Commit e05ddc3d authored by Chris Lamb's avatar Chris Lamb 👀

Make orig-tarball-missing-upstream-signature a "dsc" check so it appears when...

Make orig-tarball-missing-upstream-signature a "dsc" check so it appears when running against non-.changes files. (Closes: #922557)
parent d6665070
+0 −20
@@ -193,26 +193,6 @@ Info: The distribution in the <tt>Changes</tt> field copied from
 to be released yet.
Ref: #542747

Tag: orig-tarball-missing-upstream-signature
Severity: normal
Certainty: certain
Info: The packaging includes an upstream signing key but the corresponding
 <tt>.asc</tt> signature for one or more source tarballs are not included
 in your .changes file.
 .
 Please ensure a
 <tt>&lt;package&gt;_&lt;version&gt;.orig.tar.&lt;ext&gt;.asc</tt> file
 exists in the same directory as your
 <tt>&lt;package&gt;_&lt;version&gt;.orig.tar.&lt;ext&gt;</tt> tarball prior
 to <tt>dpkg-source --build</tt> being called.
 .
 If you are repackaging your source tarballs for Debian Free Software
 Guidelines compliance reasons, ensure that your package version includes
 <tt>dfsg</tt> or similar.
 .
 Support for signatures was added to <tt>pristine-tar</tt> in version 1.41
 and support in <tt>git-buildpackage</tt> is being tracked in #872864.

Tag: changed-by-invalid-for-derivative
Severity: serious
Certainty: certain
+1 −24
@@ -23,7 +23,7 @@ use strict;
use warnings;
use autodie;

use List::MoreUtils qw(none any);
use List::MoreUtils qw(any);

use Lintian::Tags qw(tag);
use Lintian::Check qw(check_maintainer);
@@ -31,7 +31,6 @@ use Lintian::Data;
use Lintian::Util qw(get_file_checksum);

my $KNOWN_DISTS = Lintian::Data->new('changes-file/known-dists');
my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');

sub run {
    my (undef, undef, $info, undef, $group) = @_;
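Review bot: `$group` in `my (undef, undef, $info, undef, $group) = @_;` looks unused after this commit, since the only visible reference (`$group->get_source_processable`) is removed in the hunk at line 184 of this file; if nothing else in `run` reads it, the unpacking can shrink to `my (undef, undef, $info) = @_;`. The rest of `run` continues outside the hunk, so this needs confirming against the full file before changing it.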
@@ -184,18 +183,6 @@ sub run {
        check_maintainer($info->field('changed-by'), 'changed-by');
    }

    my $has_signing_key = 0;
    my $src = $group->get_source_processable;
    if ($src) {
        for my $key_name ($SIGNING_KEY_FILENAMES->all) {
            my $path = $src->info->index_resolved_path("debian/$key_name");
            if ($path and $path->is_file) {
                $has_signing_key = 1;
                last;
            }
        }
    }

    my $files = $info->files;
    my $path = readlink($info->lab_data_path('changes'));
    my %num_checksums;
@@ -203,16 +190,6 @@ sub run {
    foreach my $file (keys %$files) {
        my $file_info = $files->{$file};

        # Ensure all orig tarballs have a signature if we have an upstream
        # signature.
        if (   $has_signing_key
            && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./
            && $file !~ m/\.asc$/
            && !$info->repacked) {
            tag 'orig-tarball-missing-upstream-signature', $file
              if none { exists $files->{"$_.asc"} } ($file, $1);
        }

        # check section
        if (   ($file_info->{section} eq 'non-free')
            or ($file_info->{section} eq 'contrib')) {
+20 −0
@@ -418,3 +418,23 @@ Info: For licensing reasons packages from the non-free section are not
 license) add <tt>XS-Autobuild: yes</tt> into the header part of
 debian/control and get the package added to the "autobuild" whitelist.
Ref: devref 5.10.5

Tag: orig-tarball-missing-upstream-signature
Severity: normal
Certainty: certain
Info: The packaging includes an upstream signing key but the corresponding
 <tt>.asc</tt> signature for one or more source tarballs are not included
 in your .changes file.
 .
 Please ensure a
 <tt>&lt;package&gt;_&lt;version&gt;.orig.tar.&lt;ext&gt;.asc</tt> file
 exists in the same directory as your
 <tt>&lt;package&gt;_&lt;version&gt;.orig.tar.&lt;ext&gt;</tt> tarball prior
 to <tt>dpkg-source --build</tt> being called.
 .
 If you are repackaging your source tarballs for Debian Free Software
 Guidelines compliance reasons, ensure that your package version includes
 <tt>dfsg</tt> or similar.
 .
 Support for signatures was added to <tt>pristine-tar</tt> in version 1.41
 and support in <tt>git-buildpackage</tt> is being tracked in #872864.
+24 −1
@@ -24,7 +24,7 @@ use warnings;
use autodie;

use List::MoreUtils qw(any);
use List::Util qw(first);
use List::Util qw(first none);

use Lintian::Data ();
use Lintian::Relation ();
@@ -46,6 +46,8 @@ my $KNOWN_DBG_PACKAGE = Lintian::Data->new(
        return qr/$_[0]/xms;
    });

my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');

sub run {
    my ($pkg, undef, $info, undef, $group) = @_;
    my $debian_dir = $info->index_resolved_path('debian/');
@@ -459,6 +461,27 @@ sub run {
      and $info->is_non_free
      and $info->source_field('xs-autobuild', 'no') eq 'no';

    # Ensure all orig tarballs have a signature if we have an upstream
    # signature.
    my $files = $info->files;
    my $has_signing_key = 0;
    for my $key_name ($SIGNING_KEY_FILENAMES->all) {
        my $path = $info->index_resolved_path("debian/$key_name");
        if ($path and $path->is_file) {
            $has_signing_key = 1;
            last;
        }
    }
    foreach my $file (keys %$files) {
        if (   $has_signing_key
            && $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./
            && $file !~ m/\.asc$/
            && !$info->repacked) {
            tag 'orig-tarball-missing-upstream-signature', $file
              if none { exists $files->{"$_.asc"} } ($file, $1);
        }
    }

    return;
}

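Review bot: `$1` in `none { exists $files->{"$_.asc"} } ($file, $1)` is read three conditions after the match that sets it, with `$file !~ m/\.asc$/` and the `$info->repacked` call in between; a failed match leaves the capture variables untouched and a match inside a called sub is scoped to that sub, so this works today, but it is fragile to maintain and a named lexical is clearer. The signing-key loop and the per-file loop also run even when `$info->repacked` is true or no key was found, so the repacked test can be hoisted in front of the loop instead of being re-evaluated per file. Separately, the `.desc` text for this tag moved in this commit still says the signature is missing from "your .changes file", while `$info->files` here comes from the source package's `Files` field, so `.dsc` would now be the accurate wording. The enclosing `run` starts outside the hunk.
```perl
    # … unchanged: signing-key lookup filling $has_signing_key …
    if ($has_signing_key and not $info->repacked) {
        foreach my $file (keys %$files) {
            next if $file =~ m/\.asc$/;
            my ($tar_base) = $file =~ m/(^.*\.orig(?:-[A-Za-z\d-]+)?\.tar)\./;
            next unless defined $tar_base;
            tag 'orig-tarball-missing-upstream-signature', $file
              if none { exists $files->{"$_.asc"} } ($file, $tar_base);
        }
    }
```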
+84 −1
@@ -30,7 +30,7 @@ use Lintian::Relation;
use Parse::DebianChangelog;

use Lintian::Util
  qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX);
  qw(get_file_checksum read_dpkg_control open_gz $PKGNAME_REGEX $PKGREPACK_REGEX strip);

=head1 NAME

@@ -187,6 +187,89 @@ sub native {
    return $self->{native};
}

=item files

Returns a reference to a hash containing information about files listed
in the .changes file.  Each hash may have the following keys:

=over 4

=item name

Name of the file.

=item size

The size of the file in bytes.

=item checksums

A hash with the keys being checksum algorithms and the values themselves being
hashes containing

=over 4

=item sum

The result of applying the given algorithm to the file.

=item filesize

The size of the file as given in the .changes section relating to the given
checksum.

=back

=back

Needs-Info requirements for using I<files>: L<Lintian::Collect/field ([FIELD[, DEFAULT]])>

=cut

sub files {
    my ($self) = @_;

    return $self->{files} if exists $self->{files};

    my %files;

    my $file_list = $self->field('files') || '';
    local $_;
    for (split /\n/, $file_list) {
        strip;
        next if $_ eq '';

        my ($md5sum,$size,$file) = split(/\s+/o, $_);
        next if $file =~ m,/,;

        $files{$file}{checksums}{md5} = {
            'sum' => $md5sum,
            'filesize' => $size,
        };
        $files{$file}{name} = $file;
        $files{$file}{size} = $size;
    }

    foreach my $alg (qw(sha1 sha256)) {
        my $list = $self->field("checksums-$alg") || '';
        for (split /\n/, $list) {
            strip;
            next if $_ eq '';

            my ($checksum, $size, $file) = split(/\s+/o, $_);
            next if $file =~ m,/,;

            $files{$file}{checksums}{$alg} = {
                'sum' => $checksum,
                'filesize' => $size
            };
        }
    }

    $self->{files} = \%files;
    return $self->{files};
}

=item repacked

Returns true if the source package has been "repacked" and false otherwise.
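Review bot: The POD for `files` says the hash describes files "listed in the .changes file" and sizes "as given in the .changes section", but this is Lintian::Collect::Source and the values are read from `$self->field('files')` and the `checksums-*` fields of the source package, so both places should say `.dsc`; the `sum` entry should also state that it is the digest as declared in that field, not recomputed from the file, so callers must not treat it as verified. Each parsed line is split on whitespace and `$file` is then used without checking it is defined, so a malformed or truncated `Files`/`Checksums-*` line produces uninitialized-value warnings and an entry under the empty key; add `next unless defined $file;` after each `split` (or capture into a list and `next unless @fields == 3;`). The `/o` on `split(/\s+/o, $_)` has no effect on a constant pattern and can be dropped, and naming the loop variable instead of `local $_` plus bare `strip` would make the two loops easier to read. The two `next if $file =~ m,/,;` lines silently drop entries with a path component; a one-line comment giving the reason (the field format allows only bare file names) would help the next reader.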