Accepted lintian 2.5.12 (source all)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 16 Apr 2013 17:32:09 +0200
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.12
Distribution: experimental
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
lintian - Debian package checker
Closes: 359059 591812 615516 652380 652595 659335 668437 670963 678857 681061 683737 685299 692548 693918 695839 695866 695967 696230 696960 697534 697693 697916 698234 698602 698610 698704 698720 699452 699628 699670 700110 700543 700882 701061 703490 703978 703985 703989 704446 705175
Changes:
lintian (2.5.12) experimental; urgency=medium
.
* Summary of tag changes:
+ Added:
- ambiguous-paragraph-in-dep5-copyright
- binary-file-built-without-LFS-support
- debian-tests-control-is-not-a-regular-file
- debian-tests-control-uses-national-encoding
- debug-file-with-no-debug-symbols
- desktop-entry-lacks-keywords-entry
- dir-or-file-in-build-tree
- dir-or-file-in-etc-opt
- dir-or-file-in-home
- file-name-is-not-valid-UTF-8
- font-adobe-copyrighted-fragment-no-credit
- font-package-not-multi-arch-foreign
- illegal-runtime-test-name
- inconsistent-testsuite-field
- license-problem-gfdl-invariants
- license-problem-gfdl-invariants-empty
- menu-icon-uses-relative-path
- missing-runtime-test-file
- missing-runtime-tests-field
- package-contains-broken-symlink-wildcard
- package-contains-unsafe-symlink
- runtime-test-file-is-not-a-regular-file
- source-contains-unsafe-symlink
- unknown-runtime-tests-feature
- unknown-runtime-tests-field
- unknown-runtime-tests-restriction
- unknown-testsuite
- vcs-field-bitrotted
- vcs-git-uses-invalid-user-uri
- zip-parse-error
+ Removed:
- unneeded-build-dep-on-quilt
.
* checks/*:
+ [NT] Avoid following unsafe symlinks. (CVE-2013-1429)
* checks/binaries{,.desc}:
+ [NT] Accept libx32 as a bi-arch directory.
+ [NT] Correct reference policy reference. Thanks to
Samuel Bronson for the correction. (Closes: #698234)
+ [NT] Detect debug ELF binaries with no debug symbols.
Thanks to Nelson A. de Oliveira for the report.
(Closes: #668437)
+ [NT] Check for binaries built without LFS. This can
only be checked for 32bit binaries as 64bit binaries
have LFS by definition. Thanks to Guillem Jover for
the report and patches. (Closes: #670963)
+ [NT] Apply patch from Samuel Bronson to bump severity
(but decrease certainty) of the "not linked against
libc" tags. (Closes: #698720)
* checks/copyright:
+ [NT] Apply patch from Evgeni Golov to avoid false
positive tag when the MPL-2.0 license appears in the
copyright file. (See #626454)
* checks/cruft{,.desc}:
+ [NT] Do not emit the license-problem-json-evil tag for
non-free packages.
+ [NT] Apply patch from Bastien Roucariès to catch GFDL
licenses with invariants (etc.). (Closes: #695967)
+ [NT] Correct description of an autotools tag. Thanks
to Alberto Garcia and Timo Juhani Lindfors for the
report and patch. (Closes: #703490)
+ [NT] Check for unsafe symlinks (outside common testsuite
paths).
* checks/debconf:
+ [NT] Fix several path traversal issues that could leak
information about the host system. (CVE-2013-1429)
* checks/debhelper{,.desc}:
+ [JW] Assume the proper python helpers are called if a
(Makefile) variable is used. (Closes: #659335)
+ [JW] Promote python-depends-but-no-python-helper and
python3-depends-but-no-python3-helper to non-experimental.
* checks/description:
+ [NT] Ignore "extended-description-is-probably-too-short"
for metapackages. Thanks to Axel Beckert for the
report.
* checks/duplicate-files.desc:
+ [NT] Demote severity of "duplicate-files" tag to pedantic.
* checks/fields{,.desc}:
+ [NT] Apply patch from Samuel Bronson to detect some
broken or poor Vcs URLs. Also thanks to James McCoy for
his report. (Closes: #652595)
+ [JW] Reduce severity of b-d-on-python-dev-with-no-arch-any
to minor.
+ [NT] Skip "depends-on-packaging-dev" for metapackages.
+ [NT] Apply patch from Gregor Herrmann to catch metacpan
homepage links with versions. (Closes: #700110)
+ [NT] Apply patch from Vasudev Kamath to detect fonts
packages without a Multi-Arch foreign (or allowed) field.
(Closes: #701061)
* checks/files{,.desc}:
+ [NT] Apply patch from Bastien Roucariès to catch paths
in (common) build dirs. (Closes: #678857)
+ [NT] Do not suggest the use of "virtual package" as a way
to suppress empty-binary-package. Lintian will still
accept it the phrase for now.
+ [NT] Accept libx32 as an bi-arch directory.
+ [NT] Ignore gzipped lintian overrides when checking whether
a package is empty.
+ [NT] Fix typo of Pre-Depends, thanks to Raúl Benencia for
spotting it. (Closes: #699452)
+ [NT] Add patch from Bastien Roucariès to check for another
adobe font license issues. (Closes: #705175)
+ [NT] Test for use of file names that are contain invalid
UTF-8 byte sequences. Thanks to Helmut Grohne for the
suggestion. (Closes: #704446)
* checks/init.d:
+ [NT] Fix regression where Lintian would not properly match
init.d passed to update-rc.d. Thanks to Michael Meskes for
reporting. (Closes: #698602)
+ [NT] Fix possible symlink traversal that could leak
information about the host system. (CVE-2013-1429)
* checks/java{,.desc}:
+ [NT] Report possibly broken jar files.
* checks/md5sums:
+ [NT] Fix path traversal issue that could leak information
about the host system.
* checks/menu-format{,.desc}:
+ [NT] Apply patch from Bastien Roucariès to detect missing
"Keywords" in desktop files. Thanks to Jeremy Bicha for
the report. (Closes: #693918)
+ [NT] Apply patch from Matthias Klumpp to add missing
"Science" category. (Closes: #697693)
+ [NT] Apply patch from Thomas Preud'homme to detect uses of
relative icons in menu files. (Closes: #697916)
+ [NT] Document why only XPM are allowed in the tag description
of menu-icon-not-in-xpm-format. (Closes: 591812)
* checks/menus:
+ [NT] Fix path traversal issue that could leak information
about the host system. (CVE-2013-1429)
* checks/patch-systems{,.desc}:
+ [NT] Retire unneeded-build-dep-on-quilt, it is only a pedantic
tag and apparently not too accurate. Thanks to Charles Plessy
and Frank Kuester for the reports. (Closes: #615516, #681061)
* checks/po-debconf:
+ [NT] Unconditionally set INTLTOOL_EXTRACT.
* checks/rules:
+ [NT] Remove ant1.7 as alternative to ant as ant1.7 has been
removed from Wheezy.
* checks/scripts:
+ [NT] Treat scripts in /usr/src/ like they were documentation.
* checks/shared-libs:
+ [NT] Special case gcc packages when looking for dev symlinks.
gcc stores its dev symlinks in some special directories.
+ [NT] Fix path traversal issue that could leak information
about the host system. (CVE-2013-1429)
* checks/source-copyright{,.desc}:
+ [JW,NT] Add a separate tag for ambiguous DEP-5 paragraphs,
where Lintian cannot reliably figure out what is intended.
Thanks to Julian Taylor for the report. (Closes: #652380)
+ [NT] Add paragraph line number to the "field typo" tag.
* checks/symlinks{,.desc}:
+ [NT] Warn about broken symlinks that contains a literal "*"
in their target. This is usually a sign that a wildcard did
not properly expand. Thanks to Bernd Zeimetz for the report.
(Closes: #683737)
+ [NT] Demote certainty of package-contains-broken-symlink to
wild-guess.
+ [NT] Check for unsafe symlinks in binary packages.
* checks/testsuite{,.desc}:
+ [NT] New check written by Nicolas Boulenguez to catch some
mistakes with the new autopkgtest tests.
.
* collection/*:
+ [NT] Avoid reading files outside the package root.
(CVE-2013-1429)
* collection/{changelog-file,debian-readme}:
+ [NT] Ignore files in usr/doc/<pkg>.
+ [NT] Skip collection if usr/share/doc/<pkg> is not contained
within the package root. (CVE-2013-1429)
* collection/hardening-info{,-helper,.desc}:
+ [NT] Whitelist "memset" and "memmove" as "always safe"
functions. Thanks to Sebastian Ramacher for the suggestion
and Roland Stigge for the report. (Closes: #685299)
+ [NT] Remove work around for #677530
* collection/index{,.desc}:
+ [NT] Fix missing trailing slash on dirnames and bump index
version accordingly. Thanks to Nicolas Boulenguez for
noticing.
* collection/java-info:
+ [NT] Gracefully handle broken Jar files. Thanks to Paul
Tagliamonte for the report. (Closes: #700543)
* collection/strings:
+ [NT] Fix a regression in filtering out "debug" ELF binaries.
.
* data/binaries/arch-regex:
+ [NT] Recognise x32 as an ELF32 binary.
* data/fields/obsolete-packages:
+ [NT] Apply patch from Guillem Jover to add fuse-utils as an
obsolete package. (Closes: #697534)
* data/files/locale-codes:
+ [NT] Refresh against sid data files.
* data/menu-format/add-categories:
+ [NT] Apply patch from Matthias Klumpp to add missing
subcategories.
* data/output/manual-references:
+ [NT] Refresh with Policy 3.9.4.
* data/scripts/interpreter:
+ [NT] Add cfagent as a known interpreter. Thanks to Andreas
Mundt for the suggestion. (Closes: #699670)
* data/scripts/versioned-interpreters:
+ [NT] Apply patch from Thijs Kinkhorst to add lua5.2 as a
versioned alternative to lua. (Closes: #698704)
* data/shared-libs/ldconfig-dirs:
+ [NT] Add libx32 and usr/libx32 used by some gcc x32 bi-arch
packages.
* data/spelling/corrections{,-case}:
+ [JW] Add correction for "privileges". (Closes: #700882)
+ [NT] Warn about incorrect case of "OpenStreetMap". Thanks
to Paul Wise for the patch.
.
* debian/control:
+ [NT] Bump dependency on hardening-includes to avoid having
to work around #677530.
+ [NT] Add XS-Testsuite for autopkgtest tests.
+ [NT] Add Build-Depends on libtest-perl-critic-perl.
+ [NT] Add (Build-)Depends on liblist-moreutils-perl and
libfile-basedir-perl.
+ [NT] Add versioned (Build)-Depends on perl | libautodie-perl.
* debian/lintian.install:
+ [NT] Install Test::Lintian in /usr/share/lintian/lib.
* debian/rules:
+ [NT] Include the new Tutorial pods in the "api-doc" target.
* debian/tests/{control,testsuite,testsuite-legacy}:
+ [NT] New file.
.
* doc/tutorial/Lintian/Tutorial{/WritingChecks}.pod:
+ [NT] Add POD tutorial on writing checks.
.
* frontend/lintian{,-info}:
+ [NT] Add --include-dir command line option. This can be used
to load additional Lintian checks, profiles, libraries or data.
(Closes: #359059)
* frontend/lintian:
+ [NT] Remove "make-shift" lab-query support now that
Lintian::Lab supports it.
+ [NT] Add new command line option "--[no-]user-dirs" to disable
loading from $HOME/.lintian{rc,/} and /etc/lintian{rc,/}.
+ [NT] Error out early if a check cannot be loaded.
+ [NT] Make --suppress-tags{,--from-file} do something when used
with --check-part and document that --tags causes the option
to be ignored.
+ [NT] Accept the magic token "{VENDOR}" as a part of the value
to --profile.
+ [NT] Add new command line option "--ignore-lintian-env" to make
lintian ignore all environment variables starting with LINTIAN_.
+ [NT] Add a new command line option --no-display-experimental
and --default-display-level. These options can be used to
override some display options from the config file.
(Closes: #703985)
+ [NT] Also search for the lintianrc file in XDG_CONFIG_{HOME,DIRS}.
The default paths are now ~/.config/lintian/lintianrc and
/etc/xdg/lintian/lintianrc. The previous lintianrc paths are
still accepted.
+ [NT] Stop looking for lintianrc files in the LINTIAN_ROOT.
+ [NT] Stop exporting LINTIAN_LAB to processes run by lintian.
+ [NT] Use of --root (or setting LINTIAN_ROOT) will now imply
the option --no-user-dirs by default.
.
* lib/*:
+ [NT] Use "parent" instead of the "base" pragma.
* lib/Lintian/Collect.pm:
+ [NT] Add "is_non_free" method to easily check of a given
package appears to be non-free.
* lib/Lintian/Collect/Binary.pm:
+ [NT] Re-instate the "TEXTREL" marker. This fixes a regression
where shared-libs compiled without pic was not reported.
Thanks to Dmitry Shachnev for the assistance in debugging this.
+ [NT] Recognise packages in section "metapackages" as a
metapackage. Thanks to Axel Beckert for the report.
(Closes: #698610)
* lib/Lintian/Collect/Package.pm:
+ [NT] Ensure the "root" entry of indices do not contain itself.
(Closes: #695866)
+ [NT] Add warning to unpacked and debfiles when they are given a
path with leading slash or dot-slash.
+ [NT] When a check requests access to a raw file (or dir) in the
package, ensure that the resulting path does not "escape" the
top level directory. This should preemptively guard against some
(but not all) traversal attempts.
* lib/Lintian/Path.pm:
+ [NT] Document that link_resolved is not sufficient to test the
"safeness" of a symlink.
* lib/Lintian/Command/Simple.pm:
+ [NT] Use constant time lookup access instead of linear scan with
"hashref" wait.
* lib/Lintian/Lab.pm:
+ [NT] Add lab_query method to handle lab-queries directly.
+ [NT] Fix bitrot of repair_lab and rename it to repair for
consistency.
* lib/Lintian/Lab{,/Manifest}.pm:
+ [NT] Add support for grouping of manifests.
* lib/Lintian/Lab/Manifest.pm:
+ [NT] Fix an error in visit_all when sufficient keys for an
exact look up was given.
* lib/Lintian/Processable.pm:
+ [NT] Fix issue where packages loaded from the lab indices would
sometimes get a wrong source-version.
* lib/Lintian/Relation/Version.pm:
+ [NT] Add and export "versions_comparator" that can be used for
sorting purposes.
* lib/Lintian/Tag/Info.pm:
+ [NT] Use "&" in the manpage ref URLs to generate proper HTML.
Thanks to Vasudev Kamath for reporting the issue.
+ [NT] Produce a more helpful error message when a tag has an
invalid severity or certainty. (Closes: #703978)
* lib/Lintian/Tags.pm:
+ [NT] Deal with parsing an ambiguous override a bit better. This
solves false-positive malformed-override, where Lintian misparsed
the tag name as a package name. (Closes: #699628)
* lib/Lintian/Util.pm:
+ [NT] Reject partially signed Deb822 files. Most Deb822 files
are not signed at all; but those that are should be completely
covered by a signature. (Closes: #696230)
+ [ADB] Fix a typo in the matching of expected delimiters for some
signed messages; thanks Samuel Bronson.
+ [NT] Add sub to check if a path is contained within a given dir.
+ [NT] Fix bug in resolve_pkg_path that made it resolve some links
incorrectly.
+ [NT] Document that resolve_pkg_path is not sufficient to test the
"safeness" of a symlink.
.
* man/lintian.pod.in:
+ [NT] Document that --pedantic is the same as "-L +=pedantic".
(Closes: #703989)
+ [NT] Fix typo of the "override" variable in the config example.
.
* private/refresh-locale-codes:
+ [JW,NT] Ignore the "zxx" locale code, which means "No
linguistic content". (Closes: #692548)
.
* reporting/config:
+ [JP] Remove unused $GRAPH_DIR configuration option.
* reporting/graphs/{statistics,tags}.gpi:
+ [JP] Tweak graph size to allow longer labels, and force font
family.
* reporting/harness:
+ [NT] Add --to-stdout option to emit log information to
stdout as well as the log files.
+ [NT] Always schedule packages in groups. Otherwise, binNMU'ed
binaries would not be tested together with their source
package (and architecture independent packages).
+ [NT] Schedule groups in chunks (default 512 per chunk).
This makes the Lintian processes shorter and makes memory
reclaimable sooner. (Closes: #695839)
+ [NT] Remove "make-shift" lab-query support now that
Lintian::Lab supports it.
* reporting/html_reports:
+ [NT] Update xrefs to include source version.
+ [NT] Generate a text file suitable for Apache's RewriteMap to
map source packages to the full report for that source.
Thanks to Joerg "Gannef" Jasper for the suggestion to use
RewriteMap. (Closes: #696960)
+ [JP] Fix version labels glitches.
+ [JP] Use global $GRAPHS_RANGE_DAYS.
+ [JP] Pass graph variables to index and tag templates.
* reporting/lintian.css:
+ [JP] Tweak graph alignment.
* reporting/templates/{packages,maintainer,tag}.tmpl:
+ [NT] Properly handle multiple versions of the same source and
add versioned anchors to them.
* reporting/templates/{index,tag}.tmpl:
+ [JP] Include history graphs in HTML templates.
* reporting/templates/tag.tmpl:
+ [NT] Fix "empty <ul>" tag when tag has no "extra" information.
Thanks to Vasudev Kamath for reporting the issue.
Checksums-Sha1:
ddf3c09ac3eef3279c01143e76fad1f179f3fbde 2744 lintian_2.5.12.dsc
4a3406ccca10ba23370b1bdc6b289325492d55da 1214604 lintian_2.5.12.tar.gz
53a0feb6f84d5e5aa8b45be10b2509806c5ba258 764638 lintian_2.5.12_all.deb
Checksums-Sha256:
786a1a4514c8a164ece69e0993233a21239c4154a319769b78f12ca00f4a2e55 2744 lintian_2.5.12.dsc
ff9e384c6ccca2d548f1a0556ff48a618a459202436ef272353e5f2f2e285a69 1214604 lintian_2.5.12.tar.gz
5bbda1a37dff54fed6a147238ed01c4ed5f42cd35bb23f62f2bf2985d4491e9c 764638 lintian_2.5.12_all.deb
Files:
5fb5f694a00e8f335221c67a9411e9e0 2744 devel optional lintian_2.5.12.dsc
ebbe19d8d72bf1736ddf3c5589bf26d4 1214604 devel optional lintian_2.5.12.tar.gz
3dfec91cac8da7b18bee9d901cd7f333 764638 devel optional lintian_2.5.12_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJRbXXBAAoJEAVLu599gGRCn8oP/2WAwhVIDySPMTj20WNRIAx4
I9UdqfB0LHr0hG7nk+9MI7pk5kPtUqo9Bw3qioxUu/8Seq6KIgsM40oyfdy5/N4a
3tSv3zwrQGWV9NDprzfjPmANk6tMHCt0IhAYhrzPIwIQd6cHwUBCdX7HwyJr/DoK
cVa+C4AYtFb3wnDkhxb8ri7JGyb97d5OQpVuLGyK4qCSMbQRABdnARcrlCPAu0tl
uuA3uVZU0m8nIlk4Cu907AvbT73WPgGefmuLRn6wrgLqOd+ZY5VKzkg4vt8Gwyjy
ZI5mOeEci2Uk8hKQ1f6gRQLKAh1IqRlErmVoRaksqe5RiZrkZ6vG877uDCbhhszB
AS0UG+tVBypQxc9WfLtmsq3rvnrqXnis0IpIXWAb2AYxlcFGSoXr88LZhToDZIco
CYUusUIKiQU7V3BEk2zqmlRa9jW6rDKHXNYaoh0qpPDH6jSs+LahMimnjfn6Xb5e
wcYsuyDj0n+Qea6lX4dvRayF5Htv9vfBd3EW6MrYsEarCCU5YBRWD9cnoE2r/mfq
pUPyJTXPlqVDm6QU1do7bpxjlxomJBgcRTQCJ9MKI+qqkqsGZQOXeKOB4g2njzTh
b2IEF1IGQn0PInjBIfwvwtRs916v20pR5/HGzL1vS/4TwRezagtg4uClZ3MUNiaZ
4IIOE7aSbi9ub05ZZOHJ
=DHVN
-----END PGP SIGNATURE-----