksums}{md5} = {
+ 'sum' => $md5sum,
+ 'filesize' => $size,
+ };
+ $files{$file}{name} = $file;
+ $files{$file}{size} = $size;
+ }
+
+ foreach my $alg (qw(sha1 sha256)) {
+ my $list = $self->field("checksums-$alg") || '';
+ for (split /\n/, $list) {
+ strip;
+ next if $_ eq '';
+
+ my ($checksum, $size, $file) = split(/\s+/o, $_);
+ next if $file =~ m,/,;
+
+ $files{$file}{checksums}{$alg} = {
+ 'sum' => $checksum,
+ 'filesize' => $size
+ };
+ }
+ }
+
+ $self->{files} = \%files;
+ return $self->{files};
+}
+
=item repacked
Returns true if the source package has been "repacked" and false otherwise.
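Review bot: The POD for `files` says the entries are "listed in the .changes file", but this method is in Lintian::Collect::Source and reads the `Files` and `Checksums-*` fields via `$self->field`, i.e. the `.dsc`; the description appears copied from the `.changes` collector and should read `Returns a reference to a hash containing information about files listed in the Files and Checksums-* fields of the .dsc file.` The parser also assumes three whitespace-separated tokens per line: on a short line `$file` is undef and `$file =~ m,/,` warns under `use warnings`, so add `next unless defined $file;` after each `split`. The `/o` on `split(/\s+/o, $_)` has no effect on a constant pattern and can be dropped, and `for my $line (...)` would avoid the `local $_` dance. Entries created only from a `Checksums-*` line (a file absent from `Files`) end up with `checksums` but no `name`/`size`; I cannot tell from the hunk whether callers expect that.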
--
2.20.1