daklib/checks.py

@@ -460,26 +460,37 @@ class BinaryCheck(Check):
 
         # check dependency field syntax
 
-        for field in ('Breaks', 'Conflicts', 'Depends', 'Enhances', 'Pre-Depends',
-                      'Provides', 'Recommends', 'Replaces', 'Suggests'):
+        def check_dependency_field(
+                field, control,
+                dependency_parser=apt_pkg.parse_depends,
+                allow_alternatives=True,
+                require_strict_dependency=False):
             value = control.get(field)
             if value is not None:
                 if value.strip() == '':
                     raise Reject('{0}: empty {1} field'.format(fn, field))
                 try:
-                    apt_pkg.parse_depends(value)
+                    depends = dependency_parser(value)
                 except:
                     raise Reject('{0}: APT could not parse {1} field'.format(fn, field))
+                for group in depends:
+                    if not allow_alternatives and len(group) != 1:
+                        raise Reject('{0}: {1}: alternatives are not allowed'.format(fn))
+                    if require_strict_dependency \
+                       and any(dependency[2] != '=' for dependency in group):
+                        raise Reject('{0}: {1}: only strict dependencies ("=") are allowed'.format(fn, field))
 
-        for field in ('Built-Using',):
-            value = control.get(field)
-            if value is not None:
-                if value.strip() == '':
-                    raise Reject('{0}: empty {1} field'.format(fn, field))
-                try:
-                    apt_pkg.parse_src_depends(value)
-                except:
-                    raise Reject('{0}: APT could not parse {1} field'.format(fn, field))
+        for field in ('Breaks', 'Conflicts', 'Depends', 'Enhances', 'Pre-Depends',
+                      'Recommends', 'Replaces', 'Suggests'):
+            check_dependency_field(field, control)
+
+        check_dependency_field("Provides", control,
+                               allow_alternatives=False,
+                               require_strict_dependency=True)
+        check_dependency_field("Built-Using", control,
+                               dependency_parser=apt_pkg.parse_src_depends,
+                               allow_alternatives=False,
+                               require_strict_dependency=True)
 
 
 class BinaryTimestampCheck(Check):

docs/debian-specific.rst

@@ -83,10 +83,11 @@ NEW processing
     CHANGES=FILENAME.changes
     dak process-new
     cd /srv/security-master.debian.org/queue/new/COMMENTS
-    { echo NOTOK; echo; echo "Moving back to unchecked"; } > "REJECT.${CHANGES}"
-    rm "ACCEPT.${CHANGES}"
+    echo $'NOTOK\n\nMoving back to unchecked' > "REJECT.${CHANGES%.changes}"
+    rm "ACCEPT.${CHANGES%.changes}"
     dak process-policy new; dak clean-suites
     cd /srv/security-master.debian.org/queue/reject
+    # Careful! This is only correct if there are no previous uploads!
     dak admin forget-signature ${CHANGES}
     dcmd mv -nt ../unchecked -- ${CHANGES}
     /srv/security-master.debian.org/dak/config/debian-security/cronscript unchecked