commit rpmlint for openSUSE:Factory
Hello community,
here is the log from the commit of package rpmlint for openSUSE:Factory
checked in at Fri Nov 5 16:07:57 CET 2010.
--------
--- rpmlint/rpmlint.changes 2010-10-29 10:01:34.000000000 +0200
+++ rpmlint/rpmlint.changes 2010-11-04 15:20:53.000000000 +0100
@@ -1,0 +2,18 @@
+Thu Nov 4 14:20:41 UTC 2010 - lnussel@suse.de
+
+- enable suse-hide-unstripped-outside-build.diff again
+
+-------------------------------------------------------------------
+Thu Nov 4 13:35:33 UTC 2010 - lnussel@suse.de
+
+- check for file system capabilities
+- check for %verifyscript and %run_permissions
+
+-------------------------------------------------------------------
+Wed Nov 3 10:48:30 CET 2010 - dmueller@suse.de
+
+- update to 1.0:
+ * add support for PEP 3147 when handling python bytecode
+ * various doc improvements
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
rpmlint-0.99.tar.bz2
New:
----
rpmlint-1.0.tar.bz2
rpmlint-fscaps.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rpmlint.spec ++++++
--- /var/tmp/diff_new_pack.DQML6R/_old 2010-11-05 16:04:24.000000000 +0100
+++ /var/tmp/diff_new_pack.DQML6R/_new 2010-11-05 16:04:24.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package rpmlint (Version 0.99)
+# spec file for package rpmlint (Version 1.0)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -22,8 +22,8 @@
Name: rpmlint
BuildRequires: rpm-python
Summary: Rpm correctness checker
-Version: 0.99
-Release: 5
+Version: 1.0
+Release: 1
Source0: %{name}-%{version}.tar.bz2
Source1: config
Source1001: config.in
@@ -117,6 +117,7 @@
Patch76: confusing-invalid-spec-name.patch
Patch77: rpmlint-pkg-quoting.diff
Patch78: suse-g-ir-chech.diff
+Patch79: rpmlint-fscaps.diff
%py_requires
%description
@@ -148,7 +149,7 @@
%patch13
%patch14
%patch17
-#%patch18
+%patch18
%patch19
%patch20
%patch22
@@ -190,6 +191,7 @@
%patch76 -p1
%patch77
%patch78
+%patch79 -p1
cp -p %{SOURCE1} .
cp -p %{SOURCE2} .
cp -p %{SOURCE3} .
++++++ CheckSUIDPermissions.py ++++++
--- /var/tmp/diff_new_pack.DQML6R/_old 2010-11-05 16:04:25.000000000 +0100
+++ /var/tmp/diff_new_pack.DQML6R/_new 2010-11-05 16:04:25.000000000 +0100
@@ -11,6 +11,7 @@
import re
import os
import string
+import rpm
_permissions_d_whitelist = (
"lprng",
@@ -37,15 +38,34 @@
self._parsefile(file)
def _parsefile(self,file):
+ lnr = 0
+ lastfn = None
for line in open(file):
+ lnr+=1
line = line.split('#')[0].split('\n')[0]
- if len(line):
- line = re.split(r'\s+', line)
+ line = line.lstrip()
+ if not len(line):
+ continue
+
+ if line.startswith("+capabilities "):
+ line = line[len("+capabilities "):]
+ if lastfn:
+ self.perms[lastfn]['fscaps'] = line
+ continue
+
+ line = re.split(r'\s+', line)
+ if len(line) == 3:
fn = line[0]
owner = line[1].replace('.', ':')
mode = line[2]
self.perms[fn] = { "owner" : owner, "mode" : int(mode,8)&07777}
+ # for permissions that don't change and therefore
+ # don't need special handling
+ if file == '/etc/permissions':
+ self.perms[fn]['static'] = True
+ else:
+ print >>sys.stderr, "invalid line %d " % lnr
def check(self, pkg):
global _permissions_d_whitelist
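Review bot: `lastfn` is initialised to `None` and tested in the `+capabilities` branch, but nothing in `_parsefile` ever assigns it, so `self.perms[lastfn]['fscaps'] = line` cannot run and every capabilities entry in a permissions file is dropped without a message. Adding `lastfn = fn` right after the `self.perms[fn] = {...}` assignment would attach the capabilities to the preceding path, and a `+capabilities` line with no preceding entry could then go to the same `invalid line` report. That report omits the file name and writes through `sys`, which is not among the imports visible in the first hunk of this file, so confirm `sys` is in scope. `_parsefile` is fully inside this hunk; `check()` starts at its end and continues outside it.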
@@ -78,10 +98,16 @@
else:
self._parsefile(f)
+ need_run_permissions = False
# second pass, find permissions violations
for f, pkgfile in files.items():
if f in pkg.ghostFiles():
continue
+
+ if pkgfile.filecaps:
+ printError(pkg, 'permissions-fscaps', '%(file)s has fscaps "%(caps)s"' % \
+ { 'file':f, 'caps':pkgfile.filecaps})
+
mode = pkgfile.mode
owner = pkgfile.user+':'+pkgfile.group
@@ -94,11 +120,14 @@
# S_IFIFO 001 FIFO
type = (mode>>12)&017;
mode &= 07777
+ need_verifyscript = False
if f in self.perms or (type == 04 and f+"/" in self.perms):
if type == 012:
printWarning(pkg, "permissions-symlink", f)
continue
+ need_verifyscript = True
+
m = 0
o = "invalid"
if type == 04:
@@ -124,6 +153,7 @@
printWarning(pkg, 'permissions-file-as-dir', f+' is a file but listed as directory')
if mode&06000:
+ need_verifyscript = True
msg = '%(file)s is packaged with setuid/setgid bits (0%(mode)o)' % { 'file':f, 'mode':mode }
if type != 04:
printError(pkg, 'permissions-file-setuid-bit', msg)
@@ -131,10 +161,29 @@
printWarning(pkg, 'permissions-directory-setuid-bit', msg)
if mode&02:
+ need_verifyscript = True
printError(pkg, 'permissions-world-writable', \
'%(file)s is packaged with world writable permissions (0%(mode)o)' % \
{ 'file':f, 'mode':mode })
+ if need_verifyscript and \
+ (not f in self.perms or not 'static' in self.perms[f]):
+ need_run_permissions = True
+ script = pkg[rpm.RPMTAG_VERIFYSCRIPT] or pkg[rpm.RPMTAG_VERIFYSCRIPTPROG]
+ if not script or not "chkstat -n -e %s"%f in script:
+ printError(pkg, 'permissions-missing-verifyscript', \
+ "missing %%verify_permissions -e %s" % f)
+
+ if need_run_permissions:
+ postin = pkg[rpm.RPMTAG_POSTIN] or pkg[rpm.RPMTAG_POSTINPROG]
+ if not postin or not "SuSEconfig --module permissions" in postin:
+ printError(pkg, 'permissions-missing-postin', \
+ "missing %run_permissions in %post")
+
+ if not 'permissions' in map(lambda x: x[0], pkg.prereq()):
+ printError(pkg, 'permissions-missing-requires', \
+ "missing 'permissions' in PreReq")
+
check=SUIDCheck()
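Review bot: The verifyscript test `"chkstat -n -e %s"%f in script` is a plain substring match, so a `chkstat -n -e` line for a longer path that merely starts with `f` also satisfies it, and the setuid or world-writable file passes without its own verify entry. Anchoring the end of the path closes that gap, e.g. `if not script or not re.search(r'chkstat -n -e %s(\s|$)' % re.escape(f), script):` (`re` is already imported in this file). Separately, the `static` lookup uses `self.perms[f]`, while directories are matched under `f+"/"` earlier in the loop, so a directory listed in /etc/permissions looks non-static here and will be asked for a verifyscript. The loop this code sits in begins outside the hunk.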
@@ -171,4 +220,15 @@
"""If the package is intended for inclusion in any SUSE product
please open a bug report to request review of the package by the
security team""",
+'permissions-fscaps',
+"""Packaging file capabilities is currently not supported. Please
+use normal permissions instead. You may contact the security team to
+request an entry that sets capabilities in /etc/permissions
+instead.""",
+'permissions-missing-postin',
+"""Please add %run_permissions to %post""",
+'permissions-missing-requires',
+"""Please add \"PreReq: permissions\"""",
+'permissions-missing-verifyscript',
+"""Please add a %verifyscript section""",
)
++++++ rpmlint-0.99.tar.bz2 -> rpmlint-1.0.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-0.99/ChangeLog new/rpmlint-1.0/ChangeLog
--- old/rpmlint-0.99/ChangeLog 2010-08-19 17:49:12.000000000 +0200
+++ new/rpmlint-1.0/ChangeLog 2010-11-01 22:15:40.000000000 +0100
@@ -1,3 +1,31 @@
+2010-11-01 Ville Skyttä
From 1300bf63e4f5e345329b040e3ccd982c02ee35bd Mon Sep 17 00:00:00 2001 From: Ludwig Nussel
Date: Wed, 3 Nov 2010 16:57:00 +0100 Subject: [PATCH] make file capabilities available in PkgFile
--- Pkg.py | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/Pkg.py b/Pkg.py index 73bd0ba..a2c864d 100644 --- a/Pkg.py +++ b/Pkg.py @@ -603,6 +603,10 @@ class Pkg: provides = self.header[rpm.RPMTAG_FILEPROVIDE] files = self.header[rpm.RPMTAG_FILENAMES] magics = self.header[rpm.RPMTAG_FILECLASS] + try: + filecaps = self.header[rpm.RPMTAG_FILECAPS] + except: + filecaps = None # rpm-python < 4.6 does not return a list for this (or FILEDEVICES, # FWIW) for packages containing exactly one file @@ -629,6 +633,8 @@ class Pkg: pkgfile.requires = parse_deps(requires[idx]) pkgfile.provides = parse_deps(provides[idx]) pkgfile.lang = langs[idx] + if filecaps: + pkgfile.filecaps = filecaps[idx] pkgfile.magic = magics[idx] if not pkgfile.magic and _magic: pkgfile.magic = _magic.file(pkgfile.path) @@ -806,6 +812,7 @@ class PkgFile(object): self.provides = [] self.lang = '' self.magic = '' + self.filecaps = None # TODO: decompression support -- 1.7.1 ++++++ suse-hide-unstripped-outside-build.diff ++++++ --- /var/tmp/diff_new_pack.DQML6R/_old 2010-11-05 16:04:26.000000000 +0100 +++ /var/tmp/diff_new_pack.DQML6R/_new 2010-11-05 16:04:26.000000000 +0100 @@ -1,4 +1,6 @@ ---- BinariesCheck.py +Index: BinariesCheck.py +=================================================================== +--- BinariesCheck.py.orig +++ BinariesCheck.py @@ -10,6 +10,7 @@ 
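Review bot: The bare `except:` around `self.header[rpm.RPMTAG_FILECAPS]` in the first Pkg.py hunk turns any failure into `filecaps = None`, and the second hunk then skips the assignment, so the `permissions-fscaps` check in CheckSUIDPermissions.py silently never fires. Presumably the intent is only to tolerate an rpm-python that lacks the tag; narrowing the handler to what that case raises, e.g. `except (AttributeError, KeyError):` (confirm against the supported rpm-python versions), keeps real errors visible. The context comment just below says rpm-python < 4.6 does not return a list for some tags on single-file packages; if that also applies to FILECAPS, `filecaps[idx]` would index into a string, which is worth checking. Both enclosing methods start and end outside the hunks.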
@@ -8,18 +10,18 @@ import rpm -@@ -283,7 +284,9 @@ +@@ -284,7 +285,9 @@ class BinariesCheck(AbstractCheck.Abstra continue # stripped ? - if 'not stripped' in pkgfile.magic: + if 'not stripped' in pkgfile.magic and \ -+ (os.environ.get('BUILD_DIR', None) == None or -+ os.environ.get('BUILD_DEBUG', None) != None): ++ (os.environ.get('BUILD_DIR', '') == '' or ++ os.environ.get('BUILD_DEBUG', '') != ''): printWarning(pkg, 'unstripped-binary-or-object', fname) # inspect binary file -@@ -580,6 +583,12 @@ +@@ -581,6 +584,12 @@ form, make sure that rpmbuild does not s that use prelink, make sure that prelink does not strip it either, usually by placing a blacklist file in /etc/prelink.conf.d. For more information, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''', ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org