Acknowledgement sent
to Dmitry Bogatov <KAction@debian.org>:
New Bug report received and forwarded. Copy sent to KAction@debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>.
(Sun, 09 Dec 2018 13:03:04 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: Please check for references to build directory
Date: Sun, 09 Dec 2018 13:00:35 +0000
Package: lintian
Version: 2.5.116
Severity: wishlist
Dear Maintainer,
please add a check that files in binary packages do not refer to the build
directory. See (#915511) for example.
I believe the following strings should raise a warning:
    /build/{name}
    /build/{name}-{version}
    $PWD
Added tag(s) moreinfo.
Request was from Chris Lamb <lamby@debian.org>
to control@bugs.debian.org.
(Sun, 09 Dec 2018 21:51:05 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Sun, 09 Dec 2018 22:09:02 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Sun, 09 Dec 2018 22:09:02 GMT).
To: Dmitry Bogatov <KAction@debian.org>, 916021@bugs.debian.org
Cc: rb-general@lists.reproducible-builds.org
Subject: Re: Bug#916021: lintian: Please check for references to build directory
Date: Sun, 09 Dec 2018 23:07:39 +0100
tags 916021 + moreinfo
thanks
[Adding rb-general@lists.reproducible-builds.org to CC]
> please add a check that files in binary packages do not refer to the build
> directory. See (#915511) for example.
This seems like it would have quite the overlap with reproducible
builds in that we are essentially checking for this already there.
Also related is the fairly new "uses-dpkg-database-directly" tag that
essentially looks for instances of "/var/lib/dpkg":
https://lintian.debian.org/tags/uses-dpkg-database-directly.html
> I believe the following strings should raise a warning:
>
> /build/{name}
> /build/{name}-{version}
Unfortunately, these are surely buildd-specific and, for example,
would not catch problems on my local setup (/tmp/buildd as it
happens…).
I think a somewhat more reliable approach would be called for here.
Suggestions welcome.
> $PWD
Do you mean the literal string "$PWD"? If so, there is surely nothing
errant with a script in /usr/bin along the lines of:
    #!/bin/sh
    echo "$PWD"
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Mon, 10 Dec 2018 20:15:07 GMT).
Acknowledgement sent
to Dmitry Bogatov <KAction@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Mon, 10 Dec 2018 20:15:07 GMT).
Subject: Re: Bug#916021: lintian: Please check for references to build directory
Date: Mon, 10 Dec 2018 19:49:54 +0000
[2018-12-09 22:46] Chris Lamb <lamby@debian.org>
> [Adding rb-general@lists.reproducible-builds.org to CC]
>
> > please add a check that files in binary packages do not refer to the build
> > directory. See (#915511) for example. ($PWD)
>
> Do you mean the literal string "$PWD"?
No, I meant another thing.
I believe, most of us keep repositories of git packages somewhere under
~/. For example, for me, ucspi-tcp package is located at
/home/iu/devel/salsa/ucspi-tcp.
So my workflow is the following:
    $ cd /home/iu/devel/salsa/ucspi-tcp
    $ dpkg-buildpackage -us -uc
    $ lintian
And here lintian could check that the generated binary packages do not
contain references to /home/iu/devel/salsa/ucspi-tcp.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Tue, 11 Dec 2018 07:33:04 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Tue, 11 Dec 2018 07:33:04 GMT).
To: Dmitry Bogatov <KAction@debian.org>, 916021@bugs.debian.org
Subject: Re: Bug#916021: lintian: Please check for references to build directory
Date: Tue, 11 Dec 2018 08:26:51 +0100
Hi Dmitry,
> $ cd /home/iu/devel/salsa/ucspi-tcp
> $ dpkg-buildpackage -us -uc
> $ lintian
>
> And here lintian could check that the generated binary packages do not
> contain references to /home/iu/devel/salsa/ucspi-tcp.
Alas, I don't think the output of Lintian should ever change depending
on what directory you run it from!
Not only would this be highly misleading as a user-interface it would
also have false positives if you ran it on a previously built package
or — just being silly for a second — from "/".
However, we could trust the "Build-Path" field in a .buildinfo if it
exists? Would that work for you? I assume yours contains:
Build-Path: /home/iu/devel/salsa/ucscpi-tcp"?
(You may need to pass --buildinfo-option=--always-include-path to
dpkg-buildpackage.)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Tue, 11 Dec 2018 09:06:10 GMT).
Acknowledgement sent
to Daniel Shahaf <danielsh@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Tue, 11 Dec 2018 09:06:10 GMT).
Subject: Re: [rb-general] Bug#916021: lintian: Please check for references to build directory
Date: Tue, 11 Dec 2018 09:04:06 +0000
[fixing bug's address in Cc]
Dmitry Bogatov wrote on Mon, 10 Dec 2018 19:49 +0000:
> I believe, most of us keep repositories of git packages somewhere under
> ~/. For example, for me, ucspi-tcp package is located at
> /home/iu/devel/salsa/ucspi-tcp.
>
> So my workflow is the following:
>
> $ cd /home/iu/devel/salsa/ucspi-tcp
> $ dpkg-buildpackage -us -uc
> $ lintian
>
> And here lintian could check that the generated binary packages do not
> contain references to /home/iu/devel/salsa/ucspi-tcp.
So what's the rule? Lintian should check that the current working
directory lintian runs from doesn't appear in the build output?
This will false positive if lintian is run from the root directory, and
is also going to make lintian's own output dependent on the phase of the
moon, in that
.
% lintian ../build-outputs/foo.deb
.
and
.
% cd ../build-outputs
% lintian foo.deb
.
would produce different outputs. I would say that's undesirable.
(This isn't a made-up example; 'pdebuild -- --buildresult=../build-outputs/'
— that's a verbatim dot-dot meaning the parent directory, not an
ellipsis — is part of my regular workflow.)
However, the buildinfo file already includes the build directory
in the Build-Path header. Would it be sensible for Lintian to check
that the value of the buildinfo "Build-Path" header doesn't appear in
the .deb's?
Cheers,
Daniel
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Wed, 12 Dec 2018 19:42:07 GMT).
Acknowledgement sent
to Dmitry Bogatov <KAction@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Wed, 12 Dec 2018 19:42:08 GMT).
Subject: Re: Bug#916021: lintian: Please check for references to build directory
Date: Wed, 12 Dec 2018 19:39:44 +0000
[2018-12-11 08:26] Chris Lamb <lamby@debian.org>
> [...]
> However, we could trust the "Build-Path" field in a .buildinfo if it
> exists? Would that work for you? I assume yours contains:
>
> Build-Path: /home/iu/devel/salsa/ucscpi-tcp"?
>
> (You may need to pass --buildinfo-option=--always-include-path to
> dpkg-buildpackage.)
Sounds reasonable. I like it.
Message sent on
to Dmitry Bogatov <KAction@debian.org>:
Bug#916021.
(Thu, 13 Dec 2018 15:09:02 GMT).
Control: tag -1 pending
Hello,
Bug #916021 in lintian reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/lintian/lintian/commit/4aaab6b1c5dd2f4e6da498d15713180e4aa68c76
------------------------------------------------------------------------
Check files for references to the build path if specified in a .buildinfo. (Closes: #916021)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/916021
Added tag(s) pending.
Request was from Chris Lamb <lamby@debian.org>
to 916021-submitter@bugs.debian.org.
(Thu, 13 Dec 2018 15:09:02 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Thu, 13 Dec 2018 15:18:03 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Thu, 13 Dec 2018 15:18:03 GMT).
Source: lintian
Source-Version: 2.5.117
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 916021@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 14 Dec 2018 17:56:27 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.117
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
lintian - Debian package checker
Closes: 916021 916023 916087 916207
Changes:
lintian (2.5.117) unstable; urgency=medium
.
* Summary of tag changes:
+ Added:
- file-references-package-build-path
.
* checks/files.pm:
+ [CL] Don't emit uses-dpkg-database-directly for d-i components; they
likely know what they are doing with no alternatives.
+ [CL] Use the output from file(1) when determining whether to emit
the package-contains-no-arch-dependent-files tag to catch packages
that ship (for example) just a Python script under /usr/bin in an
architecture-dependent package. This reverts 6f4bd2fee2 in order to
distinguish between "data" and such scripts. Thanks to Dmitry
Bogatov for investigating. (Closes: #916023)
+ [CL] Refactor, tidy and optimise various checks for the contents of
files.
+ [CL] Check files for references to the build path if specified in a
.buildinfo. (Closes: #916021)
* checks/shared-libs.desc:
+ [CL] Clarify that symbols-file-missing-build-depends-package-field is
emitted per-package in its long description, not based on a file.
* checks/systemd.pm:
+ [CL] Don't emit systemd-service-file-missing-hardening-features for
Type=oneshot "services" such as mdadm(8).
* checks/watch-file.desc:
+ [CL] Correct grammar of the debian-watch-does-not-check-gpg-signature
tag description.
+ [CL] Mark debian-watch-does-not-check-gpg-signature as "experimental"
as it is not actionable in the vast majority of cases and is in
danger of diluting the output of Lintian. (Closes: #916207)
.
* data/spelling/corrections:
+ [PW] Add a number of corrections.
.
* t/*:
+ [CL] Apply a patch series from Felix Lechner to use "skeletons" as
test templates, fixing a "exec failed: Text file busy" regression
when running tests by tag name. (Closes: #916087)
+ [CL] Apply a patch series from Felix Lechner to improve the
"onlyrun=" test selection feature. One can now select all tests
connected to particular Lintian check with "check:foo". (MR: !90)
+ [CL] Apply a patch set from Felix Lechner to sign test packages
when an upstream/private-key.asc is present. (MR: !93)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Sun, 16 Dec 2018 07:45:15 GMT).
Acknowledgement sent
to Dmitry Bogatov <KAction@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Sun, 16 Dec 2018 07:45:15 GMT).
Subject: Re: lintian: Please check for references to build directory
Date: Sun, 16 Dec 2018 07:41:30 +0000
[2018-12-13 16:14] Chris Lamb <lamby@debian.org>
> Fixed in Git, pending upload:
>
> https://salsa.debian.org/lintian/lintian/commit/4aaab6b1c5dd2f4e6da498d15713180e4aa68c76
Severity: wishlist
Certainty: possible
What about excluding some trivial build paths, like "/" or "/build", which
are too short to be useful, and raising both Certainty=certain
and Severity=Error?
PS. Any chance to configure your fine gitlab auto-notifier to send
not only diffstat, but whole diff too?
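The check this thread converges on, as an added example that is not part of any message above and is not lintian's own code: read Build-Path from a .buildinfo, ignore it when it is one of the trivial paths named above, and search the files of an unpacked binary package for it. The function names, the sample .buildinfo and the two sample files are constructed for this example; treating exactly "/" and "/build" as trivial is an assumption.

```python
import posixpath
import re
import tempfile
from pathlib import Path

# Constructed sample .buildinfo; only the Build-Path field is used.
SAMPLE_BUILDINFO = "Format: 1.0\nSource: ucspi-tcp\nBuild-Path: /home/iu/devel/salsa/ucspi-tcp\n"
# Assumption: exactly the "too short to be useful" paths named in the thread.
TRIVIAL_BUILD_PATHS = {"/", "/build"}


def build_path_from_buildinfo(text):
    """Return the normalised Build-Path, or None if absent or trivial."""
    # deb822 field names start in column 0 and are case-insensitive; the field is optional.
    match = re.search(r"^build-path:[ \t]*(\S.*?)[ \t]*$", text, re.I | re.M)
    if match is None:
        return None
    path = posixpath.normpath(match.group(1))
    return None if path in TRIVIAL_BUILD_PATHS else path


def find_build_path_references(root, build_path):
    """Return sorted (relative name, byte offset) pairs for files containing build_path."""
    needle = build_path.encode()
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # only regular files have contents to scan
        # Raw byte search: sees ELF strings and scripts, not compressed data (.gz).
        offset = path.read_bytes().find(needle)
        if offset != -1:
            hits.append((path.relative_to(root).as_posix(), offset))
    return sorted(hits)


def demo():
    """Scan a constructed stand-in for an unpacked binary package."""
    build_path = build_path_from_buildinfo(SAMPLE_BUILDINFO)
    files = {  # constructed contents
        "usr/bin/tcpserver": b"\x7fELF" + build_path.encode() + b"/tcpserver.c\0",
        "usr/share/doc/ucspi-tcp/README": b"No build-time paths here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_build_path_references(root, build_path)


if __name__ == "__main__":
    for name, offset in demo():
        print(f"file-references-package-build-path {name} (offset {offset})")
```

Because the result depends only on the .buildinfo and the package contents, it is the same whatever directory the scan is started from.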
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Wed, 19 Dec 2018 19:51:07 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Wed, 19 Dec 2018 19:51:07 GMT).
Subject: Re: lintian: Please check for references to build directory
Date: Wed, 19 Dec 2018 20:46:41 +0100
Hi Dmitry,
> PS. Any chance to configure your fine gitlab auto-notifier to send
> not only diffstat, but whole diff too?
I used to do this manually but it was a bit annoying and sometimes far
too long.
The new gitlab auto-notifier is not maintained by me, but the source
is indeed in Salsa if you wish to suggest improvements. :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Thu, 20 Dec 2018 18:06:13 GMT).
Acknowledgement sent
to Dmitry Bogatov <KAction@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Thu, 20 Dec 2018 18:06:13 GMT).
Subject: Re: lintian: Please check for references to build directory
Date: Thu, 20 Dec 2018 18:02:41 +0000
[2018-12-19 20:46] Chris Lamb <lamby@debian.org>
> Hi Dmitry,
>
> > PS. Any chance to configure your fine gitlab auto-notifier to send
> > not only diffstat, but whole diff too?
>
> I used to do this manually but it was a bit annoying and sometimes far
> too long.
>
> The new gitlab auto-notifier is not maintained by me, but the source
> is indeed in Salsa if you wish to suggest improvements. :)
Could you provide a link, please?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#916021; Package lintian.
(Thu, 20 Dec 2018 19:21:03 GMT).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>.
(Thu, 20 Dec 2018 19:21:03 GMT).
Subject: Re: lintian: Please check for references to build directory
Date: Thu, 20 Dec 2018 20:20:20 +0100
Dmitry,
> > The new gitlab auto-notifier is not maintained by me, but the source
> > is indeed in Salsa if you wish to suggest improvements.
>
> Could you provide a link, please?
https://salsa.debian.org/salsa/salsa-webhook
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 18 Jan 2019 07:26:27 GMT).