This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=769e87e0b9943bae4c62f1a5c85581be653d74b8 commit 769e87e0b9943bae4c62f1a5c85581be653d74b8 Author: Guillem Jover <[email protected]> AuthorDate: Mon Dec 3 08:57:14 2018 +0100 Dpkg::Vendor::Debian: Add support for usr-local-has-* tainted tags These will detect problematic files under /usr/local which can taint the current build. --- debian/changelog | 1 + man/deb-buildinfo.man | 12 ++++++++++++ scripts/Dpkg/Vendor/Debian.pm | 14 ++++++++++++++ 3 files changed, 27 insertions(+) diff --git a/debian/changelog b/debian/changelog index a57bd3438..16ea0cf74 100644 --- a/debian/changelog +++ b/debian/changelog @@ -28,6 +28,7 @@ dpkg (1.19.5) UNRELEASED; urgency=medium * Perl modules: - Dpkg::Vendor::Debian: Add support for merged-usr-via-symlinks tainted tag. Suggested by Alexander E. Patrakov <[email protected]>. + - Dpkg::Vendor::Debian: Add support for usr-local-has-* tainted tags. * Documentation: - start-stop-daemon(1): Document behavior of --pidfile security checks. Closes: #921557 diff --git a/man/deb-buildinfo.man b/man/deb-buildinfo.man index fe276bef2..691acb255 100644 --- a/man/deb-buildinfo.man +++ b/man/deb-buildinfo.man @@ -169,6 +169,18 @@ problems, and messes with the understanding of the filesystem that For build systems that hardcode pathnames to specific binaries or libraries on the resulting artifacts, it can also produce packages that will be incompatible with non-/usr-merged filesystems. +.TP +.B usr\-local\-has\-configs +The system has configuration files under \fI/usr/local/etc\fP. +.TP +.B usr\-local\-has\-includes +The system has header files under \fI/usr/local/include\fP. +.TP +.B usr\-local\-has\-programs +The system has programs under \fI/usr/local/bin\fP or \fI/usr/local/sbin\fP. +.TP +.B usr\-local\-has\-libraries +The system has libraries, either static or shared under \fI/usr/local/lib\fP. .RE .TP .BR Installed\-Build\-Depends: " (required)" 
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm index 6948bdc16..a352bbdde 100644 --- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -455,6 +455,20 @@ sub _build_tainted_by { } } + require File::Find; + my %usr_local_types = ( + configs => [ qw(etc) ], + includes => [ qw(include) ], + programs => [ qw(bin sbin) ], + libraries => [ qw(lib) ], + ); + foreach my $type (keys %usr_local_types) { + File::Find::find({ + wanted => sub { $tainted{"usr-local-has-$type"} = 1 if -f }, + no_chdir => 1, + }, map { "/usr/local/$_" } @{$usr_local_types{$type}}); + } + my @tainted = sort keys %tainted; return @tainted; } -- Dpkg.Org's dpkg
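Review bot: The start directories handed to `File::Find::find` in the new loop are not checked for existence, and File::Find emits a "Can't stat …" warning for each top-level path it cannot lstat, so a system without e.g. `/usr/local/sbin` would likely get warning noise on every build. Filtering first avoids that: `}, grep { -d } map { "/usr/local/$_" } @{$usr_local_types{$type}});`. The `wanted` callback also sets the tag for any regular file (`-f`), so `usr-local-has-libraries` fires on anything under `/usr/local/lib`, not only the static or shared libraries the man page describes; the test or the documentation should be narrowed so consumers of the buildinfo field can interpret the tag consistently. The traversal also keeps walking the whole tree after the first hit, which may be slow on a large `/usr/local/lib`. `_build_tainted_by` starts outside this hunk, so the declaration of `%tainted` is not visible here.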

