This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=13cad525ffbcbfba47863ea41024415ac25f7974

commit 13cad525ffbcbfba47863ea41024415ac25f7974
Author: Guillem Jover <[email protected]>
AuthorDate: Sun Dec 2 03:35:49 2018 +0100

    dpkg-genbuildinfo: Add support for a new Build-Tainted-By field
    
    This field will contain a list of tainting reason tags, which can denote
    that the current build has potentially been broken.
    
    Suggested-by: Alexander E. Patrakov <[email protected]>
---
 debian/changelog                   |  2 ++
 man/deb-buildinfo.man              | 11 +++++++++++
 scripts/Dpkg/Control/FieldsCore.pm |  7 ++++++-
 scripts/Dpkg/Vendor/Debian.pm      | 10 ++++++++++
 scripts/Dpkg/Vendor/Default.pm     | 10 ++++++++++
 scripts/dpkg-genbuildinfo.pl       |  2 ++
 scripts/t/Dpkg_Control_Fields.t    |  5 +++--
 7 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 7006c9093..58a306652 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,8 @@ dpkg (1.19.5) UNRELEASED; urgency=medium
     Closes: #922039
   * dpkg-maintscript-helper: Restrict find for dir-to-symlink move to
     -maxdepth 1. Thanks to Ralf Treinen <[email protected]>. Closes: #922799
+  * dpkg-genbuildinfo: Add support for a new Build-Tainted-By field in
+    .buildinfo files. Suggested by Alexander E. Patrakov <[email protected]>.
   * Documentation:
     - start-stop-daemon(1): Document behavior of --pidfile security checks.
       Closes: #921557
diff --git a/man/deb-buildinfo.man b/man/deb-buildinfo.man
index 5013aa047..1a1ddc7d1 100644
--- a/man/deb-buildinfo.man
+++ b/man/deb-buildinfo.man
@@ -149,6 +149,17 @@ via some pattern match to avoid leaking possibly sensitive 
information.
 On Debian and derivatives only build paths starting with \fI/build/\fP
 will emit this field.
 .TP
+.B Build\-Tainted\-By:
+.TQ
+.I " taint-reason-list"
+This folded field contains a space-separated list of non-exhausitve reason
+tags (formed by alphanumeric and dash characters) which identify why the
+current build has been tainted (since dpkg 1.19.5).
+.IP
+On Debian and derivatives the following reason tags can be emitted:
+.RS
+.RE
+.TP
 .BR Installed\-Build\-Depends: " (required)"
 .TQ
 .I " package-list"
diff --git a/scripts/Dpkg/Control/FieldsCore.pm 
b/scripts/Dpkg/Control/FieldsCore.pm
index b100366e1..f460433fc 100644
--- a/scripts/Dpkg/Control/FieldsCore.pm
+++ b/scripts/Dpkg/Control/FieldsCore.pm
@@ -176,6 +176,11 @@ our %FIELDS = (
         allowed => CTRL_INFO_PKG,
         separator => FIELD_SEP_SPACE,
     },
+    'build-tainted-by' => {
+        name => 'Build-Tainted-By',
+        allowed => CTRL_FILE_BUILDINFO,
+        separator => FIELD_SEP_SPACE,
+    },
     'built-for-profiles' => {
         name => 'Built-For-Profiles',
         allowed => ALL_PKG | CTRL_FILE_CHANGES,
@@ -634,7 +639,7 @@ our %FIELD_ORDER = (
         qw(format source binary architecture version binary-only-changes),
         @src_checksums_fields,
         qw(build-origin build-architecture build-kernel-version build-date
-        build-path installed-build-depends environment),
+        build-path build-tainted-by installed-build-depends environment),
     ],
     CTRL_FILE_CHANGES() => [
         qw(format date source binary binary-only built-for-profiles 
architecture
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 7d4b6d802..7b5244042 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -81,6 +81,8 @@ sub run_hook {
         $self->_add_build_flags(@params);
     } elsif ($hook eq 'builtin-system-build-paths') {
         return qw(/build/);
+    } elsif ($hook eq 'build-tainted-by') {
+        return $self->_build_tainted_by();
     } else {
         return $self->SUPER::run_hook($hook, @params);
     }
@@ -439,6 +441,14 @@ sub _add_build_flags {
     }
 }
 
+sub _build_tainted_by {
+    my $self = shift;
+    my %tainted;
+
+    my @tainted = sort keys %tainted;
+    return @tainted;
+}
+
 =head1 CHANGES
 
 =head2 Version 0.xx
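Review bot: `%tainted` in `_build_tainted_by` is declared and never populated, so the sub always returns an empty list and the Debian `build-tainted-by` hook currently reports nothing; the man page hunk likewise lists no reason tags between `.RS` and `.RE`. If this is an intentional placeholder, say so with a comment above the hash, e.g. `# No taint checks are implemented yet; each detected reason becomes a key of %tainted.` `$self` is shifted but not used in the body. When checks are added, keep the tags within the documented alphanumeric-and-dash form, since dpkg-genbuildinfo joins the returned list straight into the .buildinfo field.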
diff --git a/scripts/Dpkg/Vendor/Default.pm b/scripts/Dpkg/Vendor/Default.pm
index 40815efde..ed05c3009 100644
--- a/scripts/Dpkg/Vendor/Default.pm
+++ b/scripts/Dpkg/Vendor/Default.pm
@@ -140,6 +140,14 @@ field will be created if the current directory is 
"/build/dpkg-1.18.0". If
 the list contains "/", the path will always be recorded. If the list is
 empty, the current path will never be recorded.
 
+=item build-tainted-by ()
+
+The hook is called by dpkg-genbuildinfo to determine if the current system
+has been tainted in some way that could affect the resulting build, which
+will be recorded in the B<Build-Tainted-By> field (since dpkg 1.19.5). It
+takes no parameters, but returns a (possibly empty) list of tainted reason
+tags (formed by alphanumeric and dash characters).
+
 =back
 
 =cut
@@ -172,6 +180,8 @@ sub run_hook {
        my $flags = shift @params;
     } elsif ($hook eq 'builtin-system-build-paths') {
         return ();
+    } elsif ($hook eq 'build-tainted-by') {
+        return ();
     }
 
     # Default return value for unknown/unimplemented hooks
diff --git a/scripts/dpkg-genbuildinfo.pl b/scripts/dpkg-genbuildinfo.pl
index fe296506e..827b6679f 100755
--- a/scripts/dpkg-genbuildinfo.pl
+++ b/scripts/dpkg-genbuildinfo.pl
@@ -437,6 +437,8 @@ if ($use_feature{path}) {
     }
 }
 
+$fields->{'Build-Tainted-By'} = "\n" . join "\n", 
run_vendor_hook('build-tainted-by');
+
 $checksums->export_to_control($fields);
 
 $fields->{'Installed-Build-Depends'} = collect_installed_builddeps($control);
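Review bot: The `Build-Tainted-By` assignment is unconditional, so when the hook returns an empty list (as both vendor implementations in this commit do) the field value becomes a lone `"\n"`. Unless the control output drops whitespace-only values (not visible in this hunk), every .buildinfo would carry an empty field, which a consumer checking only for the field's presence could misread as a tainted build. Consider `my @build_tainted = run_vendor_hook('build-tainted-by');` followed by `$fields->{'Build-Tainted-By'} = "\n" . join "\n", @build_tainted if @build_tainted;`. The hook output is also written without being checked against the documented tag form (alphanumeric and dash), so a tag containing whitespace or a newline would change the field's structure; validating here would keep the field well-formed whichever vendor module supplies the tags.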
diff --git a/scripts/t/Dpkg_Control_Fields.t b/scripts/t/Dpkg_Control_Fields.t
index 00f951052..8e0bd721b 100644
--- a/scripts/t/Dpkg_Control_Fields.t
+++ b/scripts/t/Dpkg_Control_Fields.t
@@ -20,7 +20,7 @@ use Test::More;
 use Test::Dpkg qw(:paths);
 
 BEGIN {
-    plan tests => 2416;
+    plan tests => 2438;
 
     use_ok('Dpkg::Control::Types');
     use_ok('Dpkg::Control::FieldsCore');
@@ -167,7 +167,8 @@ my %fields = (
             qw(Format Source Binary Architecture Version Binary-Only-Changes),
             @src_checksums,
             qw(Build-Origin Build-Architecture Build-Kernel-Version
-               Build-Date Build-Path Installed-Build-Depends Environment)
+               Build-Date Build-Path Build-Tainted-By
+               Installed-Build-Depends Environment)
         ],
     },
     CTRL_FILE_CHANGES() => {

-- 
Dpkg.Org's dpkg
