tags 922557 + patch thanks Hi,
> lintian: Make orig-tarball-missing-upstream-signature a "dsc" check WIP patch attached; the unit tests don't pass for some reason to be investigated... commit ee116b6206ae2aada6429d8a5ea8843021853f50 Author: Chris Lamb <la...@debian.org> Date: Mon Feb 18 14:54:46 2019 +0100 Make orig-tarball-missing-upstream-signature a "dsc" check so it appears when running against non-.changes files. (Closes: #922557) checks/changes-file.desc | 20 ---------- checks/changes-file.pm | 25 +------------ checks/control-file.desc | 20 ++++++++++ checks/control-file.pm | 25 ++++++++++++- lib/Lintian/Collect/Source.pm | 85 ++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 129 insertions(+), 46 deletions(-) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-
>From ee116b6206ae2aada6429d8a5ea8843021853f50 Mon Sep 17 00:00:00 2001 From: Chris Lamb <la...@debian.org> Date: Mon, 18 Feb 2019 14:54:46 +0100 Subject: [PATCH] Make orig-tarball-missing-upstream-signature a "dsc" check so it appears when running against non-.changes files. (Closes: #922557) --- checks/changes-file.desc | 20 --------- checks/changes-file.pm | 25 +---------- checks/control-file.desc | 20 +++++++++ checks/control-file.pm | 25 ++++++++++- lib/Lintian/Collect/Source.pm | 85 ++++++++++++++++++++++++++++++++++- 5 files changed, 129 insertions(+), 46 deletions(-) diff --git a/checks/changes-file.desc b/checks/changes-file.desc index 8576ab230..295a53b2f 100644 --- a/checks/changes-file.desc +++ b/checks/changes-file.desc @@ -193,26 +193,6 @@ Info: The distribution in the <tt>Changes</tt> field copied from to be released yet. Ref: #542747 -Tag: orig-tarball-missing-upstream-signature -Severity: normal -Certainty: certain -Info: The packaging includes an upstream signing key but the corresponding - <tt>.asc</tt> signature for one or more source tarballs are not included - in your .changes file. - . - Please ensure a - <tt><package>_<version>.orig.tar.<ext>.asc</tt> file - exists in the same directory as your - <tt><package>_<version>.orig.tar.<ext></tt> tarball prior - to <tt>dpkg-source --build</tt> being called. - . - If you are repackaging your source tarballs for Debian Free Software - Guidelines compliance reasons, ensure that your package version includes - <tt>dfsg</tt> or similar. - . - Support for signatures was added to <tt>pristine-tar</tt> in version 1.41 - and support in <tt>git-buildpackage</tt> is being tracked in #872864. - Tag: changed-by-invalid-for-derivative Severity: serious Certainty: certain diff --git a/checks/changes-file.pm b/checks/changes-file.pm index 2ac28b5a6..8a47793b6 100644 --- a/checks/changes-file.pm +++ b/checks/changes-file.pm 
@@ -23,7 +23,7 @@ use strict; use warnings; use autodie; -use List::MoreUtils qw(none any); +use List::MoreUtils qw(any); use Lintian::Tags qw(tag); use Lintian::Check qw(check_maintainer); @@ -31,7 +31,6 @@ use Lintian::Data; use Lintian::Util qw(get_file_checksum); my $KNOWN_DISTS = Lintian::Data->new('changes-file/known-dists'); -my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames'); sub run { my (undef, undef, $info, undef, $group) = @_; @@ -184,18 +183,6 @@ sub run { check_maintainer($info->field('changed-by'), 'changed-by'); } - my $has_signing_key = 0; - my $src = $group->get_source_processable; - if ($src) { - for my $key_name ($SIGNING_KEY_FILENAMES->all) { - my $path = $src->info->index_resolved_path("debian/$key_name"); - if ($path and $path->is_file) { - $has_signing_key = 1; - last; - } - } - } - my $files = $info->files; my $path = readlink($info->lab_data_path('changes')); my %num_checksums; @@ -203,16 +190,6 @@ sub run { foreach my $file (keys %$files) { my $file_info = $files->{$file}; - # Ensure all orig tarballs have a signature if we have an upstream - # signature. - if ( $has_signing_key - && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./ - && $file !~ m/\.asc$/ - && !$info->repacked) { - tag 'orig-tarball-missing-upstream-signature', $file - if none { exists $files->{"$_.asc"} } ($file, $1); - } - # check section if ( ($file_info->{section} eq 'non-free') or ($file_info->{section} eq 'contrib')) { diff --git a/checks/control-file.desc b/checks/control-file.desc index a50349d88..7a28bd921 100644 --- a/checks/control-file.desc +++ b/checks/control-file.desc 
@@ -418,3 +418,23 @@ Info: For licensing reasons packages from the non-free section are not license) add <tt>XS-Autobuild: yes</tt> into the header part of debian/control and get the package added to the "autobuild" whitelist. Ref: devref 5.10.5 + +Tag: orig-tarball-missing-upstream-signature +Severity: normal +Certainty: certain +Info: The packaging includes an upstream signing key but the corresponding + <tt>.asc</tt> signature for one or more source tarballs are not included + in your .changes file. + . + Please ensure a + <tt><package>_<version>.orig.tar.<ext>.asc</tt> file + exists in the same directory as your + <tt><package>_<version>.orig.tar.<ext></tt> tarball prior + to <tt>dpkg-source --build</tt> being called. + . + If you are repackaging your source tarballs for Debian Free Software + Guidelines compliance reasons, ensure that your package version includes + <tt>dfsg</tt> or similar. + . + Support for signatures was added to <tt>pristine-tar</tt> in version 1.41 + and support in <tt>git-buildpackage</tt> is being tracked in #872864. diff --git a/checks/control-file.pm b/checks/control-file.pm index 6cf25ff79..48e1dfe5a 100644 --- a/checks/control-file.pm +++ b/checks/control-file.pm @@ -24,7 +24,7 @@ use warnings; use autodie; use List::MoreUtils qw(any); -use List::Util qw(first); +use List::Util qw(first none); use Lintian::Data (); use Lintian::Relation (); @@ -46,6 +46,8 @@ my $KNOWN_DBG_PACKAGE = Lintian::Data->new( return qr/$_[0]/xms; }); +my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames'); + sub run { my ($pkg, undef, $info, undef, $group) = @_; my $debian_dir = $info->index_resolved_path('debian/'); 
@@ -459,6 +461,27 @@ sub run { and $info->is_non_free and $info->source_field('xs-autobuild', 'no') eq 'no'; + # Ensure all orig tarballs have a signature if we have an upstream + # signature. + my $files = $info->files; + my $has_signing_key = 0; + for my $key_name ($SIGNING_KEY_FILENAMES->all) { + my $path = $info->index_resolved_path("debian/$key_name"); + if ($path and $path->is_file) { + $has_signing_key = 1; + last; + } + } + foreach my $file (keys %$files) { + if ( $has_signing_key + && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./ + && $file !~ m/\.asc$/ + && !$info->repacked) { + tag 'orig-tarball-missing-upstream-signature', $file + if none { exists $files->{"$_.asc"} } ($file, $1); + } + } + return; } diff --git a/lib/Lintian/Collect/Source.pm b/lib/Lintian/Collect/Source.pm index e0a1c6fe4..6bf2736f9 100644 --- a/lib/Lintian/Collect/Source.pm +++ b/lib/Lintian/Collect/Source.pm @@ -30,7 +30,7 @@ use Lintian::Relation; use Parse::DebianChangelog; use Lintian::Util - qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX); + qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX strip); =head1 NAME 
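Review bot: `$has_signing_key` and `$info->repacked` are re-evaluated for every entry of `foreach my $file (keys %$files)` although neither depends on `$file`; wrapping the loop in `if ($has_signing_key and not $info->repacked) { ... }` and dropping those two terms from the inner `if` makes the invariant obvious and skips the loop when nothing can be tagged. The `$1` used in `none { exists $files->{"$_.asc"} } ($file, $1)` comes from the `.orig...tar` match but is read only after a second match (`$file !~ m/\.asc$/`) and a method call; that works because a failed match keeps the previous capture and captures are restored when a sub returns, but a named capture (`(?<base>^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)` read as `$+{base}`) removes the dependence on that ordering. The leading comment says "if we have an upstream signature" while the flag records an upstream signing key; `# Ensure every orig tarball ships an upstream .asc signature when debian/ carries an upstream signing key.` matches the code. The tag text added to checks/control-file.desc earlier in this patch still says the signature is "not included in your .changes file", whereas this check now reads the file list of the source package via `Lintian::Collect::Source::files` (added later in this patch), so the description should refer to the .dsc instead. `run` continues outside the hunk.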
@@ -187,6 +187,89 @@ sub native { return $self->{native}; } +=item files + +Returns a reference to a hash containing information about files listed +in the .changes file. Each hash may have the following keys: + +=over 4 + +=item name + +Name of the file. + +=item size + +The size of the file in bytes. + +=item checksums + +A hash with the keys being checksum algorithms and the values themselves being +hashes containing + +=over 4 + +=item sum + +The result of applying the given algorithm to the file. + +=item filesize + +The size of the file as given in the .changes section relating to the given +checksum. + +=back + +=back + +Needs-Info requirements for using I<files>: L<Lintian::Collect/field ([FIELD[, DEFAULT]])> + +=cut + +sub files { + my ($self) = @_; + + return $self->{files} if exists $self->{files}; + + my %files; + + my $file_list = $self->field('files') || ''; + local $_; + for (split /\n/, $file_list) { + strip; + next if $_ eq ''; + + my ($md5sum,$size,$file) = split(/\s+/o, $_); + next if $file =~ m,/,; + + $files{$file}{checksums}{md5} = { + 'sum' => $md5sum, + 'filesize' => $size, + }; + $files{$file}{name} = $file; + $files{$file}{size} = $size; + } + + foreach my $alg (qw(sha1 sha256)) { + my $list = $self->field("checksums-$alg") || ''; + for (split /\n/, $list) { + strip; + next if $_ eq ''; + + my ($checksum, $size, $file) = split(/\s+/o, $_); + next if $file =~ m,/,; + + $files{$file}{checksums}{$alg} = { + 'sum' => $checksum, + 'filesize' => $size + }; + } + } + + $self->{files} = \%files; + return $self->{files}; +} + =item repacked Returns true if the source package has been "repacked" and false otherwise. -- 2.20.1
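Review bot: The POD for `files` describes the .changes file twice ("files listed in the .changes file", "as given in the .changes section"), but this method lives in Lintian::Collect::Source and reads `$self->field('files')` and `$self->field("checksums-$alg")` of the source package, so the text should name the .dsc (source package) instead. `split(/\s+/o, $_)` leaves `$file` undefined for a line with fewer than three fields, and the following `$file =~ m,/,` then warns under `use warnings`; a `next unless defined $file;` after each `split` keeps a malformed field from producing noise (the `/o` modifier does nothing on a constant pattern and can be dropped). The two `next if $file =~ m,/,;` guards deserve a why-comment, e.g. `# Files/Checksums-* entries are expected to be bare filenames; skip any entry carrying a directory component.`, since a reader otherwise cannot tell whether this is deliberate validation or an oversight. The `strip; next if $_ eq '';` prologue, the `split` and the slash skip are duplicated between the md5 loop and the `checksums-$alg` loop; a small private helper returning (sum, size, file) for one field line would remove the duplication.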