Bug#962927: lintian: detect when a package will be uploaded with a new maintainer but without any changes

2020-06-15 Thread Paul Wise
Package: lintian
Severity: wishlist

Recently I noticed a package enter Debian with a changelog something like 
below. The only other change to the package was in the Maintainer
field in debian/control. Rebuilds that only change the maintainer are a waste 
of buildd time, mirror sync bandwidth and snapshot.d.o disk space and should be 
discouraged. It would be nice if lintian could detect these sorts of uploads and 
have them rejected. Probably the check should work by matching the latest 
Debian changelog entry against the template below, allowing for inclusion or 
not of the bug closing and allowing for varying source package name, version, 
suite (unstable & experimental), uploader and date.

something (1.2.3-4) unstable; urgency=medium

  * New maintainer. (Closes: #123456)

 -- Some One   Sat, 16 Jun 2020 11:51:11 +0800

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
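
The changelog match proposed in Bug#962927 above, sketched as an added example (Python, not Lintian's own Perl code and not part of the original message). The regexes, function names and the placeholder e-mail address in the sample are assumptions.

```python
import re

# "package (version) suite; urgency=..." header of a debian/changelog entry.
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \([^)\s]+\) (?P<suites>[^;]+);")
# " -- Name <email>  date" trailer that closes the entry.
TRAILER = re.compile(r"^ -- .+ <[^>]*>  \S")
# The template's single bullet; the bug closure is optional.
ONLY_CHANGE = re.compile(
    r"^\* new maintainer\.?(?: \(closes: #\d+(?:, #\d+)*\))?$", re.IGNORECASE)

# Constructed sample (address is a placeholder), modelled on the template above.
SAMPLE = """\
something (1.2.3-4) unstable; urgency=medium

  * New maintainer. (Closes: #123456)

 -- Some One <someone@example.org>  Sat, 16 Jun 2020 11:51:11 +0800
"""


def latest_entry(changelog):
    """Return (suites, bullet items) of the newest entry, or None if malformed."""
    lines = changelog.splitlines()
    start = next((i for i, l in enumerate(lines) if HEADER.match(l)), None)
    if start is None:
        return None
    items = []
    for line in lines[start + 1:]:
        if TRAILER.match(line):
            return HEADER.match(lines[start])["suites"].split(), items
        text = line.strip()
        if not text:
            continue
        if text.startswith("* ") or not items:
            items.append(text)           # new bullet (or stray leading text)
        else:
            items[-1] += " " + text      # continuation of a wrapped bullet
    return None                          # no trailer: truncated entry


def is_maintainer_only_upload(changelog):
    """True when the newest entry holds nothing but the 'New maintainer' bullet."""
    entry = latest_entry(changelog)
    if entry is None:
        return False
    suites, items = entry
    return (suites in (["unstable"], ["experimental"])
            and len(items) == 1 and bool(ONLY_CHANGE.match(items[0])))
```

A match only shows that the changelog claims nothing else; comparing the rest of the source against the previous upload is outside this sketch.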




Bug#953554: Please permit Debian revisions with 1.0 native packages [and 1 more messages]

2020-06-15 Thread Felix Lechner
Hi Sean,

On Mon, Jun 15, 2020 at 5:18 PM Sean Whitton  wrote:
>
> As
> discussion is ongoing in the context of Lintian, that seems premature,
> however.

The Lintian discussion was merged into a bug Guillem had filed to
further enshrine the division between native and non-native packages.
Bug#944155 was about reminding maintainers to use a hyphen, or not.

Based on your note, however, Lintian will stop warning about such
version mismatches. Perhaps it will gradually pave the way for a
constructive policy debate. Thanks!

> So I think we can close the clone of this bug against Policy for now.

Totally agree, for now.

Kind regards
Felix Lechner



Bug#953554: Please permit Debian revisions with 1.0 native packages [and 1 more messages]

2020-06-15 Thread Sean Whitton
Hello,

On Wed 11 Mar 2020 at 12:30PM GMT, Ian Jackson wrote:

> Felix Lechner writes ("Re: Bug#953554: Please permit Debian revisions with 
> 1.0 native packages [and 1 more messages]"):
>> On Wed, Mar 11, 2020 at 4:58 AM Ian Jackson
>>  wrote:
>> >
>> > It works today.  The only problem is the lintian warning.
>>
>> Doesn't policy stand in the way too?
> ...
>> Is it permitted now? Policy 3.2.1 states "hyphen (-) cannot be used in
>> native package versions."

I believe that the relevant sentence of Policy, added in policy.git
commit eee39aecef3a6a5f9927211b5c847e645e927cbd, was intended to be
informative, not normative.  It does not use one of the Policy normative
magic words, is not in the subsection in which it would be natural to
place such a restriction, and occurs in a "hey, don't forget that ..."
clause.

Thus the only Policy issue here could be the addition of an explicit
permission to use Debian revisions with 1.0 native packages.  As
discussion is ongoing in the context of Lintian, that seems premature,
however.

So I think we can close the clone of this bug against Policy for now.

-- 
Sean Whitton



Re: Reassigning multiple bugs for shell script analysis from Lintian

2020-06-15 Thread Paul Wise
On Mon, 2020-06-15 at 12:30 -0700, Felix Lechner wrote:

> Over the years, Lintian accumulated many requests for features better
> addressed by a shell script analyzer. If there are no objections, I
> plan to assign them a copy each to morbig and shellcheck.

Some caveats that make this not as feasible as you might think:

morbig is in OCaml and shellcheck is in Haskell, which means that there
are fewer people available to work on these tools.

It seems likely that some of the features requested are Debian-specific 
so shellcheck is unlikely to implement them.

It also seems unlikely shellcheck would add a bridge between Haskell
and Perl of the kind needed to implement custom checks.

I'm not sure of the development status of morbig, does it still have
funding, Ralf? It seems development has stopped since last year.

lintshell is just a prototype, it has very few checks.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




the safety of commands run by lintian

2020-06-15 Thread Paul Wise
Hi all,

I discussed the safety of `dash -n` and `bash -n` with Jakub Wilk.
These are used by lintian to check for bashisms. We concluded that it
was possibly unsafe to use the -n option with arbitrary scripts. TBH I
expect that other tools (such as binutils, see the thread below) run by
lintian are similarly unsafe and I wonder if the ftp-master profile
should be hardened such that it does not run any commands external to
lintian and its Perl library dependencies. The alternative might be for
ftp-master to run lintian on a VM or an external machine.

 I have a vague recollection that you mentioned that `sh -n` is
unsafe in some situations. today I learned that lintian uses that to
check for bashisms
<_jwilk> I have this vague recollection too. I don't remember the details ATM.
<_jwilk> I've found this in my IRC logs: 
https://lists.debian.org/87lfqriagj@mid.deneb.enyo.de
<_jwilk> I fuzzed "bash -n" and "dash -n" in the past and found memory safety 
bug in both.
<_jwilk> #878697 could probably be exploited for code execution.
<_jwilk> There's also #858288, but I don't think anyone combines -n with -c.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Processed: Re: Bug#909267: library-not-linked-against-libc: downgrade from error

2020-06-15 Thread Debian Bug Tracking System
Processing control commands:

> forcemerge 896012 909267
Bug #896012 [lintian] lintian: Remove tag library-not-linked-against-libc
Bug #909267 [lintian] library-not-linked-against-libc: downgrade from error
Severity set to 'normal' from 'wishlist'
Bug #896012 [lintian] lintian: Remove tag library-not-linked-against-libc
Added tag(s) moreinfo.
Merged 896012 909267

-- 
896012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896012
909267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#909267: library-not-linked-against-libc: downgrade from error

2020-06-15 Thread Felix Lechner
Control: forcemerge 896012 909267

Hi Russ,

> I wonder if we would get all of the utility out of the tag if instead it
> looked for shared libraries with no NEEDED metadata.  I think it's only
> catching libraries that aren't linked with anything else, so maybe just
> check for that explicitly?

That is a super creative suggestion! However, nothing may be wrong
with those libraries. We seem to ship quite a few [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896012#38

> My recollection is that Simon is correct and we added this tag to try to
> find shared libraries that weren't linked to any of their dependencies.

I don't believe Lintian can do something like that. As described in
the merged bug [2], I think we need a portfolio-wide dependency
tracker.

[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896012#31

This tag will be removed in the near future.

Kind regards
Felix Lechner



Processed: reassign 909267 to lintian

2020-06-15 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 909267 lintian
Bug #909267 [src:lintian] library-not-linked-against-libc: downgrade from error
Bug reassigned from package 'src:lintian' to 'lintian'.
No longer marked as found in versions lintian/2.5.103.
Ignoring request to alter fixed versions of bug #909267 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
909267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Reassigning multiple bugs for shell script analysis from Lintian

2020-06-15 Thread Felix Lechner
Hi,

Over the years, Lintian accumulated many requests for features better
addressed by a shell script analyzer. If there are no objections, I
plan to assign them a copy each to morbig and shellcheck.

Many of the bugs are blocked by Bug#629247, so that's a good place to
start. Lintian will only keep the master bug. It is entitled: "Please
use a decent shell script parser." We look forward to enhancing our
user experience with your programs.

Please let us know your thoughts and make sure to copy Paul Wise. Thanks!

Kind regards
Felix Lechner



Processed: Bug#243158 marked as pending in lintian

2020-06-15 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #243158 [lintian] lintian: Warn if the target of a symlink in /usr/lib is 
not in subdir
Added tag(s) pending.

-- 
243158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=243158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems




Processed: Bug#954459 marked as pending in lintian

2020-06-15 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #954459 [lintian] lintian: not finding bashims in maintainer scripts when 
/bin/sh is /bin/bash
Added tag(s) pending.

-- 
954459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954459
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 954459 to lintian: not finding bashims in maintainer scripts when /bin/sh is /bin/bash

2020-06-15 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 954459 lintian: not finding bashims in maintainer scripts when 
> /bin/sh is /bin/bash
Bug #954459 [lintian] lintian: maintainer-shell-script-fails-syntax-check 
requires /bin/sh → !/bin/bash?
Changed Bug title to 'lintian: not finding bashims in maintainer scripts when 
/bin/sh is /bin/bash' from 'lintian: maintainer-shell-script-fails-syntax-check 
requires /bin/sh → !/bin/bash?'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
954459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954459
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems