package Lintian::cpy_check; use strict; use warnings; use autodie; sub run my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; # BAD: This is an example of doing it wrong open(my $fd, '<', $info->unpacked($filename)); ...; close($fd); return;This has two trivial vulnerabilities[2].
package Lintian::cpy_check; use strict; use warnings; use autodie; use Lintian::Util qw(is_ancestor_of); sub run my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; my $root = $info->unpacked my $path = $info->unpacked($filename); if ( -f $path and is_ancestor_of($root, $path)) open(my $fd, '<', $path); ...; close($fd); return;Where is_ancestor_of is the only available utility to assist you currently. It hides away some 10-12 lines of code to resolve the two paths and correctly asserting that $path is (an ancestor of) $root. Prior to Lintian 2.5.12, you would have to do that ancestor check by hand in each and every check[4]. In the new version, the correct code would look something like this:
package Lintian::cpy_check; use strict; use warnings; use autodie; sub run my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; my $path = $info->index_resolved_path($filename); if ($path and $path->is_open_ok) my $fd = $path->open; ...; close($fd); return;Now, you may wonder how that promotes safer code. At first glance, the checking code is not a lot simpler than the previous correct example. However, the new code has the advantage of being safer even if you forget the checks. The reasons are:
One comment Liked this article? Click here. My blog is Flattr-enabled.
<sney> it almost sounds like you're working to replace yourself with automation
I got an error in the man page generation phase -- because at build-time, I don't have requests-oauthlib: make[2]: Leaving directory /tmp/python-pypump-0.5-1+dfsg/docs' help2man --no-info \ -n 'sets up an environment and oauth tokens and allows for interactive testing' \ --version-string=0.5.1 /tmp/python-pypump-0.5-1+dfsg/pypump-shell > /tmp/python-pypump-0.5-1+dfsg/debian/pypump-shell.1 help2man: can't get --help' info from /tmp/python-pypump-0.5-1+dfsg/pypump-shell Try --no-discard-stderr' if option outputs to stderr make[1]: *** [override_dh_auto_build] Error 1 This seems to be because: python-pypump-0.5-1+dfsg ./pypump-shell Traceback (most recent call last): File "./pypump-shell", line 26, in <module> from pypump import PyPump, Client File "/tmp/python-pypump-0.5-1+dfsg/pypump/__init__.py", line 19, in <module> from pypump.pypump import PyPump, WebPump File "/tmp/python-pypump-0.5-1+dfsg/pypump/pypump.py", line 28, in <module> from six.moves.urllib import parse ImportError: No module named urllib $ ./pypump-shell Traceback (most recent call last): File "./pypump-shell", line 26, in <module> from pypump import PyPump, Client File "/tmp/python-pypump-0.5-1+dfsg/pypump/__init__.py", line 19, in <module> from pypump.pypump import PyPump, WebPump File "/tmp/python-pypump-0.5-1+dfsg/pypump/pypump.py", line 29, in <module> from requests_oauthlib import OAuth1 ImportError: No module named requests_oauthlibThe deeper problem was a missing build-dependency, and I explained that in my email. But the meta problem is that Simon didn't try building this in a pbuilder, or otherwise clean build environment. Simon fixed these problems, and submitted a fresh package to Paul Tagliamonte and myself. It happened to have some typos in the names of the new build dependencies. Paul reviewed the fixed package, noticed the typos, fixed them, and uploaded it. Simon had forgotten to do a test build the second time, too, which is an understandable human failure. There was a two-day delay between Simon's fixed resubmission, and Paul signing+uploading the fixed result. In a pedagogical sense, there's something disappointing about that exchange for me: Paul fixed an error Simon introduced, so we're not teaching Simon to take total responsibility for his packages in Debian, nor to understand the Debian system as well as he could. (Luckily, I think Simon already understands the importance of taking responsibility! In this case, it's just a hypothetical in this case.)
<paulproteus> The automation here, I think, is really interesting. <paulproteus> What I really want is for mentees to show up to me and say "Here is my package + build log with pbuilder, can you sponsor it please?" <Unit193> Oooooh! -*- Unit193 gets ideas. <paulproteus> Although the irony is that I actually like the community-building and relationship-building nature of having these things be conversations. <bremner> how will this brave new world cope with licensing issues? <paulproteus> bremner: It's not a replacement for actual review, just a tool-assist. <paulproteus> bremner: You might be relieved to know that much of Unit193's and my back and forth related to get-orig-source and licensing. (-: <bremner> I didn't doubt you ;). <paulproteus> If necessary I can just be a highly productive reviewer, but I would prefer to figure out some way that I can get other non-paulproteus people to get a similar assist. <paulproteus> I think the current blocker is "omg travis why are you bound to githubbbbbbbb" which is a reasonable concern.
Build-Depends: large (>= 1.0), small <!profile.stage1>
But until packages with that syntax can hit the archive, a few more tools need
to understand the syntax. The patch we have for sbuild is very simple
because sbuild relies on libdpkg for dependency parsing.
We have a patch for apt too, but we have to rebase it for the current apt
version and have to adapt it so that it works exactly like the functionality
dpkg implements. But before we can do that we have to decide how to handle
mixed positive and negative qualifiers or whether to remove this feature
altogether because it causes too much confusion. The relevant thread on
debian-dpkg starts here.
./tools
directory contains many Python
scripts using the networkx module to modify GraphML and the apt_pkg module to
modify rfc822 files.
tred
tool which is part of graphviz and
allows to calculate the transitive reduction of a graph. This can help
making horrible situations much better.
Today I had to pleasure of releasing Lintian 2.5.18.1. It is a minor bug fix release on top of Lintian 2.5.18 (which I also released today ). When I was about to deploy the new version of Lintian on lintian.debian.org, I noticed a couple of errors in the log file that smelled of bugs. Indeed, when I investigated them I found two bugs, which were both introduced in Lintian 2.5.17.
Due to another bug in 2.5.17 and the some of the false-positives fixes, we are now doing a full run on lintian.debian.org. After having run for 7 hours, Lintian passed cipux . My rough estimate suggests that it will take 8 days at the current rate. For comparision, when we added amd64, Lintian spent 5 days processing all the new binaries (plus their source and the old binaries built from those source packages).
Of course estimate is rather rough. In particular, I am not sure that the heavy duty groups (e.g. linux and libreoffice) are evenly spread out among the letters of the alphabeth. Anyhow, there will be no updates on lintian.debian.org for the next week or so.
Next.