Processed: Re: lintian: Classification tag for missing systemd units

2018-02-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 858588 + moreinfo
Bug #858588 [lintian] lintian: Classification tag for missing systemd units
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
858588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858588: lintian: Classification tag for missing systemd units

2018-02-02 Thread Chris Lamb
tags 858588 + moreinfo
thanks

Hi Lucas,

> It would be great to add a classification tag in the case where
> no service file is provided for an init script, even if the maintainer
> did not make any other effort to make the package work with systemd.
  ^^

I can't quite get/parse this bit. :)  As you quote, the code is:

tag 'systemd-no-service-for-init-script', $basename
  if (%{$services} and not $services->{$servicename});

.. but surely this captures the idea of /etc/init.d/foo exists yet
there is no foo.service?  ie. the systemd unit is missing.

(It might be helpful in a concrete sense to give an example of a package
that is not being triggered by the above but would be triggered by
your proposed tag?)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#820523: marked as done (lintian: NMU check should match on email and warn if name does not match)

2018-02-02 Thread Debian Bug Tracking System
Your message dated Sat, 03 Feb 2018 03:54:02 +0530
with message-id 
<1517610242.989809.1257762616.4220a...@webmail.messagingengine.com>
and subject line Re: lintian: NMU check should match on email and warn if name 
does not match
has caused the Debian Bug report #820523,
regarding lintian: NMU check should match on email and warn if name does not 
match
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
820523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.38
Severity: wishlist

debian/changelog is a partly automatically generated file, partly manually
edited.
I probably did something wrong to even notice this edge case, but still.

Given a debian/changelog that ends with, for example:

"""
 --  Hugues Morisset   Fri, 02 Oct 2015 14:13:47 +0100
"""

And given a debian/control that contains, among others:

"""
Maintainer: Hugues Morisset 
"""

Then lintian complains (correctly!) about the current version being a NMU,
i.e., changelog-should-mention-nmu and source-nmu-has-incorrect-version-number.

For a Debian newbie, this is very confusing.

To make it easier to resolve issues like this, I would like to "wish" for an
*additional* warning message like this:

"""
The most recent changelog entry is from " Hugues Morisset
". The control file lists "Hugues Morisset
" as a maintainer. These count as different people
only due to differing whitespace, even though the address is identical. If this
dissociation is unintended, please correct the whitespace issue in the
changelog.
"""

I'm horrible at designing warning messages, but I hope I could explain why,
what, and how this is happening; and why it's pretty unintuitive.

As indicated in the fictive warning message, I would suggest checking the "raw"
email address of the changelog against the "raw" email address of each
maintainer and uploader. If the address matches but the name doesn't, then the
packager most definitely did not intend this.



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils   2.25.1-3
ii  bzip2  1.0.6-8
ii  diffstat   1.60-1
ii  file   1:5.25-2
ii  gettext0.19.6-1
ii  hardening-includes 2.7
ii  intltool-debian0.35.0+20060710.4
ii  libapt-pkg-perl0.1.29+b3
ii  libarchive-zip-perl1.53-1
ii  libclass-accessor-perl 0.34-1
ii  libclone-perl  0.38-1
ii  libdpkg-perl   1.18.3
ii  libemail-valid-perl1.196-1
ii  libfile-basedir-perl   0.07-1
ii  libipc-run-perl0.94-1
ii  liblist-moreutils-perl 0.413-1
ii  libparse-debianchangelog-perl  1.2.0-8
ii  libtext-levenshtein-perl   0.13-1
ii  libtimedate-perl   2.3000-2
ii  liburi-perl1.69-1
ii  man-db 2.7.3-1
ii  patchutils 0.3.4-1
ii  perl [libdigest-sha-perl]  5.20.2-6
ii  t1utils1.38-4
ii  xz-utils   5.1.1alpha+20120614-2.1

Versions of packages lintian recommends:
ii  dpkg1.18.3
pn  libperlio-gzip-perl 
ii  perl5.20.2-6
ii  perl-modules [libautodie-perl]  5.20.2-6

Versions of packages lintian suggests:
ii  binutils-multiarch 2.25.1-3
ii  dpkg-dev   1.18.3
ii  libhtml-parser-perl3.71-2
ii  libtext-template-perl  1.46-1
pn  libyaml-perl   

-- no debconf information
--- End Message ---
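The address-based comparison the report asks for, written out as an added example. This is not lintian's code (lintian's later extra-whitespace-around-name-in-changelog-trailer check is implemented in Perl and differs in detail). The trailer and control lines are constructed: the list archive stripped the real address, so hugues@example.org is a placeholder, and the trailer carries two spaces before the address to reproduce the whitespace-only mismatch.

```shell
#!/bin/sh
# Added example, not lintian's code. Compares the person in a debian/changelog
# trailer with Maintainer/Uploaders from debian/control keyed on the bare
# e-mail address, and says whether only the name (or only whitespace) differs.
set -eu

# Constructed sample input; the address is a placeholder.
CHANGELOG_TRAILER=' --  Hugues Morisset  <hugues@example.org>  Fri, 02 Oct 2015 14:13:47 +0100'
CONTROL_PEOPLE='Hugues Morisset <hugues@example.org>'

# Strip leading and trailing whitespace.
trim() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Bare address of "Name <addr>", lower-cased: the "raw" key the report wants.
addr_of() {
    printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p' | tr 'A-Z' 'a-z'
}

# Name part of "Name <addr>" with every run of whitespace squeezed to one
# space, so only a real name difference survives the comparison.
name_of() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*<.*//; s/^[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g'
}

# Reduce a changelog trailer " -- Name <addr>  date" to "Name <addr>".
trailer_person() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*--[[:space:]]*//; s/>.*/>/'
}

# Compare the trailer against one maintainer/uploader entry. Prints one of
# same | whitespace-only | name-differs | different-address.
classify() {
    trailer=$(trailer_person "$1")
    person=$(trim "$2")
    if [ "$(addr_of "$trailer")" != "$(addr_of "$person")" ]; then
        echo different-address
    elif [ "$trailer" = "$person" ]; then
        echo same
    elif [ "$(name_of "$trailer")" = "$(name_of "$person")" ]; then
        echo whitespace-only
    else
        echo name-differs
    fi
}

# Compare against Maintainer plus every comma-separated Uploader and keep the
# closest verdict (same > whitespace-only > name-differs > different-address).
check_trailer() {
    trailer=$1
    best=different-address
    saved_ifs=$IFS
    IFS=','
    set -- $2
    IFS=$saved_ifs
    for person; do
        verdict=$(classify "$trailer" "$person")
        case "$verdict:$best" in
            same:*) best=same ;;
            whitespace-only:different-address|whitespace-only:name-differs) best=whitespace-only ;;
            name-differs:different-address) best=name-differs ;;
        esac
    done
    echo "$best"
}

check_trailer "$CHANGELOG_TRAILER" "$CONTROL_PEOPLE"   # whitespace-only
```

A "whitespace-only" or "name-differs" verdict is the case the report describes: the address proves the uploader is the maintainer, so the NMU tags are firing on a cosmetic difference and the warning can point at the trailer. "different-address" is a genuine NMU as far as this check can tell.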
--- Begin Message ---
Hi,

> […]

I believe the problems raised for this bug have now been fixed, eg. we
have a "extra-whitespace-around-name-in-changelog-trailer" tag to detect
whitespace, the long description of "changelog-should-mention-nmu"
contains:

 Maybe you didn't intend this upload to be a NMU, in that case, please
 double-check that the most recent entry in the changelog is byte-for-byte
 identical to the maintainer or one of the uploaders.  If this is a local
 package 

Bug#889154: maintainer-script-should-not-use-service, long description

2018-02-02 Thread Chris Lamb
tags 889154 + pending
thanks

Fixed in Git, pending upload:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=5c753271104136bb2b194b8de4672e0129748092


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



[lintian] branch master updated (5c75327 -> c1ea578)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a change to branch master
in repository lintian.

  from  5c75327   checks/scripts.desc: Update the 
maintainer-script-should-not-use-service tag to include advice and Debian 
Policy reference. (Closes: #889154)
   new  c1ea578   data/files/fnames: Ensure 
package-contains-python-doctree-file also warns about compressed .doctree files.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 data/files/fnames | 2 +-
 debian/changelog  | 3 +++
 t/tests/files-general/debian/debian/rules | 1 +
 t/tests/files-general/tags| 1 +
 4 files changed, 6 insertions(+), 1 deletion(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git



Processed: Re: maintainer-script-should-not-use-service, long description

2018-02-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 889154 + pending
Bug #889154 [lintian] maintainer-script-should-not-use-service, long description
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
889154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[lintian] 01/01: checks/scripts.desc: Update the maintainer-script-should-not-use-service tag to include advice and Debian Policy reference. (Closes: #889154)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit 5c753271104136bb2b194b8de4672e0129748092
Author: Chris Lamb 
Date:   Fri Feb 2 21:58:59 2018 +

checks/scripts.desc: Update the maintainer-script-should-not-use-service 
tag to include advice and Debian Policy reference. (Closes: #889154)
---
 checks/scripts.desc | 12 +---
 debian/changelog|  3 +++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index 1ed01eb..176b8a1 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -609,9 +609,15 @@ Tag: maintainer-script-should-not-use-service
 Severity: important
 Certainty: certain
 Experimental: yes
-Info: The maintainer script apparently runs the service command.
- This command is reserved for local
- administrators and must never be used by a Debian package.
+Info: The maintainer script apparently runs the service command. This
+ command is reserved for local administrators and must never be used
+ by a Debian package.
+ .
+ Please replace with calls to update-rc.d(8) and
+ invoke-rc.d(8). If your package installs this service, this
+ can be automated using dh_installinit(1) or
+ dh_installsystemd(1).
+Ref: policy 9.3.3
 
 Tag: maintainer-script-should-not-use-adduser-system-without-home
 Severity: serious
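Review bot: the new paragraph covers the package's own service but not the case the bug report raises, reloading a service that belongs to another package after changing its configuration; say that `invoke-rc.d <service> reload` is the call there too, guarded by a check that the service exists and without aborting the install if the reload fails. The text also still gives no rationale: invoke-rc.d consults /usr/sbin/policy-rc.d, which is how chroots and build environments stop daemons from being started, and `service` does not, which is why Policy reserves it for administrators. The `|| exit $?` that dh_installinit generates after invoke-rc.d is worth mentioning as the model for the package's own service. The Ref: policy 9.3.3 line is a good addition.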
diff --git a/debian/changelog b/debian/changelog
index 4aa6a9c..fa13223 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -46,6 +46,9 @@ lintian (2.5.73) UNRELEASED; urgency=medium
   * checks/rules.pm:
 + [CL] Check for override_dh_auto_test targets that do not check
   DEB_BUILD_OPTIONS for "nocheck".  (Closes: #712394)
+  * checks/scripts.desc:
++ [CL] Update the maintainer-script-should-not-use-service tag to
+  include advice and Debian Policy reference.  (Closes: #889154)
   * checks/source-copyright.{desc,pm}:
 + [CL] Warn about packages that specify a Files-Excluded header without
   a valid Format header as the former will be ignored by uscan(1).

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git



Bug#782990: lintian: new pedantic check about planned features in package descriptions

2018-02-02 Thread Chris Lamb
Hi Juhani,

> […]

Thanks for these. Committed :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



[lintian] branch master updated (547d9a1 -> d25602f)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a change to branch master
in repository lintian.

  from  547d9a1   Update legacy-maintainer-scripts tests too.
   new  d25602f   checks/description.desc: Fix some typos and grammatical 
errors - thanks Juhani!

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 checks/description.desc | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git



Bug#889154: maintainer-script-should-not-use-service, long description

2018-02-02 Thread Thorsten Alteholz

Package: lintian
Version: 2.5.72
Severity: wishlist

Please extend the long description of maintainer-script-should-not-use-service

Especially it is not clear what to do in case a package changes the 
config of another package and would like to reload the config during 
installation.

For example this is needed after a new apache config has been added.

  Thorsten
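What a postinst can do in the case the report describes (reloading another package's service, apache2 in the example, after changing its configuration), as an added example that is neither lintian's code nor text from Debian Policy. It calls invoke-rc.d, which is what the tag's updated description points at; the INITD_DIR and UNIT_DIR variables exist only so the function can be exercised outside a real Debian system and are an assumption of this example, as is the stub invoke-rc.d the accompanying check uses.

```shell
#!/bin/sh
# Added example, not lintian's code: reload another package's service from a
# maintainer script without calling "service".
set -eu

# Overridable only so the function can be tested on a scratch tree; a real
# postinst hard-codes the defaults (assumption of this example).
INITD_DIR=${INITD_DIR:-/etc/init.d}
UNIT_DIR=${UNIT_DIR:-/lib/systemd/system}

# True if some package has installed a service called $1, either as an init
# script or as a native systemd unit. If not, there is nothing to reload.
service_present() {
    [ -x "$INITD_DIR/$1" ] || [ -f "$UNIT_DIR/$1.service" ]
}

# Ask service $1 to reload through invoke-rc.d, which honours
# /usr/sbin/policy-rc.d (so a chroot or build environment can refuse) and
# drives systemd on systemd hosts. Prints one word describing what happened.
# A failed reload of someone else's daemon must not abort our own
# installation, so the function never returns non-zero for that.
reload_if_present() {
    svc=$1
    if ! service_present "$svc"; then
        echo skipped
        return 0
    fi
    if invoke-rc.d "$svc" reload; then
        echo reloaded
    else
        # Non-zero covers "refused by policy" as well as a real failure; see
        # invoke-rc.d(8) for the codes. Report it, do not fail postinst.
        echo "not-reloaded:$?"
    fi
}

# Typical use in postinst, only on the configure phase:
#   case "$1" in configure) reload_if_present apache2 ;; esac
```

For the package's own service this is exactly what the dh_installinit and dh_installsystemd snippets generate (with `|| exit $?`, because there a failed start is the package's own failure); the hand-written form is only needed when the service belongs to someone else.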



Bug#782990: lintian: new pedantic check about planned features in package descriptions

2018-02-02 Thread Juhani Numminen
On Mon, 29 Jan 2018 03:53:18 +0530 Chris Lamb  wrote:
>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=f444db614d4ac4ed4ef24060cb6856fb61b5b631

checks/description.desc:
> Package descriptions should not mention features that not yet implemented

Perhaps the word ‘are’ is missing there?
One more:

https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=518f2979822557024a3501e9a731e51ceb8220ea
checks/description.desc:
> This is not necessary as the synopsis does nott need to be a full

nott → not


Cheers,
Juhani



Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Chris Lamb
Hi Raphael,

> Consensus? Has there been a broader discussion on this topic that I
> missed?

Chatter on #debian-devel mostly.

> You could have a checklist

I follow a checklist internally but, as I implied in my previous mail,
using this particular tag is a poor example/representation. :)

A quick grep of "git log -p checks/*.desc" for "+ Please" will show
that tags I add invariably include some kind of actionable advice. :)

> Sorry, what CVE are you referring to?

This is via https://bugs.debian.org/889060#5.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Raphael Hertzog
Hi,

On Fri, 02 Feb 2018, Chris Lamb wrote:
> > you do not suggest any alternative (how do I fix change
> > permissions/ownership securely?)
> 
> Indeed, as the consensus is still not clear at this point. Do you
> have any suggestions for such a text?

Consensus? Has there been a broader discussion on this topic that I
missed?

In any case, maybe we could encourage the use of "-h / --no-dereference"
on such calls?

Or if there is no consensus, but multiple suggestions have been made,
then it's probably best to list all the possible solutions that have been
pointed out (maybe usage of systemd's dynamic user feature).

> > Please try to be a bit more restrictive in what new tags you are
> > accepting.
> 
> You seem to be implying this is a pattern. If so, please could you
> provide some other examples so I could understand better?

Well, it seems to me that you could put a bit more thought up-front
when a new tag is added... it seems to me that tags are added and
that subsequent versions often provide a longer explanation
with more context and/or with new ways to not trigger the tag (i.e. that 
do not require adding an override).

That was the case with new-package-should-not-package-python2-module
and dependency-on-python-version-marked-for-end-of-life.

In any case, it's not a big deal, I largely prefer having lintian very
actively maintained with a few mistakes quickly fixed than having no new
checks... but you are still the gatekeeper, Debian developers have lots
of (sometimes weird) desires/wishlists for a tool like lintian and you
should help them better define their checks before merging them.

You could have a checklist:

- Does the long description tell the maintainer how to fix the problem?
  Can it include a reference to some relevant documentation?
- Does the long description give the rationale why this is a problem
  in the first place?
- Can we have a mechanism to not trigger the tag when the maintainer
  knows that it's a false positive (without adding an explicit override
  tag)?
- Did someone do an estimation of the false positive ratio? Is it
  reasonable?

> This was a judgement call based on the severity of the problem (it,
> after all, had a CVE). Personally I'd rather have a check for such
> an issue that had an incomplete long description than not have the
> check at all. Clearly, this would not apply to a trivial or even a
> normal issue..

Sorry, what CVE are you referring to?

In my case, I remember having touched many packages with dedicated
users created and I expect this tag to have a very high false positive
ratio. If you know this, you might want to acknowledge it in the long
description explaining that you accept the false positives because
of the security impact of any case where nobody took the time to
analyze the security implications (but then again you should help the
maintainer to do his own assessment, what is safe and what is not safe?).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Chris Lamb
Raphael,

> you do not suggest any alternative (how do I fix change
> permissions/ownership securely?)

Indeed, as the consensus is still not clear at this point. Do you
have any suggestions for such a text?

> Please try to be a bit more restrictive in what new tags you are
> accepting.

You seem to be implying this is a pattern. If so, please could you
provide some other examples so I could understand better?

This was a judgement call based on the severity of the problem (it,
after all, had a CVE). Personally I'd rather have a check for such
an issue that had an incomplete long description than not have the
check at all. Clearly, this would not apply to a trivial or even a
normal issue..


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Raphael Hertzog
Hi,

On Thu, 01 Feb 2018, Daniel Kahn Gillmor wrote:
> "chown -R" and "chmod -R" are very hard to use safely

Why ?

> some debian maintainer scripts might be tempted to use them to adjust
> file ownership to specific users.  however, those scripts are
> vulnerable to attack on kernels that do not have
> fs.protected_hardlinks=1.

Only if someone has write access to the directories where chown/chmod
are called... which is generally not the case for directories that
are modified by maintainer scripts (/var/log/foo, /var/lib/foo).

I'm sorry but this tag is going to generate lots of noise and
unhappiness among maintainers because:
1/ you do not suggest any alternative (how do I fix change
   permissions/ownership securely?)
2/ you do not tell them how to ensure that their case is safe or not and
   whether they should just override the tag or not.
3/ I expect the false-positive ratio to be very high

Chris, as a lintian maintainer, I would expect you to ensure that
any tag has actionable data and looking at the commit, clearly this
one doesn't have any. There's no indication on how to go forward
to fix this tag.

Please try to be a bit more restrictive in what new tags you are
accepting.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
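The attack class the thread is about, shown on a scratch tree, as an added example that is not lintian's code or anything from the bug report. A hardlink is a second name for the same inode, so a recursive chmod or chown that walks into a directory where an attacker has planted one changes the file the link points at; `-h`/`--no-dereference` only changes how symlinks are treated and makes no difference here. The demo uses chmod rather than chown because it needs no root, and links to a file the running user owns, which every kernel permits; the case fs.protected_hardlinks=1 blocks is a link to a file the attacker does not own, such as /etc/shadow. The link-count pre-check is one mitigation, an assumption of this example rather than a Debian convention.

```shell
#!/bin/sh
# Added example, not lintian's code: why "chmod -R" / "chown -R" over a
# directory an unprivileged user can write to is dangerous, and a pre-check
# a maintainer script could run before recursing.
set -eu

# Lay out $1/victim (stands in for a file outside the service tree) and
# $1/svc (the directory the package "owns"). The attacker, who can write to
# svc/, plants a hardlink to the victim there. The victim is ours, so the
# link is allowed on any kernel; for a foreign file such as /etc/shadow only
# fs.protected_hardlinks=1 refuses it.
setup_tree() {
    mkdir -p "$1/svc"
    printf 'secret\n' > "$1/victim"
    chmod 600 "$1/victim"
    ln "$1/victim" "$1/svc/innocent.log"
}

# Octal permission bits of a path, e.g. 600.
mode_of() {
    stat -c '%a' "$1"
}

# What a careless postinst does: the hardlink is the same inode, so the
# victim's mode changes with it.
unsafe_fix_perms() {
    chmod -R 777 "$1/svc"
}

# Safer variant: stay on one filesystem, skip symlinks (-type f), refuse if
# any regular file under the tree has a second name elsewhere (link count
# above 1), and never hand out world-writable bits.
safe_fix_perms() {
    dir=$1
    if [ -n "$(find "$dir" -xdev -type f -links +1)" ]; then
        echo "refusing: hardlinked file under $dir" >&2
        return 1
    fi
    find "$dir" -xdev -type d -exec chmod 750 '{}' +
    find "$dir" -xdev -type f -exec chmod 640 '{}' +
}

# Demonstration on a throwaway directory.
work=$(mktemp -d)
setup_tree "$work"
echo "victim before: $(mode_of "$work/victim")"          # 600
safe_fix_perms "$work/svc" || echo "safe variant refused"
unsafe_fix_perms "$work"
echo "victim after chmod -R: $(mode_of "$work/victim")"  # 777
rm -rf "$work"
```

The link-count check races with the attacker (a link planted between the find and the chmod still wins), so it narrows the window rather than closing it. The robust answer is not to recurse over a tree that untrusted users can write to at all: create the directories with the right owner and mode up front (`install -d -o user -g group -m 750 ...`) and let the service own what it writes underneath, or record ownership changes for shipped files with dpkg-statoverride so no runtime chown is needed.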



Build failed in Jenkins: lintian-tests_sid #2515

2018-02-02 Thread jenkins
See 


Changes:

[lamby] Warn if the maintainer scripts include "chown -R" or "chmod -R" to

--
[...truncated 244.38 KB...]

[lintian] branch master updated (e46b476 -> 547d9a1)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a change to branch master
in repository lintian.

  from  e46b476   Warn if the maintainer scripts include "chown -R" or 
"chmod -R" to prevent hardlink attacks on kernels that do not have 
fs.protected_hardlinks=1. (Closes: #889066)
   new  547d9a1   Update legacy-maintainer-scripts tests too.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 t/tests/legacy-maintainer-scripts/tags | 1 +
 1 file changed, 1 insertion(+)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git



[lintian] 01/01: Update legacy-maintainer-scripts tests too.

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit 547d9a1f4e42c554e2c39fe3b6feac19f12407b3
Author: Chris Lamb 
Date:   Fri Feb 2 08:56:42 2018 +

Update legacy-maintainer-scripts tests too.
---
 t/tests/legacy-maintainer-scripts/tags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/t/tests/legacy-maintainer-scripts/tags 
b/t/tests/legacy-maintainer-scripts/tags
index 9869a0b..6dc884f 100644
--- a/t/tests/legacy-maintainer-scripts/tags
+++ b/t/tests/legacy-maintainer-scripts/tags
@@ -64,6 +64,7 @@ W: maintainer-scripts: 
maintainer-script-should-not-hide-init-failure postinst:5
 W: maintainer-scripts: maintainer-script-should-not-use-deprecated-chown-usage 
postinst:166 'chown -R root.root'
 W: maintainer-scripts: maintainer-script-should-not-use-deprecated-chown-usage 
postinst:33 'chown root.root'
 W: maintainer-scripts: maintainer-script-should-not-use-gconftool postinst:69
+W: maintainer-scripts: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:166
 W: maintainer-scripts: maintainer-script-should-not-use-start-stop-daemon 
postinst:160
 W: maintainer-scripts: 
maintainer-script-should-not-use-update-alternatives-remove postrm:4
 W: maintainer-scripts: maintscript-calls-ldconfig postrm

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git



Processed: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 889066 + pending
Bug #889066 [lintian] lintian should warn if the maintainer scripts include 
"chown -R" or "chmod -R"
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
889066: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889066
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

2018-02-02 Thread Chris Lamb
tags 889066 + pending
thanks

Fixed in Git, pending upload:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=e46b47690c6018847c48e05d2162562f16bb87e6


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



[lintian] 01/01: Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: #889066)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit e46b47690c6018847c48e05d2162562f16bb87e6
Author: Chris Lamb 
Date:   Fri Feb 2 08:26:45 2018 +

Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent 
hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: 
#889066)
---
 checks/scripts.desc   |  8 
 data/scripts/maintainer-script-bad-command|  1 +
 debian/changelog  |  4 
 t/tests/scripts-maintainer-general/debian/debian/postinst | 11 +++
 t/tests/scripts-maintainer-general/desc   |  1 +
 t/tests/scripts-maintainer-general/tags   |  9 +
 6 files changed, 34 insertions(+)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index a6dbedc..1ed01eb 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -806,3 +806,11 @@ Info: You used /usr/bin/nodejs or 
/usr/bin/env nodejs as an
  .
  Please update your package to use the node variant.
 Ref: #614907, #862051
+
+Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
+Severity: normal
+Certainty: certain
+Info: The maintainer script appears to call chmod or chown
+ with the recursive -R argument. This is vulnerable to hardlink
+ attacks on kernels that do not have fs.protected_hardlinks=1
+Ref: #889060
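Review bot: the Info text names the attack but gives neither its precondition nor a remedy, so a maintainer reading it cannot decide whether to fix or to override. State that the hardlink trick needs an attacker with write access to the tree being recursed over (recursing over a root-owned directory the package has just created is a different risk from recursing over a user-writable spool), and add a "Please ..." paragraph as the other tags in this file carry, for instance creating the directories with the intended owner and mode via install -d so that no recursion is needed, or recording ownership with dpkg-statoverride. The last sentence is also missing its full stop, and Ref: #889060 alone is thin; the kernel's Documentation/sysctl/fs.txt entry for protected_hardlinks would give the reader the background.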
diff --git a/data/scripts/maintainer-script-bad-command 
b/data/scripts/maintainer-script-bad-command
index f0fcc3a..ef5a159 100644
--- a/data/scripts/maintainer-script-bad-command
+++ b/data/scripts/maintainer-script-bad-command
@@ -35,6 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly 
  ~~ 1 ~~^(base-fi
 maintainer-script-should-not-use-fc-cache   ~~ 0 
~~^(fontconfig)$  ~~  ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z)
 maintainer-script-should-not-use-gconftool  ~~ 1 
~~^(gconf\d)$ ~~  ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z)
 maintainer-script-should-not-use-install-sgmlcatalog~~ 1 ~~
~~  ~~\binstall-sgmlcatalog\b
+maintainer-script-should-not-use-recursive-chown-or-chmod   ~~ 1 ~~
~~  ~~\b(?:chmod|chown).*(?:-R|--recursive)\b
 maintainer-script-should-not-use-service~~ 1 ~~
~~  ~~${LEADIN}service\b
 maintainer-script-should-not-use-start-stop-daemon  ~~ 0 ~~
~~  ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b)
 maintainer-script-should-not-use-update-alternatives-remove ~~ 1 ~~
~~^postrm$  ~~\b update\-alternatives\s+\-\-remove\b
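Review bot: the pattern `\b(?:chmod|chown).*(?:-R|--recursive)\b` only matches a stand-alone `-R`, so combined short options such as `chown -hR root:root dir` or `chmod -Rf 755 dir` slip past it (`\b` needs a word boundary right after the R), while the unanchored `.*` also fires on an unrelated `-R` later on the same line, e.g. `chown foo /var/lib/foo && grep -R bar /etc`. Consider matching the flag inside a cluster, something like `\s-[A-Za-z]*R\b`, and stopping the `.*` at `;`, `&&` or `|` so the flag has to belong to the chmod/chown invocation itself.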
diff --git a/debian/changelog b/debian/changelog
index 19cff1b..4aa6a9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,10 @@ lintian (2.5.73) UNRELEASED; urgency=medium
   * data/files/python-generic-modules:
 + [CL] Detect "backports" (and "backport") as overly generic Python
   module names.  (Closes: #888559)
+  * data/scripts/maintainer-script-bad-command:
++ [CL] Warn if the maintainer scripts include "chown -R" or "chmod -R"
+  to prevent hardlink attacks on kernels that do not have
+  fs.protected_hardlinks=1.  (Closes: #889066)
 
   * lib/Lintian/*:
 + [CL] Add support for passing .buildinfo files to Lintian.
diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst 
b/t/tests/scripts-maintainer-general/debian/debian/postinst
index f8d349b..706d7cf 100755
--- a/t/tests/scripts-maintainer-general/debian/debian/postinst
+++ b/t/tests/scripts-maintainer-general/debian/debian/postinst
@@ -206,4 +206,15 @@ if [ -d /usr/share/doc/tworld ]; then
fi
 fi
 
+chown root:root /good
+chmod 777 /good
+chown -R root:root /bad
+chown root:root -R /bad
+chown root:root --recursive /bad
+chown --recursive root:root /bad
+chmod -R 777 /bad
+chmod 777 -R /bad
+chmod 777 --recursive /bad
+chmod --recursive 777 /bad
+
 #DEBHELPER#
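Review bot: the fixture exercises flag-before and flag-after operand orders but no combined short-option form, so it cannot show whether `chown -hR root:root /bad` or `chmod -Rf 777 /bad` are caught; add those, plus a `/good` line where a `-R` belongs to a different command on the same line (`chown root:root /good && ls -R /good`), so that the pattern's coverage and its false-positive behaviour are both pinned down by the test rather than left implicit.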
diff --git a/t/tests/scripts-maintainer-general/desc 
b/t/tests/scripts-maintainer-general/desc
index bfdca94..3132808 100644
--- a/t/tests/scripts-maintainer-general/desc
+++ b/t/tests/scripts-maintainer-general/desc
@@ -25,6 +25,7 @@ Test-For:
  maintainer-script-should-not-use-install-sgmlcatalog
  maintainer-script-should-not-modify-ld-so-conf
  maintainer-script-should-not-modify-netbase-managed-file
+ maintainer-script-should-not-use-recursive-chown-or-chmod
  maintainer-script-should-not-use-start-stop-daemon
  maintainer-script-should-not-use-service
  maintainer-script-should-not-use-update-alternatives-remove
diff --git a/t/tests/scripts-maintainer-general/tags 
b/t/tests/scripts-maintainer-general/tags
index 8a8b143..2813747 100644
--- a/t/tests/scripts-maintainer-general/tags
+++ b/t/tests/scripts-maintainer-general/tags
@@ -41,6 +41,15 @@ W: 

[lintian] branch master updated (4d7ab60 -> e46b476)

2018-02-02 Thread Chris Lamb
This is an automated email from the git hooks/post-receive script.

lamby pushed a change to branch master
in repository lintian.

  from  4d7ab60   spelling: Add several corrections
   new  e46b476   Warn if the maintainer scripts include "chown -R" or 
"chmod -R" to prevent hardlink attacks on kernels that do not have 
fs.protected_hardlinks=1. (Closes: #889066)

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 checks/scripts.desc   |  8 
 data/scripts/maintainer-script-bad-command|  1 +
 debian/changelog  |  4 
 t/tests/scripts-maintainer-general/debian/debian/postinst | 11 +++
 t/tests/scripts-maintainer-general/desc   |  1 +
 t/tests/scripts-maintainer-general/tags   |  9 +
 6 files changed, 34 insertions(+)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git