
Bug#471537: marked as done (lintian: Please check for repackaged .orig.tar.gz)



Your message dated Thu, 19 Dec 2019 16:04:43 +0000
with message-id <E1ihyI7-000CO3-Qx@fasolo.debian.org>
and subject line Bug#471537: fixed in lintian 2.42.0
has caused the Debian Bug report #471537,
regarding lintian: Please check for repackaged .orig.tar.gz
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
471537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471537
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: lintian
severity: wishlist

It would be nice if lintian could warn against repackaged .orig.tar.gz,
and sources repackaged in non-recommended ways.

Attached is some patch that at least seems to be able to detect dh_make's
--createorig usage properly. As both my English language skills and my Perl
skills could be better, I'm not setting the patch tag.

Respectfully,
	Bernhard R. Link
Index: checks/upstreamtar.desc
===================================================================
--- checks/upstreamtar.desc	(Revision 0)
+++ checks/upstreamtar.desc	(Revision 0)
@@ -0,0 +1,52 @@
+Check-Script: upstreamtar
+Author: Bernhard R. Link <brlink@debian.org>
+Type: source
+Unpack-Level: 2
+Info: This checks for a unadvertised upstream tar.
+Needs-Info: tarfilelist, debfiles, copyright-file
+Abbrev: tar
+
+Tag: repackaged-source-not-advertised
+Type: warning
+Info: The .orig.tar.gz file looks repackaged, but there was found not hint
+ about this in debian/copyright.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ If you repackaged the upstream source on purpose, please inform the
+ users in debian/copyright how and why. (This test looks for the phrase
+ "repackaged" there).
+ .
+ Legitimate reasons for repackaging are: Upstream not releasing a .tar
+ file; upstream's tarball contains non-DFSG-free material or upstream's
+ tarball is huge compared to the used parts.
+ .
+ You do not need to repackage only because upstream's tarball has the
+ no top-level directory (dpkg-source can handle that) or only bacause
+ upstream's tarball uses a different compression algorithm (you can
+ just uncompress and gzip without touching the tarball).
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+ .
+ Note that an .orig.tar.gz already in the archive cannot be changed,
+ so the best way to deal with this when this is not the first upload
+ of this upstream version is to note in debian/copyright that it
+ was repackaged by mistake and that the contents are the same (or how
+ they differ).
+
+Tag: repackaged-source-without-get-orig-source
+Type: info
+Info: The .orig.tar.gz file looks repackaged, but there is no
+ get-orig-source target in debian/rules.
+ .
+ Repackaged upstream sources are sometimes created on accident when using
+ an old version of dh_make or using dh_make's --createorig without need.
+ .
+ For futher reference see "Best practices for orig.tar.gz files" in the
+ developers' reference.
+
+Tag: empty-upstream-source
+Type: error
+Info: The .orig.tar.gz file is empty.
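Review bot: several typos in the tag descriptions of this hunk: `Info: This checks for a unadvertised upstream tar.` should read `an unadvertised`; `there was found not hint about this in debian/copyright` should be `no hint about this was found in debian/copyright`; `futher` (twice) should be `further`; `bacause` should be `because`; and `has the no top-level directory` should drop `the`. Since these descriptions are shown verbatim to maintainers by lintian-info, they are worth fixing before the check is merged.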
Index: checks/upstreamtar
===================================================================
--- checks/upstreamtar	(Revision 0)
+++ checks/upstreamtar	(Revision 0)
@@ -0,0 +1,141 @@
+# upstreamtar -- lintian check script -*- perl -*-
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::upstreamtar;
+use strict;
+
+use Dep;
+use Tags;
+use Util;
+
+use Cwd;
+use File::Find;
+use File::Basename;
+
+my $pkg;
+
+sub run {
+
+	$pkg = shift;
+	my $type = shift;
+
+	open (VERSION, '<', "fields/version")
+		or fail("cannot open fields/version: $!");
+	chomp(my $version = <VERSION>);
+	close VERSION;
+
+	(@_ = _valid_version($version)) or exit 0;
+	my ($epoch, $upstream, $debian) = @_;
+
+	unless (defined $debian) {return 1};
+
+# TODO: try to extract guess upstream version to see if anything
+# like ds dfsg was added and warn if .orig.tar does not contain a
+# package.orig directory then later.
+
+	my $repackaged = check_repackaged($pkg, $upstream);
+
+	unless( defined($repackaged) ) {
+		return 1;
+	}
+
+# check contents of copyright file
+
+	if ($repackaged && read_copyright_file() !~ m,repackaged,) {
+		tag "repackaged-source-not-advertised";
+	}
+
+	if (-l "debfiles/rules") {
+		return 1 unless -f "debfiles/rules";
+	}
+
+	my $has_get_orig_source = check_get_orig_source();
+
+	if ($repackaged && !$has_get_orig_source ) {
+		tag "repackaged-source-without-get-orig-source";
+	}
+
+	return 1;
+} # </run>
+
+# -----------------------------------
+
+sub read_copyright_file {
+	open(IN, '<', "debfiles/copyright") or fail("cannot open copyright file copyright: $!");
+# gulp whole file
+	local $/ = undef;
+	$_ = <IN>;
+	close(IN);
+	return $_;
+}
+
+sub check_get_orig_source {
+	open(IN, '<', 'debfiles/rules') or fail("Failed opening rules: $!");
+	while( <IN> ) {
+		if (/^get-orig-source:/) {
+			return 1;
+		}
+		# Assume get-orig-source is in some included file, if it is
+		# marked as phony
+		if (/^.PHONY: .* get-orig-source\b/) {
+			return 1;
+		}
+	}
+	close(IN);
+	return 0;
+}
+
+# Check if the .orig.tar.gz contaisn 
+sub check_repackaged {
+	my ($pkg, $upstream) = @_;
+	my $repackaged = undef;
+
+	open(LIST, '<', "tarfilelist") or return undef;
+	local $_;
+	while (<LIST>) {
+		s,^\./,,;
+		next if /^$/;
+		if ($_ =~ m(^$pkg[^/]*\.orig/)) {
+			$repackaged = 1;
+		} else {
+			$repackaged = 0;
+		}
+		last;
+	}
+	close(LIST) or fail("error reading tarfilelist file: $!");
+	unless (defined($repackaged)) {
+		tag "empty-upstream-source";
+	}
+	return $repackaged;
+}
+
+sub _valid_version {
+	my $ver = shift;
+
+# epoch check means nothing here... This check is only useful to detect
+# weird characters in version (and to get the debian revision)
+	if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+		return ($1, $2, $3);
+	} else {
+		return ();
+	}
+}
+
+
+1;
+# vim: syntax=perl sw=4 ts=4 noet shiftround
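Review bot: in check_repackaged the package name is interpolated unescaped into `m(^$pkg[^/]*\.orig/)`, so `+` and `.` in a package name (both are legal, as in g++ or foo.bar) are read as regex syntax rather than literally; use `m(^\Q$pkg\E[^/]*\.orig/)`. Two further points in run: `(@_ = _valid_version($version)) or exit 0;` terminates the whole lintian process from inside a check script instead of returning from the check, and `read_copyright_file() !~ m,repackaged,` is case-sensitive, so a debian/copyright that starts a sentence with `Repackaged` still triggers repackaged-source-not-advertised; add the `/i` modifier. Minor: the comment `# Check if the .orig.tar.gz contaisn` is truncated and misspelled, and check_get_orig_source returns from inside the while loop without closing IN.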
Index: collection/tarfilelist
===================================================================
--- collection/tarfilelist	(Revision 0)
+++ collection/tarfilelist	(Revision 0)
@@ -0,0 +1,85 @@
+#!/usr/bin/perl -w
+# tarfilelist -- lintian collection script for source packages
+
+# Copyright (C) 2008 Bernhard R. Link
+# based on diffstat, which is:
+# Copyright (C) 1998 Richard Braakman
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+use strict;
+
+my $LINTIAN_ROOT = $ENV{'LINTIAN_ROOT'} || '/usr/share/lintian';
+
+($#ARGV == 1) or fail("syntax: tarfilelist <pkg>");
+my $pkg = shift;
+
+-f "fields/version" or fail("tarfilelist invoked in wrong directory");
+
+open (V, '<', "fields/version") or fail("cannot open fields/version: $!");
+my $ver = <V>; chomp $ver;
+close V;
+
+(@_ = _valid_version($ver)) or exit 0;
+my ($epoch, $upstream, $debian) = @_;
+unless (defined($debian)) {
+       exit 0
+}
+
+my $tar_file = "${pkg}_${upstream}.orig.tar.gz";
+unless (-f $tar_file ) {
+	$tar_file = "${pkg}_${upstream}.orig.tar.bz2";
+}
+unless (-f $tar_file ) {
+	$tar_file = "${pkg}_${upstream}.orig.tar.lzma";
+}
+unless (-f $tar_file) {
+	exit 0;
+}
+
+use lib "$ENV{'LINTIAN_ROOT'}/lib";
+use Pipeline;
+pipeline((sub { exec('tar', '-tf', $tar_file); }),
+         "tarfilelist"
+        );
+
+exit 0;
+
+# -----------------------------------
+
+sub fail {
+    if ($_[0]) {
+        print STDERR "internal error: $_[0]\n";
+    } elsif ($!) {
+        print STDERR "internal error: $!\n";
+    } else {
+        print STDERR "internal error.\n";
+    }
+    exit 1;
+}
+
+sub _valid_version {
+	my $ver = shift;
+
+	# epoch check means nothing here... This check is only useful to detect
+	# weird characters in version (and to get the debian revision)
+	if ($ver =~ m/^(\d+:)?([-\.+:~A-Z0-9]+?)(-[\.+~A-Z0-9]+)?$/i) {
+		return ($1, $2, $3);
+	} else {
+		return ();
+	}
+}
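Review bot: `use lib "$ENV{'LINTIAN_ROOT'}/lib";` is evaluated at compile time, so it ignores the `|| '/usr/share/lintian'` fallback that `$LINTIAN_ROOT` only receives at run time and adds a bare `/lib` to @INC when the environment variable is unset; set the fallback inside a BEGIN block before the `use lib`, and use that variable in it. Also the argument check `($#ARGV == 1)` requires exactly two arguments while the message reads `syntax: tarfilelist <pkg>`; the usage string should name both arguments that lintian passes (the script only reads the first). The `exit 0` paths for a missing tarball are fine, but consider writing an empty `tarfilelist` output in that case so the check can distinguish "no upstream tarball" from "collection did not run".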

Eigenschaftsänderungen: collection/tarfilelist
___________________________________________________________________
Name: svn:executable
   + *

Index: collection/tarfilelist.desc
===================================================================
--- collection/tarfilelist.desc	(Revision 0)
+++ collection/tarfilelist.desc	(Revision 0)
@@ -0,0 +1,7 @@
+Collector-Script: tarfilelist
+Author: Bernhard R. Link <brlink@debian.org>
+Info: Generate a list of files in the .orig.tar.gz
+Type: source
+Unpack-Level: 1
+Output: tarfilelist
+Order: 1
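Review bot: `Info: Generate a list of files in the .orig.tar.gz` understates what the collector does: the script also falls back to `.orig.tar.bz2` and `.orig.tar.lzma`, so the description should say the upstream tarball (or `.orig.tar.{gz,bz2,lzma}`) to match the script's behaviour and the tags' wording in upstreamtar.desc.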

--- End Message ---
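The attached patch decides "repackaged" from a single fact: the first entry in the listing of the upstream tarball is a top-level `<pkg>-<version>.orig/` directory, which is what dh_make's --createorig produces. The following is an added example, written for this page and not part of the bug report or of lintian, that implements the same heuristic in Python with the standard tarfile module. It goes slightly beyond the patch in two places that the review above raises: the package name is escaped before it is built into the regular expression, and the debian/copyright phrase check is case-insensitive. Function names are assumptions for this example; the tag strings are the ones the patch defines, and all tarballs are constructed in memory.

```python
import io
import re
import tarfile

# Added example, not lintian's code.  It re-implements the heuristic of the
# attached patch: only the first entry of the .orig tarball listing is
# examined, and a top-level "<pkg>-<version>.orig/" directory (what
# dh_make --createorig produces) marks the source as repackaged.  Function
# names are assumptions for this example; the tag strings are the patch's.


def list_tar_members(data):
    """List archive entries the way `tar -tf` prints them (directories end in '/').

    Mode "r:*" lets tarfile detect gzip/bzip2/xz compression, as GNU tar does.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name + "/" if m.isdir() else m.name for m in tf.getmembers()]


def classify_orig_tarball(pkg, names):
    """Return 'repackaged', 'plain', or None when the archive has no entries."""
    # re.escape keeps "+" and "." in package names (g++, foo.bar) literal;
    # the Perl patch interpolates $pkg into its regex unescaped.
    pattern = re.compile(r"^%s[^/]*\.orig/" % re.escape(pkg))
    for name in names:
        name = re.sub(r"^\./", "", name)   # the patch strips a leading "./"
        if name == "":
            continue                        # a bare "./" entry says nothing
        return "repackaged" if pattern.match(name) else "plain"
    return None


def copyright_advertises_repackaging(copyright_text):
    """The patch looks for the phrase "repackaged" in debian/copyright; matching
    case-insensitively also accepts it at the start of a sentence."""
    return re.search(r"repackaged", copyright_text, re.IGNORECASE) is not None


def orig_tarball_tags(pkg, tar_data, copyright_text):
    """Return the patch's tag names that would be emitted for this source."""
    verdict = classify_orig_tarball(pkg, list_tar_members(tar_data))
    if verdict is None:
        return ["empty-upstream-source"]
    tags = []
    if verdict == "repackaged" and not copyright_advertises_repackaging(copyright_text):
        tags.append("repackaged-source-not-advertised")
    return tags


def make_tarball(entries):
    """Build a gzip tarball in memory from (path, content) pairs; content None
    means a directory.  Constructed test data, not a real upstream release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in entries:
            info = tarfile.TarInfo(path)
            if content is None:
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tf.addfile(info)
            else:
                payload = content.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Laid out the way dh_make --createorig produces it (constructed data).
    repackaged = make_tarball([("foo-1.0.orig", None), ("foo-1.0.orig/README", "hello\n")])
    # An ordinary upstream release with its own top-level directory.
    pristine = make_tarball([("foo-1.0", None), ("foo-1.0/README", "hello\n")])
    for label, data in (("repackaged", repackaged), ("pristine", pristine), ("empty", make_tarball([]))):
        print(label, list_tar_members(data), orig_tarball_tags("foo", data, "Copyright 2008 Example"))
```

Like the patch, this only inspects the first listing entry, so a tarball that merely contains a stray `*.orig/` directory somewhere below the top level is not flagged; the `./` handling mirrors the `s,^\./,,` and `next if /^$/` lines in check_repackaged.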
--- Begin Message ---
Source: lintian
Source-Version: 2.42.0

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 471537@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Dec 2019 12:01:30 +0000
Source: lintian
Architecture: source
Version: 2.42.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 33486 471537 546525 635068 796352 892127 907727 929429 929434 929435 929436 946471 946763
Changes:
 lintian (2.42.0) unstable; urgency=medium
 .
   [ Felix Lechner ]
   * Add new checks to identify and notify about issues in upstream
     signatures. (Closes: #929429, #929434, #929435, #929436)
   * Do not consider manpages from related packages when looking for
     manpages without executables. (Closes: #946471)
   * Add a new check for unsafe mailcap entries. (Closes: #33486)
   * Add new Fortran checks to validate module versions and
     prerequisites. (Closes: #796352)
   * Add new checks for empty upstream sources and for when repackaged
     sources are not properly advertised as such. (Closes: #471537)
   * Drop the source-contains-empty-directory tag as it was mostly ignored.
     (Closes: #907727)
   * Remove the bogus service-key-has-whitespace tag. (Closes: #946763)
   * Check TrueType and OpenType fonts for licensing terms.
     (Closes: #635068)
   * Allow "boolean false" directory components in link targets.
     (Closes: #892127)
   * Add a new tag for consistent maintainer fields between changes and
     source processables. (Closes: #546525)
   * Add a new no-dh-sequencer tag to be issued when the debhelper(7) dh(1)
     sequencer is not used.
 .
   [ Guido Günther ]
   * Update the PureOS distribution names in the "vendor" configuration.
 .
   [ Louis-Philippe Véronneau ]
   * Ensure proper VCS location for Debian Python Module Team and Debian
     Python Application Team packages.
Checksums-Sha1:
 f1ed7ac12129ac517705352c3ba1f19864fbc8c9 4101 lintian_2.42.0.dsc
 cdf18f0edfc99dcea694a1ec3c5d9c29fa10f5fd 1863732 lintian_2.42.0.tar.xz
 b4f494cbe36c00ec6986974a80eaa7c06edfa173 17093 lintian_2.42.0_amd64.buildinfo
Checksums-Sha256:
 64cecdede23147d2ed64b8be4d26719c5864566b198a54db9e86b0a51a83ba42 4101 lintian_2.42.0.dsc
 a7d87722f7655f02f52e9dacbe89a9d06f3e627477e4b1909788b721da303542 1863732 lintian_2.42.0.tar.xz
 55c5d539128db032156848094b13c6150fa475f3fd88b2b8261e68fd28808924 17093 lintian_2.42.0_amd64.buildinfo
Files:
 3d59d95528554e9a600f327b119ce7c3 4101 devel optional lintian_2.42.0.dsc
 b83304938a0cfea28ec954c8291590c0 1863732 devel optional lintian_2.42.0.tar.xz
 028b77ccc1cc789d2659bdd0cde6f362 17093 devel optional lintian_2.42.0_amd64.buildinfo


--- End Message ---
