[opensuse-packaging] rpmlint status update
Hi,

Heads up and status update from the rpmlint front.

rpmlint will soon be updated to version 1.2 in Factory. It brings one check that could turn out to be annoying: 'incorrect-fsf-address' warns about outdated or misspelled FSF addresses in files. That's usually something for upstream to fix. We'll see how many packages it catches.

A new SUSE specific check warns about init scripts for runlevel 4. That runlevel is supposed to be admin defined so distro packages should not use it. Just remove the '4' from 'Default-Start'.

The /var/run check got accepted upstream as non-ghost-in-var-run (was dir-or-file-in-var-run before). I plan to mark that check fatal in the near future as aaa_base now actually mounts tmpfs on /var/run so anything in there must be created at run time. You need to create files in /var/run at run time and mark them as %ghost in the package.

Similarly 'non-ghost-in-var-lock' was introduced as /var/lock may use tmpfs too in the future. Packages should actually not use /var/lock at all. It's supposed to be only used for legacy device lock files (e.g. LCK..ttyS0).

The new check 'non-position-independent-executable' is a port of prp-pie which in turn got dropped. All setuid binaries as well as network facing daemons should be compiled as position independent executables to make exploits more difficult. The list of binaries where this applies is manually maintained. So if anything is missing please let us know.

Additionally we now have the possibility to make certain checks no longer filterable via package specific rpmlintrc. Initially that will be used for mandatory security checks. The shared library packaging policy is probably the next.
If you are hit by this outside of Factory you can still get your package to build by setting the badness to zero¹

cu
Ludwig

[1] http://en.opensuse.org/openSUSE:Packaging_checks#Disarming_Fatal_Errors

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging+help@opensuse.org
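The PIE check described in the post above, as an added example that is not rpmlint's own code: a small Python ELF classifier that tells a fixed-address executable (ET_EXEC) apart from a PIE (ET_DYN carrying a PT_INTERP program header) and from a plain shared library, plus the lint decision for binaries on the manually maintained list. The `build_elf64` helper and the `must_be_pie` flag are assumptions of this example; the images it produces are constructed test input, not real binaries.

```python
"""Classify ELF files the way a PIE packaging check needs to (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. PIE / shared object
PT_INTERP = 3            # program header naming the dynamic loader


def elf_kind(data):
    """Return 'not-elf', 'static-exec', 'exec' (non-PIE), 'pie', 'shared-lib' or 'other'."""
    if len(data) < 6 or data[:4] != ELF_MAGIC:
        return "not-elf"
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little endian, 2 = big endian
    if len(data) < (64 if is64 else 52):     # truncated header
        return "not-elf"
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
    # An executable (as opposed to a .so) is recognised by its PT_INTERP entry.
    # Caveat: static-pie binaries have no PT_INTERP and would show up as 'shared-lib'.
    has_interp = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(e + "I", data, off)[0] == PT_INTERP:
            has_interp = True
    if e_type == ET_EXEC:
        return "exec" if has_interp else "static-exec"
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared-lib"
    return "other"


def lint_pie(data, must_be_pie):
    """Name the warning for a listed binary that was not built as PIE, else None."""
    if must_be_pie and elf_kind(data) in ("exec", "static-exec"):
        return "non-position-independent-executable"
    return None


def build_elf64(e_type, with_interp):
    """Constructed minimal little-endian x86-64 ELF image: header plus program headers, no code."""
    phnum = 1 if with_interp else 0
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, LSB, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return hdr + phdr
```

Against a real package you would feed `elf_kind` the first few kilobytes of each installed file and consult the PIE list for the `must_be_pie` decision.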
On 05/20/2011 01:39 PM, Ludwig Nussel wrote:
rpmlint will soon be updated to version 1.2 in Factory. It brings one check that could turn out to be annoying: 'incorrect-fsf-address' warns about outdated or misspelled FSF addresses in files. That's usually something for upstream to fix. We'll see how many packages it catches.
I've been using licensecheck on all my packages and AFAIR they all have "(with incorrect FSF address)" and lots of them. Hopefully it doesn't report every file header because, in some cases, it will have an output equal to the entire build log.

Regards
Dave P
On 05/20/2011 01:39 PM, Ludwig Nussel wrote:
Hi,
Heads up and status update from the rpmlint front.
rpmlint will soon be updated to version 1.2 in Factory. It brings one check that could turn out to be annoying: 'incorrect-fsf-address' warns about outdated or misspelled FSF addresses in files. That's usually something for upstream to fix. We'll see how many packages it catches.
A new SUSE specific check warns about init scripts for runlevel 4. That runlevel is supposed to be admin defined so distro packages should not use it. Just remove the '4' from 'Default-Start'.
The /var/run check got accepted upstream as non-ghost-in-var-run (was dir-or-file-in-var-run before). I plan to mark that check fatal in the near future as aaa_base now actually mounts tmpfs on /var/run so anything in there must be created at run time. You need to create files in /var/run at run time and mark them as %ghost in the package.
Similarly 'non-ghost-in-var-lock' was introduced as /var/lock may use tmpfs too in the future. Packages should actually not use /var/lock at all. It's supposed to be only used for legacy device lock files (e.g. LCK..ttyS0).
The new check 'non-position-independent-executable' is a port of prp-pie which in turn got dropped. All setuid binaries as well as network facing daemons should be compiled as position independent executables to make exploits more difficult. The list of binaries where this applies is manually maintained. So if anything is missing please let us know.
Additionally we now have the possibility to make certain checks no longer filterable via package specific rpmlintrc. Initially that will be used for mandatory security checks. The shared library packaging policy is probably the next. If you are hit by this outside of Factory you can still get your package to build by setting the badness to zero¹
cu Ludwig
[1] http://en.opensuse.org/openSUSE:Packaging_checks#Disarming_Fatal_Errors
Just encountered the first error, it is caused by old GPLv2 licenses with an old FSF address. I've downloaded the license from gnu.org and added it as a replacement.

Dave P
participants (2)
- Dave Plater
- Ludwig Nussel