
Bug#996270: false positive custom-library-search-path



Control: tags -1 - pending

Hi,

On Tue, Oct 19, 2021 at 4:57 AM Yves-Alexis Perez <corsac@debian.org> wrote:
>
> E: charon-cmd: custom-library-search-path usr/sbin/charon-cmd RUNPATH
> usr/lib/ipsec/

The relevant portion of the old binaries check may not have run for
your package previously. We replaced this code, which was part of a
large check:

-    # rpath is disallowed, except in private directories
-    if (exists $objdump->{RPATH} || exists $objdump->{RUNPATH}) {
-
-        my @rpaths
-          = (keys %{$objdump->{RPATH}}, keys %{$objdump->{RUNPATH}});
-
-        for my $rpath (map {File::Spec->canonpath($_)}@rpaths) {
-
-            my $installable_name = $self->processable->name;
-            my $source_name = $self->processable->source_name;
-
-            my $madir = $self->DEB_HOST_MULTIARCH->{$architecture};
-            return
-              unless length $madir;
-
-            return
-              if $rpath
-              =~
m{^/usr/lib/(?:$madir/)?(?:games/)?(?:\Q$installable_name\E|\Q$source_name\E)(?:/|\z)};
-
-            return
-              if $self->private_directories->{$rpath}
-              && $rpath !~ m{^(?:/usr)?/lib(?:/$madir)?/?\z};
-
-            return
-              if $rpath =~ m{^\$\{?ORIGIN\}?};
-
-            # GHC in Debian uses a scheme for RPATH. (#914873)
-            return
-              if $rpath =~ m{^/usr/lib/ghc/};
-
-            $self->hint('custom-library-search-path', $item, $rpath);
-        }
-    }
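Review bot: every exemption inside the `for my $rpath` loop uses `return`, which leaves the enclosing sub on the first exempt path (or as soon as `$madir` is empty) instead of skipping only that path. A binary whose first entry is exempt and whose second is not never reaches `$self->hint` for the second entry. `next` was the keyword needed here. This is worth stating in the commit message, because it means the replacement can emit hints for paths that this code silently passed over.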

with this self-contained file: [1]

+    for my $section (qw{RPATH RUNPATH}) {
+
+        my @rpaths = keys %{$objdump->{$section} // {}};
+
+        my @no_origin = grep { !m{^ \$ \{? ORIGIN \}? }x } @rpaths;
+
+        my @canonical = map { File::Spec->canonpath($_) } @no_origin;
+
+        my @normalized;
+        for my $path (@canonical) {
+
+            $path =~ s{^/}{};
+            $path .= $SLASH
+              unless $path =~ m{/\z};
+
+            push(@normalized, $path);
+        }
+
+        my @custom;
+        for my $folder (@normalized) {
+
+            # for shipped folders, would have to disallow system locations
+            next
+              if any { $folder =~ m{^\Q$_\E} } @{$self->private_folders};
+
+            # GHC in Debian uses a scheme for RPATH (#914873)
+            next
+              if $folder =~ m{^usr/lib/ghc/};
+
+            push(@custom, $folder);
+        }
+
+        $self->hint('custom-library-search-path', $item, $section, $_)
+          for @custom;
+    }
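Review bot: the single exemption at `next if any { $folder =~ m{^\Q$_\E} } @{$self->private_folders};` now stands in for three separate conditions in the removed code, and two of them have no visible counterpart here: the `/usr/lib/(?:$madir/)?(?:games/)?` match on `$installable_name` or `$source_name`, and the `$rpath !~ m{^(?:/usr)?/lib(?:/$madir)?/?\z}` guard that kept system library directories from counting as private. The comment "would have to disallow system locations" mentions the second point, but no code follows it. Please either restore those conditions explicitly or document what `private_folders` contains so the equivalence can be checked. The match is also an unanchored-at-the-end prefix match, so unless every entry of `private_folders` ends in a slash, an entry such as `usr/lib/foo` would also exempt `usr/lib/foobar/`.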

I believe we only disabled the use of /usr/lib/${installable_name} in
favor of /usr/lib/${source_name}. (I think I was unable to find
packages using that exemption.) Is your package affected by that
change?

The commit [2] reduced the nesting depth and the complexity of the
conditionals. It is therefore possible that the relevant portion of
the check did not previously run for your package.

Kind regards
Felix Lechner

[1] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Check/Binaries/Rpath.pm
[2] https://salsa.debian.org/lintian/lintian/-/commit/7a389940a560f556d0e240481f00302499a1fc66

