Heads up and status update from the rpmlint front.
rpmlint will soon be updated to version 1.2 in Factory. It brings one check that could turn out to be annoying: 'incorrect-fsf-address' warns about outdated or misspelled fsf addresses in files. That's usually something for upstream to fix. We'll see how many packages it catches.
A new SUSE specific check warns about init scripts for runlevel 4. That runlevel is supposed to be admin defined so distro packages should not use it. Just remove the '4' from 'Default-Start'.
The /var/run check got accepted upstream as non-ghost-in-var-run (was dir-or-file-in-var-run before). I plan to mark that check fatal in near the future as aaa_base now actually mounts tmpfs on /var/run so anything in there must be created at run time. You need to create files in /var/run at run time and mark them as %ghost in the package.
Similarly 'non-ghost-in-var-lock' was introduced as /var/lock may use tmpfs too in the future. Packages should actually not use /var/lock at all. It's supposed to be only used for legacy device lock files (e.g. LCK..ttyS0).
The new check 'non-position-independent-executable' is a port of prp-pie which in turn got dropped. All setuid binaries as well as network facing daemons should be compiled as position independent executables to make exploits more difficult. The list of binaries where this applies is manually maintained. So if anything is missing please let us know.
Additionally we now have the possibility to make certain checks no longer filterable via package specific rpmlintrc. Initially that will be used for mandatory security checks. The shared library packaging policy is probably the next. If you are hit by this outside of Factory you can still get your package to build by setting the badness to zero¹