sisyphus_check-0.8.39/000075500000000000000000000000001215307214500146355ustar00rootroot00000000000000sisyphus_check-0.8.39/fhs000064400000000000000000000012771215307214500153470ustar00rootroot00000000000000# pkgname_pattern pathname_regexp MAKEDEV ^/dev/MAKEDEV$ acct ^/var/account($|/) anonftp ^/var/ftp($|/) apache-common ^/var/www($|/) arm-palmos-* ^/usr/arm-palmos($|/) avahi-daemon ^/var/avahi$ avahi-daemon ^/var/resolv/var/avahi$ avr-* ^/usr/avr($|/) chrooted-resolv ^/var/resolv($|/) dev ^/dev($|/) dev-minimal ^/dev($|/) gpm ^/dev/gpmctl$ m68k-palmos-* ^/usr/m68k-palmos($|/) mingw32-* ^/usr/i586-pc-mingw32($|/) mingw64-* ^/usr/x86_64-pc-mingw32($|/) msp430* ^/usr/msp430($|/) oracle-preinstall ^/opt/oracle($|/) pam[02]_mktemp ^/tmp/\.private$ prc-tools-common ^/opt/palmdev$ rootfiles ^/root($|/) sysvinit ^/dev/initctl$ udev ^/dev($|/) webserver-common ^/var/www($|/) sisyphus_check-0.8.39/sisyphus-check-functions000064400000000000000000000054701215307214500215360ustar00rootroot00000000000000#!/bin/sh -efu # # Copyright (C) 2003-2009 Stanislav Ievlev , # Dmitry V. Levin , # Alexey Gladkov # # The sisyphus_check utility. # # This file is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
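#

# Drop every locale setting so the tools run below see the same environment;
# "||:" keeps a failing unset from aborting a script started with "sh -e".
unset \
	LANG \
	LANGUAGE \
	LINGUAS \
	LC_CTYPE \
	LC_NUMERIC \
	LC_TIME \
	LC_COLLATE \
	LC_MONETARY \
	LC_MESSAGES \
	LC_PAPER \
	LC_NAME \
	LC_ADDRESS \
	LC_TELEPHONE \
	LC_MEASUREMENT \
	LC_IDENTIFICATION \
	LC_ALL \
	||:

PROG="${0##*/}"

# Print a message prefixed with the program name on stderr.
Info()
{
	printf %s\\n "$PROG: $*" >&2
}

# Print a message prefixed with the program name on stderr and exit 1.
Fatal()
{
	printf %s\\n "$PROG: $*" >&2
	exit 1
}

quiet=
# Print a message on stdout unless $quiet is set.
Message()
{
	[ -z "$quiet" ] || return 0
	printf %s\\n "$*"
}

show_bad_files=
# Report a problem with a package file on stderr.
# Arguments: $1 - message text; $2 - optional file name.
# With a file name the message is printed as "file: message" (an identical
# prefix already present is stripped first), and the bare file name is also
# printed on stdout when $show_bad_files is set.
FileError()
{
	local text="$1"
	shift || return
	local f="${1-}"
	if [ -n "$f" ]; then
		# Quote the file name inside the expansion so that it is stripped as a
		# literal prefix, not interpreted as a glob pattern.
		text="${text#"$f: "}"
		text="$f: $text"
		[ -z "$show_bad_files" ] || printf %s\\n "$f"
	fi
	# The text usually embeds package metadata: control characters are replaced
	# with spaces before it reaches the terminal or a log.
	printf %s\\n "$(printf %s "$text" |tr '[:cntrl:]' ' ')" >&2
}

# Print the summary line for a failed check; $check, when set by the caller,
# supplies the check name shown in the message.
CheckError()
{
	Message "$PROG: ${check:+check-${check#*-check-} }ERROR: $*"
}

fs_list=
# Remove the temporary file created by init_check and exit with the given status.
cleanup()
{
	trap - EXIT
	[ -z "$fs_list" ] || rm -f -- "$fs_list"
	exit "$@"
}

exit_handler()
{
	cleanup $?
}

signal_handler()
{
	cleanup 1
}

current_time=
packager_pattern=
# One-time setup shared by all checks (a second call returns at the guard):
# installs the cleanup traps, stores the sorted file list of the "filesystem"
# package in a temporary file ($fs_list), and sets $current_time and
# $packager_pattern.
init_check()
{
	[ -z "$fs_list" ] || return 0
	unset current_time packager_pattern
	local fs_filelist

	trap exit_handler EXIT
	trap signal_handler HUP PIPE INT QUIT TERM
	# The caller runs "init_check || Fatal ...", which disables "sh -e" inside
	# this function, so a failed mktemp has to be caught here; otherwise the
	# redirection below fails on an empty name and is reported as a sort error.
	fs_list="$(mktemp -t "$PROG.XXXXXXXXXX")" ||
		Fatal 'mktemp failed.'
	fs_filelist="$(LC_ALL=C rpmquery -l filesystem)" ||
		Fatal 'rpmquery filesystem failed.'
	printf %s "$fs_filelist" |LC_COLLATE=C sort -u >"$fs_list" ||
		Fatal 'sort failed.'
	current_time="$(date +%s)" ||
		Fatal 'date failed.'
	local s='[:space:]'
	packager_pattern="[^<$s][$s]+<[$s]*[^@>$s]+([$s]*@[$s]*|[$s]+at[$s]+)(packages[$s]*[.][$s]*)?altlinux([$s]*[.][$s]*|[$s]+dot[$s]+)(com|net|org|ru)[$s]*>"
}

package_type=
# Classify a file by its first 8 bytes and set $package_type to "bin" or "src".
# The bytes ed ab ee db are the RPM lead magic; the two bytes after them are
# not checked, and the last two select binary (00 00) or source (00 01).
# Returns non-zero when the header cannot be read or does not match.
get_package_type()
{
	local file header
	package_type=
	file="$1" && shift
	header="$(od -A n -N 8 -t x1 -- "$file")" || return
	case "$header" in
		' ed ab ee db '??' '??' 00 00')
			package_type=bin
			return 0
			;;
		' ed ab ee db '??' '??' 00 01')
			package_type=src
			return 0
			;;
	esac
	return 1;
}

# Join the arguments and squeeze every run of whitespace into a single space.
oneliner()
{
	printf %s "$*" |tr -s '[:space:]' ' '
}
sisyphus_check-0.8.39/sisyphus_check000075500000000000000000000175361215307214500176230ustar00rootroot00000000000000
#!/bin/sh -efu
#
# Copyright (C) 2003-2009  Stanislav Ievlev ,
#                          Dmitry V. Levin ,
#                          Alexey Gladkov
#
# The sisyphus_check utility.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#

. sisyphus-check-functions

sisyphus_check_d='/etc/sisyphus_check/check.d'
check_list=
recurse_subdir=
files=
# cumulative check
fast_check=

# Run every enabled check from $check_list against one package file.
# Arguments: $1 - package file.
# Returns 1 if any check failed; with $fast_check set, returns at the first failure.
run_checks()
{
	local f="$1" && shift || return 1
	local rc=0 check check_var

	for check in $check_list; do
		# The test is on the check script, so the message names that script
		# (it used to name the package file being checked).
		[ -s "$sisyphus_check_d/$check" ] ||
			Fatal "$sisyphus_check_d/$check: file not found or empty"
		check_var="no_check_${check#*-check-}"
		# $check comes from get_check_list, whose -regex only admits
		# NNN-check-<letters> names, so the eval'ed variable name is made of
		# letters and underscores.
		eval "[ -z \"\${$check_var-}\" ]" || continue
		# Each check script is sourced in a subshell: its run_check and
		# variables do not leak into the next check.
		if ! (. "$sisyphus_check_d/$check" && run_check "$f"); then
			[ -z "$fast_check" ] || return 1
			rc=1
		fi
	done
	return $rc
}

check_files()
{
	init_check || Fatal 'init_check failed.'

	local f rc=0
	for f; do
		if [ ! -f "$f" ]; then
			FileError 'not a regular file' "$f"
			rc=1
			continue
		fi

		if ! get_package_type "$f"; then
			FileError 'unexpected file type' "$f"
			rc=1
			continue
		fi

		local values
		if ! 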
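values="$(LC_ALL=C rpmquery -p --qf='
			rpm_arch=%{arch:shescape};
			rpm_buildhost=%{buildhost:shescape};
			rpm_buildtime=%{buildtime:shescape};
			rpm_changelogname=%{changelogname:shescape};
			rpm_changelogtext=%{changelogtext:shescape};
			rpm_changelogtime=%{changelogtime:shescape};
			rpm_description=%{description:shescape};
			rpm_distribution=%{distribution:shescape};
			rpm_group=%{group:shescape};
			rpm_license=%{license:shescape};
			rpm_name=%{name:shescape};
			rpm_packager=%{packager:shescape};
			rpm_platform=%{platform:shescape};
			rpm_release=%{release:shescape};
			rpm_serial=%|serial?{%{serial:shescape}}|;
			rpm_siggpg=\"%|siggpg?{%{siggpg}}|\";
			rpm_size=%{size:shescape};
			rpm_sourcerpm=%{sourcerpm:shescape};
			rpm_summary=%{summary:shescape};
			rpm_url=%{url:shescape};
			rpm_vendor=%{vendor:shescape};
			rpm_version=%{version:shescape};
			rpm_filenames=[%{filenames:shescape}"
"];
			rpm_perms_filenames=["%{filemodes:perms} "%{filenames:shescape}"
"];
			rpm_requires=[%{requirename:shescape}" %{requireflags} %{requireflags:depflags} "%{requireversion:shescape}"
"];
			rpm_provides=[%{providename:shescape}" %{provideflags:depflags} "%{provideversion:shescape}"
"];
			rpm_obsoletes=[%{obsoletename:shescape}" %{obsoleteflags:depflags} "%{obsoleteversion:shescape}"
"];
			rpm_conflicts=[%{conflictname:shescape}" %{conflictflags:depflags} "%{conflictversion:shescape}"
"];
			' -- "$f")"; then
			FileError 'rpmquery failed' "$f"
			rc=1
			continue
		fi

		local rpm_arch rpm_buildhost rpm_buildtime
		local rpm_changelogname rpm_changelogtext
		local rpm_changelogtime rpm_description
		local rpm_distribution rpm_group rpm_license rpm_name
		local rpm_packager rpm_platform rpm_release rpm_serial
		local rpm_size rpm_sourcerpm rpm_summary rpm_url
		local rpm_vendor rpm_version
		local rpm_filenames
		local rpm_requires rpm_provides rpm_obsoletes rpm_conflicts
		# Trust boundary: the text evaluated here is generated by rpmquery from
		# the tags of the package under inspection.  Every string tag is passed
		# through the :shescape format so that it arrives as one quoted shell
		# word; siggpg is the exception, it is emitted between double quotes
		# without :shescape, and the flag and :perms fields are emitted
		# unescaped inside quoted separators.
		# NOTE(review): safety of this eval rests on rpm's :shescape and on the
		# character set rpm prints for siggpg - confirm for the rpm in use.
		# NOTE(review): this page shows the per-entry separator of the array
		# tags as a quoted space; it is written above as a quoted newline,
		# which is what the line-oriented filters used later (sort -u, anchored
		# grep, comm) need - confirm against the upstream file.
		eval "$values"
		unset values

		[ -z "$rpm_filenames" ] ||
			rpm_filenames="$(printf %s "$rpm_filenames" |sort -u)"
		[ -z "$rpm_perms_filenames" ] ||
			rpm_perms_filenames="$(printf %s "$rpm_perms_filenames" |sort -u -k2)"
		rpm_requires="$(printf %s "$rpm_requires" |sed 's/ *$//' |sort -u)"
		rpm_provides="$(printf %s "$rpm_provides" |sed 's/ *$//' |sort -u)"
		[ -z "$rpm_obsoletes" ] ||
			rpm_obsoletes="$(printf %s "$rpm_obsoletes" |sed 's/ *$//' |sort -u)"
		[ -z "$rpm_conflicts" ] ||
			rpm_conflicts="$(printf %s "$rpm_conflicts" |sed 's/ *$//' |sort -u)"

		run_checks "$f" || rc=1
	done
	return $rc
}

# Split a newline-separated list of paths into arguments for check_files.
# Only newline is used as separator, so paths containing spaces or tabs stay
# intact (the script runs with "sh -f", so no globbing happens either).
# Paths that themselves contain a newline are still split.
check_file_list()
{
	local list="$1" saved_ifs="$IFS"
	IFS='
'
	set -- $list
	# Restore IFS before check_files runs: the checks rely on default splitting.
	IFS="$saved_ifs"
	check_files "$@"
}

# Check every package found in the given directories.
# Arguments: directories; with $recurse_subdir set they are searched recursively.
# Returns non-zero if an argument is not a directory, find fails, or a check fails.
check_dirs()
{
	local rc=0

	# quick arg check.
	local d
	for d; do
		[ -d "$d" ] || { FileError "$d: not a directory"; rc=1; continue; }
	done
	[ $rc = 0 ] || return $rc

	for d; do
		[ -d "$d" ] || { FileError "$d: not a directory"; rc=1; continue; }
		local filelist f
		if [ -n "$recurse_subdir" ]; then
			filelist="$(find "$d" -mindepth 1 -not -type d)" || { rc=1; continue; }
		else
			filelist="$(find "$d" -mindepth 1 -maxdepth 1)" || { rc=1; continue; }
		fi
		[ -n "$filelist" ] || continue
		# Was "check_files $filelist", which split names on any whitespace.
		check_file_list "$filelist" || rc=1
	done
	return $rc
}

# List the check scripts in $sisyphus_check_d, one file name per line.
# Only regular files named NNN-check-<letters> are accepted; run_checks and
# the option parser rely on that shape when they build variable names.
get_check_list()
{
	find "$sisyphus_check_d" \
		-regextype posix-egrep \
		-mindepth 1 \
		-maxdepth 1 \
		-type f \
		-regex '.*/[0-9]+-check-[[:alpha:]]+' \
		-printf '%f\n'
}

# Expand the argument of --check/--no-check: "all" (any case) becomes every
# known check name, otherwise commas are turned into spaces.
expand_check_list()
{
	local list="$1"; shift
	if [ -z "${list#[Aa][Ll][Ll]}" ]; then
		printf %s "$check_env" |sed 's/^check-//'
	else
		printf %s "$list" |tr , ' '
	fi
}

# Print an optional message and a hint on stderr, then exit 1.
show_usage()
{
	[ -z "$*" ] || Info "$*"
	echo "Try \`$PROG --help' for more information." >&2
	exit 1
}

show_help()
{
	# NOTE(review): on this page the text between "cat <" and "..." is missing
	# (the here-document opener and the start of the usage line).  The opener
	# is restored from the EOF terminator that closes this text; the lost usage
	# text cannot be recovered from this page and is left as the surviving
	# "...".  The original column layout of the option list is not known.
	cat <<EOF
...
Valid options are:
  --quiet try to be more quiet;
  --verbose print a message for each action;
  --fast-check stop checking after first error;
  --files treat as a packages;
  --directories treat as a directory.
Packages in this directory will be checked.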
This is default behavior;
  --recursive search packages recursively;
  --show-bad-files print bad packages;
  --trust-gpg-names=LIST change the list of trusted gpg names;
  --[no-]check=LIST change the list of checks;
EOF
	# Append one "--[no-]check-NAME" line per installed check.
	printf %s\\n "$check_env" |sed -n 's/.*/ --[no-]&/pg'
	exit
}

# check_list: check script file names; check_env: the same names without the
# numeric prefix ("check-NAME"); getopt_check/getopt_no_check: comma-separated
# long option names derived from check_env.
check_list="$(get_check_list)"
check_env="$(printf %s\\n "$check_list" |sed 's/^[0-9]\+-//' |sort -u)"
getopt_check="$(printf %s "$check_env" |tr -s '[:space:]' ',')"
getopt_no_check="$(printf %s "$check_env" |sed 's/.*/no-&/' |tr -s '[:space:]' ',')"

TEMP=`getopt -n $PROG -o h,q,v -l help,quiet,verbose,fast-check,files,directories,show-bad-files,recursive,trust-gpg-names:,check:,no-check:,check-,no-check-,$getopt_check,$getopt_no_check -- "$@"` ||
	show_usage
eval set -- "$TEMP"

while :; do
	case "$1" in
		--check|--no-check) mode="$1"
			shift
			check_value=
			[ -n "${mode##--no-check*}" ] || check_value=1
			# Reject anything but letters, commas and whitespace before the
			# value is used to build variable names below.
			if [ -n "$(printf %s "$1" |tr -d '[:alpha:],[:space:]')" ]; then
				Info "$mode: invalid argument: $1"
				show_usage
			fi
			for arg in `expand_check_list "$1"`; do
				if ! printf '%s' "$check_env" |grep -qs "^check-$arg\$"; then
					Info "$mode: invalid argument: $arg"
					show_usage
				fi
				# $arg has passed both filters above, so this eval only ever
				# assigns to a no_check_<letters> variable.
				eval no_check_$arg=$check_value
			done
			;;
		--check-|--no-check-) show_usage
			;;
		# The option suffix becomes part of an eval'ed variable name.  The only
		# filter visible here is the getopt long-option list above, which is
		# built from the installed check names.
		--check-[a-z]*) arg="no_check_${1##--check-}"
			eval $arg=
			;;
		--no-check-[a-z]*) arg="no_check_${1##--no-check-}"
			eval $arg=1
			;;
		-q|--quiet) quiet=-q
			;;
		-v|--verbose) quiet=
			;;
		--fast-check) fast_check=1
			;;
		--files) files=1
			;;
		--directories) files=
			;;
		--show-bad-files) show_bad_files=1
			;;
		--recursive) recurse_subdir=1
			;;
		--trust-gpg-names) shift
			# Colons and commas in the list become spaces.
			trust_gpg_names="$(printf %s "$1" |tr -s :, ' ')"
			;;
		-h|--help) show_help
			;;
		--) shift; break
			;;
		*) Fatal "unrecognized option: $1"
			;;
	esac
	shift
done

# At least one argument, please.
if ! [ "$#" -ge 1 ]; then
	Info 'Insufficient arguments.'
	show_usage
fi

if [ -n "$files" ]; then
	check_files "$@"
else
	check_dirs "$@"
fi
sisyphus_check-0.8.39/sisyphus_check.d/000075500000000000000000000000001215307214500201035ustar00rootroot00000000000000
sisyphus_check-0.8.39/sisyphus_check.d/000-check-changelog000064400000000000000000000033051215307214500233260ustar00rootroot00000000000000
#!/bin/sh -efu

# Inputs expected from the sourcing script; "${var?}" aborts when one is unset.
current_time="${current_time:-$(date +%s)}"
packager_pattern="${packager_pattern?}"
rpm_changelogtime="${rpm_changelogtime?RPM changelog time required}"
rpm_changelogtext="${rpm_changelogtext?RPM changelog text required}"
rpm_changelogname="${rpm_changelogname?RPM changelog name required}"
rpm_serial="${rpm_serial?RPM serial required}"
rpm_version="${rpm_version?RPM version required}"
rpm_release="${rpm_release?RPM release required}"

# check changelog format
# Arguments: $1 - package file (used in messages only).
# Returns 1 if any of the tests below fails; all tests are run.
check_changelog()
{
	local f="$1" && shift || return 1
	local rc=0

	# Allow one day (86400 s) of clock difference.  A changelog time that is
	# not a number makes the test fail as well; its error is discarded.
	if ! [ "$((current_time+86400))" -ge "$rpm_changelogtime" ] 2>/dev/null; then
		FileError "CHANGELOGTIME in the future: $(date -d "1970-01-01 UTC $rpm_changelogtime seconds")" "$f"
		rc=1
	fi

	# The text must contain at least one alphanumeric character.
	if ! printf %s "$rpm_changelogtext" |sed 's/[^[:alnum:]]//g' |grep -qsv '^$'; then
		FileError "invalid CHANGELOGTEXT: $(oneliner "$rpm_changelogtext")" "$f"
		rc=1
	fi

	if ! printf %s "$rpm_changelogname" |egrep -qs "$packager_pattern"; then
		FileError "wrong packager in CHANGELOGNAME: $rpm_changelogname" "$f"
		rc=1
	fi

	# Do not check changelog name for binary rpms.
	if [ "$package_type" = src ]; then
		local c_found
		# Take what follows "Name <address>" in the changelog name.
		if ! c_found=`printf %s "$rpm_changelogname" |sed -n '/^(none)$/q;s/[^<]\+<[^>]\+> *\(.\+\)$/\1/pg'`; then
			FileError 'sed failed' "$f"
			rc=1
		fi

		# It has to equal [serial:]version-release of the package.
		local c_expected
		[ -z "$rpm_serial" ] && c_expected= || c_expected="$rpm_serial:"
		c_expected="$c_expected$rpm_version-$rpm_release"
		if [ "$c_expected" != "$c_found" ]; then
			FileError "wrong CHANGELOGNAME: expected \"$c_expected\", found \"$c_found\"" "$f"
			rc=1
		fi
	fi

	return $rc
}

run_check()
{
	if ! 
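check_changelog "$1"; then
		CheckError 'changelog format violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/010-check-gpg000064400000000000000000000044071215307214500221610ustar00rootroot00000000000000
#!/bin/sh -efu

# trust_gpg_names: signer names accepted for any package.
# no_gpgname_packagers: packagers exempt from the signer/changelog comparison.
trust_gpg_names="${trust_gpg_names:-security incominger}"
no_gpgname_packagers="${no_gpgname_packagers-}"
rpm_siggpg="${rpm_siggpg?RPM siggpg required}"
rpm_packager="${rpm_packager?RPM packager required}"
rpm_changelogname="${rpm_changelogname?RPM changelog name required}"

rpm_signature=
# Verify the digest and the GnuPG signature of a package.
# Arguments: $1 - package file.
# Side effect: stores the "rpmsign -Kv" report in $rpm_signature for
# check_gpgname.
# Returns 1 when the package has no signature tag, rpmsign fails, or the
# report lacks the expected "OK"/"Good signature" lines.
check_gpg()
{
	local f="$1" && shift || return 1
	local bads=

	if [ -z "$rpm_siggpg" ]; then
		FileError 'signature not found' "$f"
		return 1
	fi

	# Verification uses the keyring in /usr/lib/alt-gpgkeys, and LC_ALL=C pins
	# the message text that is matched below.
	if ! rpm_signature="$(LC_ALL=C GNUPGHOME=/usr/lib/alt-gpgkeys rpmsign -Kv "$f")"; then
		FileError 'rpmsign failed' "$f"
		return 1
	fi

	# The verdict is derived from the wording of the report: each test passes
	# as soon as one line of the report starts with the expected text.
	if ! printf %s "$rpm_signature" 2>/dev/null |grep -qs '^MD5 sum OK: '; then
		bads="$bads md5"
	fi

	# Append instead of overwrite, so that a report failing both tests names
	# both of them (the second assignment used to replace the first).
	if ! printf %s "$rpm_signature" 2>/dev/null |grep -qs '^gpg: Good signature '; then
		bads="$bads gnupg"
	fi

	if [ -n "$bads" ]; then
		FileError "bad SIGNATURE:$bads NOT ok" "$f"
		return 1
	fi

	return 0
}

# check package changelogname and signature
# Arguments: $1 - package file.
# Passes when a signer taken from $rpm_signature is one of $trust_gpg_names or
# equals the local part of the address in the last changelog entry, or when
# the packager is listed in $no_gpgname_packagers.  Skipped (returns 0) when
# run_check has set $skip_check_gpgname because check_gpg already failed.
check_gpgname()
{
	[ -z "$skip_check_gpgname" ] || return 0

	if [ -n "$no_gpgname_packagers" ]; then
		local packager pname
		packager="$(printf %s "$rpm_packager" |
			sed -n 's/^[^<]*<\([^@]\+\(@\| at \)[^>]\+\)>.*/\1/p' |
			tr -s '[:space:]' ' ')"
		for pname in $no_gpgname_packagers; do
			[ "$pname" != "$packager" ] || return 0
		done
	fi

	local f="$1" && shift || return 1
	local chlogname sed_gpg_name gpg_name sign

	# Lower-cased local part of the changelog author's address.
	chlogname="$(printf %s "$rpm_changelogname" |
		sed -n 's/^.*<\([^@]\+\)\(@\| at \).*$/\1/p' |
		tr '[:upper:]' '[:lower:]')"

	# Signer names are the local parts of altlinux.{ru,com,net,org} addresses
	# on the "from"/"aka" lines of the signature report.
	sed_gpg_name='s/^.*[[:space:]]\(from\|aka\)[^<]\+<\([^@>]\+\)@altlinux\.\(ru\|com\|net\|org\)>.*$/\2/p'
	for sign in $(printf %s "$rpm_signature" |sed -n "$sed_gpg_name" |tr '[:upper:]' '[:lower:]' |sort -u); do
		for gpg_name in $trust_gpg_names; do
			[ "$sign" != "$gpg_name" ] || return 0
		done
		[ "$sign" != "$chlogname" ] || return 0
	done

	# Recompute the full address for the error message only.
	chlogname="$(printf %s "$rpm_changelogname" |
		sed -n 's/^[^<]*<\([^@]\+\(@\| at \)[^>]\+\)>.*/\1/p' |
		tr -s '[:space:]' ' ')"
	FileError "changelog name $chlogname not found in signature" "$f"
	return 1
}

run_check()
{
	local rc=0

	skip_check_gpgname=
	if ! check_gpg "$1"; then
		CheckError 'package signatures violation'
		# Without a verified report there is nothing to compare names against.
		skip_check_gpgname=1
		rc=1
	fi

	if ! check_gpgname "$1"; then
		CheckError 'signature/changelog mismatch'
		rc=1
	fi

	return $rc
}
sisyphus_check-0.8.39/sisyphus_check.d/020-check-buildhost000064400000000000000000000010731215307214500233760ustar00rootroot00000000000000
#!/bin/sh -efu

package_type="${package_type?}"
rpm_buildhost="${rpm_buildhost?RPM buildhost required}"

# check for valid buildhost
# Arguments: $1 - package file.
# The BUILDHOST tag of a binary package has to look like
# <label>.hasher.altlinux.org or <label>.sandman.altlinux.org.  The value is
# read from the package itself, so this is a consistency check on metadata.
check_buildhost()
{
	local f="$1" && shift || return 1

	# Do not check build host for source rpms.
	[ "$package_type" != src ] || return 0

	if ! printf %s "$rpm_buildhost" |egrep -qs '^[^.]+\.(hasher|sandman)\.altlinux\.org$'; then
		FileError "unacceptable BUILDHOST: $rpm_buildhost" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! check_buildhost "$1"; then
		CheckError 'unacceptable non-hasher buildhost name'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/030-check-buildtime000064400000000000000000000007461215307214500233660ustar00rootroot00000000000000
#!/bin/sh -efu

current_time="${current_time:-$(date +%s)}"
rpm_buildtime=${rpm_buildtime?RPM buildtime required}

# check for valid buildtime
# Arguments: $1 - package file.
# Fails when BUILDTIME is later than $current_time or is not a number (the
# error of the numeric test is discarded).
check_buildtime()
{
	local f="$1" && shift || return 1

	if ! [ "$current_time" -ge "$rpm_buildtime" ] 2>/dev/null; then
		FileError "BUILDTIME in the future: $(date -d "1970-01-01 UTC $rpm_buildtime seconds")" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! 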
check_buildtime "$1"; then
		CheckError 'buildtime violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/040-check-packager000064400000000000000000000007061215307214500231620ustar00rootroot00000000000000
#!/bin/sh -efu

packager_pattern="${packager_pattern?}"
rpm_packager="${rpm_packager?RPM packager required}"

# check for valid format of PACKAGER tag
# Arguments: $1 - package file.
# The tag has to match $packager_pattern, which is supplied by the sourcing
# script.
check_packager()
{
	local f="$1" && shift || return 1

	if ! printf %s "$rpm_packager" |egrep -qs "$packager_pattern"; then
		FileError "wrong PACKAGER: $rpm_packager" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! check_packager "$1"; then
		CheckError 'packager name violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/050-check-printable000064400000000000000000000021731215307214500233660ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_name="${rpm_name?RPM name required}"
rpm_version="${rpm_version?RPM version required}"
rpm_release="${rpm_release?RPM release required}"
rpm_group="${rpm_group?RPM group required}"
rpm_packager="${rpm_packager?RPM packager required}"
rpm_license="${rpm_license?RPM license required}"
rpm_summary="${rpm_summary?RPM summary required}"
rpm_description="${rpm_description?RPM description required}"
rpm_changelogname="${rpm_changelogname?RPM changelog name required}"
rpm_changelogtext="${rpm_changelogtext?RPM changelog text required}"

# check for printable summary, description, etc.
# Arguments: $1 - package file.
# Fails when any of the listed tags contains a byte that is neither printable
# nor whitespace in the C locale, which includes every non-ASCII byte.
check_printable()
{
	local f="$1" && shift || return 1
	local text

	text="$rpm_name $rpm_version $rpm_release $rpm_group $rpm_packager $rpm_license $rpm_summary $rpm_description $rpm_changelogname $rpm_changelogtext"
	# Whatever survives the deletion is the offending data.  It is echoed in
	# the message; FileError (defined in the functions file) is what prints it.
	if [ -n "$(printf %s "$text" |LC_ALL=C tr -d '[:print:][:space:]')" ]; then
		FileError "unprintable package information: $(printf %s "$text" |LC_ALL=C tr -d '[:print:][:space:]')" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! 
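check_printable "$1"; then
		CheckError 'package information violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/060-check-summary000064400000000000000000000006171215307214500231050ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_summary="${rpm_summary?RPM summary required}"

# check for valid summary
# Arguments: $1 - package file.
# The summary has to contain at least one letter.
check_summary()
{
	local f="$1" && shift || return 1

	if ! printf %s "$rpm_summary" 2>/dev/null |egrep -qs '[[:alpha:]]'; then
		FileError "invalid SUMMARY: $rpm_summary" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! check_summary "$1"; then
		CheckError 'invalid package summary'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/070-check-description000064400000000000000000000007051215307214500237320ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_description="${rpm_description?RPM description required}"

# check for valid description
# Arguments: $1 - package file.
# The description has to contain at least one letter.
check_description()
{
	local f="$1" && shift || return 1

	if ! printf %s "$rpm_description" 2>/dev/null |egrep -qs '[[:alpha:]]'; then
		FileError "invalid DESCRIPTION: $(oneliner "$rpm_description")" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! check_description "$1"; then
		CheckError 'invalid package description'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/080-check-group000064400000000000000000000005521215307214500225440ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_group="${rpm_group?RPM group required}"

# check for valid group
# Arguments: $1 - package file.
# The GROUP tag has to equal one whole line of /usr/lib/rpm/GROUPS.
check_group()
{
	local f="$1" && shift || return 1

	# The group comes from the package: pass it with -e so that a value
	# starting with "-" is taken as the pattern and never as a grep option.
	# NOTE(review): fgrep reads a value containing newlines as several
	# patterns, so one valid line is enough to match - the tag is not
	# otherwise restricted to a single line here.
	if ! fgrep -xq -e "$rpm_group" /usr/lib/rpm/GROUPS; then
		FileError "wrong GROUP: $rpm_group" "$f"
		return 1
	fi
	return 0
}

run_check()
{
	if ! 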
check_group "$1"; then
		CheckError 'package group violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/090-check-nvr000064400000000000000000000022421215307214500222140ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_arch="${rpm_arch?RPM arch required}"
rpm_name="${rpm_name?RPM name required}"
rpm_version="${rpm_version?RPM version required}"
rpm_release="${rpm_release?RPM release required}"

# check for valid nvr
# Arguments: $1 - package file; its base name is compared with the tags.
# Returns 1 if any test fails; all tests are run.
check_nvr()
{
	local f="$1" && shift || return 1
	local rc=0

	# Whole-value match: at least two characters, starting with a letter or
	# digit and ending with a letter, digit or "+".
	if ! printf %s "$rpm_name" |grep -Exqs '[A-Za-z0-9][A-Za-z0-9._+-]*[A-Za-z0-9+]'; then
		FileError "invalid package NAME: $rpm_name" "$f"
		rc=1
	fi

	# Macro and comparison characters must not appear in version or release.
	if printf %s "$rpm_version" |grep -qs '[%<=>]'; then
		FileError "invalid package VERSION: $rpm_version" "$f"
		rc=1
	fi

	if printf %s "$rpm_release" |grep -qs '[%<=>]'; then
		FileError "invalid package RELEASE: $rpm_release" "$f"
		rc=1
	fi

	# NOTE(review): the "." after "0" is an unescaped regex dot, so "alt0"
	# followed by any character is accepted, not only "alt0." - confirm whether
	# a literal dot was intended.
	if ! printf %s "$rpm_release" |grep -Eqs '^alt([1-9]|0.)'; then
		FileError "invalid package RELEASE: $rpm_release" "$f"
		rc=1
	fi

	# The file name has to be exactly name-version-release.arch.rpm, with
	# "src" as arch for source packages.
	local arch="$rpm_arch"
	[ "$package_type" != src ] || arch="src"
	local expected="$rpm_name-$rpm_version-$rpm_release.$arch.rpm"
	if [ "$expected" != "${f##*/}" ]; then
		FileError "invalid FILENAME: $expected expected" "$f"
		rc=1
	fi

	return $rc
}

run_check()
{
	if ! 
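check_nvr "$1"; then
		CheckError 'package name-version-release format violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/100-check-deps000064400000000000000000000037101215307214500223330ustar00rootroot00000000000000
#!/bin/sh -efu

# One extended regexp per line; "egrep -x" below matches a dependency name
# against each line as a whole.
# NOTE(review): this page shows the entries separated by spaces; they are
# written one per line here, the only layout in which "egrep -x" can match a
# single dependency name - confirm against the upstream file.
bad_deps='/etc/init\.d\(.*\)
/etc/rc\.d/init\.d\((daemon|killproc|pidof)\)
/lib64/udev
/lib64/udev/rules\.d
/sbin/post_ldconfig
/sbin/postun_ldconfig
/usr/sbin/install_info
/usr/sbin/uninstall_info
XFree86-.*
fileutils
initscripts
libmesa-devel
pam_stack\.so
sh-utils
textutils
xorg-devel
xorg-x11-devel
.*\(GLIBC_PRIVATE\).*'

bad_prereqs='/sbin/install-info
/sbin/ldconfig'

# check for unacceptable dependencies
# Arguments: $1 - package file.
# Reads $rpm_requires, $rpm_provides, $rpm_obsoletes and $rpm_conflicts (one
# dependency per line, name in the first space-separated field).
# Returns 1 if any test fails.
check_deps()
{
	local f="$1" && shift || return 1
	local rc=0
	local bad

	local rpm_deps
	rpm_deps=$(printf '%s\n%s\n%s\n%s\n' "$rpm_requires" "$rpm_provides" "$rpm_obsoletes" "$rpm_conflicts")

	# "$" and "%" in a dependency are rejected outright.
	if bad=$(printf %s "$rpm_deps" |grep '[$%]'); then
		FileError "invalid dependencies: $(oneliner "$bad")" "$f"
		rc=1
	fi

	if bad=$(printf %s "$rpm_requires" |cut -d' ' -f1 |egrep -x "$bad_deps"); then
		FileError "forbidden requires: $(oneliner "$bad")" "$f"
		rc=1
	fi

	# 2^6: RPMSENSE_PREREQ
	# 2^8: RPMSENSE_INTERP
	# 2^9: RPMSENSE_SCRIPT_PRE
	# 2^10: RPMSENSE_SCRIPT_POST
	# 2^11: RPMSENSE_SCRIPT_PREUN
	# 2^12: RPMSENSE_SCRIPT_POSTUN
	# 2^13: RPMSENSE_SCRIPT_VERIFY
	# 2^16: RPMSENSE_TRIGGERIN
	# 2^17: RPMSENSE_TRIGGERUN
	# 2^18: RPMSENSE_TRIGGERPOSTUN
	# 2^6+2^8+2^9+2^10+2^11+2^12+2^13+2^16+2^17+2^18 = 474944
	# Field 2 of each requires line is the numeric flags word; select the
	# requirements that carry any of the bits above.
	bad=$(printf %s "$rpm_requires" |
		awk 'and($2,474944)>0 {print $1}' |
		egrep -x "$bad_prereqs" |
		sort -u)
	if [ -n "$bad" ]; then
		FileError "forbidden prerequires: $(oneliner "$bad")" "$f"
		rc=1
	fi

	# allow kernel deps in kernel-* packages
	if [ -z "${rpm_name##kernel-*}" ]; then
		return $rc
	fi

	# allow kernel deps in packages built from kernel-image-*
	if [ -n "$rpm_sourcerpm" -a -z "${rpm_sourcerpm##kernel-image-*}" ]; then
		return $rc
	fi

	if bad=$(printf %s "$rpm_deps" |cut -d' ' -f1 |egrep '^kernel-(image|modules)'); then
		FileError "forbidden dependencies: $(oneliner "$bad")" "$f"
		rc=1
	fi

	return $rc
}

run_check()
{
	if ! check_deps "$1"; then
		CheckError 'package dependencies violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/110-check-content000064400000000000000000000017201215307214500230520ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_name="${rpm_name?RPM name required}"
rpm_filenames="${rpm_filenames?RPM file list required}"

# check files intersections with known packages
# Arguments: $1 - package file.
# Directories that belong to the rpm, control and glibc-locales packages must
# not be packaged by anything else.  Returns 1 if any test fails.
check_content()
{
	local f="$1" && shift || return 1
	local rc=0
	local bad

	# The group used to have no "?", so only /etc/rpm/macros.d matched and a
	# package owning /etc/rpm itself went unnoticed; the two tests below show
	# the intended "directory and its subdirectory" form.
	if [ "$rpm_name" != rpm ] &&
	   bad="$(printf %s "$rpm_filenames" |egrep '^/etc/rpm(/macros\.d)?$')"; then
		FileError "intersections with rpm: $(oneliner "$bad")" "$f"
		rc=1
	fi

	if [ "$rpm_name" != control ] &&
	   bad="$(printf %s "$rpm_filenames" |egrep '^/etc/control\.d(/facilities)?$')"; then
		FileError "intersections with control: $(oneliner "$bad")" "$f"
		rc=1
	fi

	# Do not check glibc-locales package.
	if [ "$rpm_name" != glibc-locales ] &&
	   bad="$(printf %s "$rpm_filenames" |grep '^/usr/share/locale\(/[^/]\+\)\?$')"; then
		FileError "intersections with glibc-locales: $(oneliner "$bad")" "$f"
		rc=1
	fi

	return $rc
}

run_check()
{
	if ! check_content "$1"; then
		CheckError 'package content violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/120-check-libtool000064400000000000000000000007701215307214500230510ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_filenames="${rpm_filenames?RPM file list required}"

# check for forbidden libtool files
# Arguments: $1 - package file.
# Flags lib*.la files placed directly in /lib, /lib64, /usr/lib or /usr/lib64.
check_libtool()
{
	local f="$1" && shift || return 1
	local rc=0
	local bad

	if bad="$(printf %s "$rpm_filenames" |egrep '^(/usr)?/lib(64)?/lib[^/]+\.la$')"; then
		FileError "forbidden libtool files: $(oneliner "$bad")" "$f"
		rc=1
	fi

	return $rc
}

run_check()
{
	return 0 # Check disabled for a while
	if ! 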
check_libtool "$1"; then
		CheckError 'libtool files violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/130-check-fhs000064400000000000000000000033321215307214500221630ustar00rootroot00000000000000
#!/bin/sh -efu

fhs_config='/etc/sisyphus_check/fhs'
rpm_name="${rpm_name?RPM name required}"
rpm_filenames="${rpm_filenames?RPM file list required}"

# Print the path regexps that $fhs_config grants to the current package.
# Each non-comment line of the config holds "pkgname_pattern pathname_regexp";
# the first field is used as a shell glob against $rpm_name.
fhs_exceptions()
{
	grep '^[^#].*[[:space:]].*/' "$fhs_config" |
	while read -r pkgname_pattern filename_re; do
		case "$rpm_name" in
			# Unquoted on purpose: the config field is a glob pattern.
			$pkgname_pattern) ;;
			*) continue ;;
		esac
		printf '%s\n' "$filename_re"
	done
}

# check for FHS violations
# Arguments: $1 - package file.
# Packaged files and provided paths have to lie below one of the directories
# listed in fhs_re, unless an exception from fhs_exceptions covers them.
check_fhs()
{
	local f="$1" && shift || return 1

	# Do not check filesystem package.
	[ "$rpm_name" != filesystem ] || return 0

	local rc=0
	local fhs_re='^/(bin|boot|etc|lib(64)?|sbin|usr/(bin|etc|games|include|lib(exec|64)?|sbin|share|src)|var/(cache|games|lib|lock|log|run|spool|www|yp))/.*'
	local filenames bad_filenames except_re

	# Check packaged files.
	# NB: extra grep to exclude source packages.
	if [ -n "$rpm_filenames" ] &&
	   filenames=$(printf '%s\n' "$rpm_filenames" |grep '^/') &&
	   bad_filenames=$(printf '%s\n' "$filenames" |egrep -v -e "$fhs_re"); then
		# The exceptions arrive one regexp per line, which egrep treats as
		# alternatives; a violation remains when nothing is exempted or some
		# path survives the filter.
		except_re=$(fhs_exceptions)
		if [ -z "$except_re" ] ||
		   bad_filenames=$(printf '%s\n' "$bad_filenames" |egrep -v -e "$except_re"); then
			FileError "FHS violations: $(oneliner "$bad_filenames")" "$f"
			rc=1
		fi
	fi

	# Check provided paths.
	if [ -n "$rpm_provides" ] &&
	   filenames=$(printf '%s\n' "$rpm_provides" |grep -o '^/[^[:space:]]*') &&
	   bad_filenames=$(printf '%s\n' "$filenames" |egrep -v -e "$fhs_re"); then
		except_re=$(fhs_exceptions)
		if [ -z "$except_re" ] ||
		   bad_filenames=$(printf '%s\n' "$bad_filenames" |egrep -v -e "$except_re"); then
			FileError "FHS violations: provides $(oneliner "$bad_filenames")" "$f"
			rc=1
		fi
	fi

	return $rc
}

run_check()
{
	if ! 
check_fhs "$1"; then
		CheckError 'FHS violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/140-check-perms000064400000000000000000000024051215307214500225320ustar00rootroot00000000000000
#!/bin/sh -efu

package_type="${package_type?}"

# check files permissions
# Arguments: $1 - package file.
# Reads $rpm_perms_filenames: one "<mode string> <path>" line per packaged
# file, where the mode string is a type character followed by the user, group
# and other rwx triplets.  The entries matched by a rule are copied to stderr
# by egrep itself.  Returns 1 if any rule matches.
check_perms()
{
	local f="$1" && shift || return 1
	local rc=0

	# Regular files with set-uid that group or others can read or write, and
	# regular files with set-gid that group or others can read or write.
	if printf %s "$rpm_perms_filenames" |egrep '^-..s(r|.w|...r|....w)|^-...((r.|.w)s|..s(r|.w))' >&2; then
		FileError 'unsafe suid/sgid file permissions (readable or writable)' "$f"
		rc=1
	fi

	# Anything but a symlink under /etc/sudo.d/ that is writable by its owner
	# or readable/writable by group or others.
	if printf %s "$rpm_perms_filenames" |egrep '^[^l].(w|..r|...w|.....r|......w)[^/]+/etc/sudo\.d/' >&2; then
		FileError 'unsafe /etc/sudo.d/ file permissions (should be 0400)' "$f"
		rc=1
	fi

	# Anything but a symlink under /usr/ that group or others can write.
	if printf %s "$rpm_perms_filenames" |egrep '^[^l]....(w|...w)[^/]+/usr/' >&2; then
		FileError 'writable files in /usr/' "$f"
		rc=1
	fi

	# Directories with "rwx" for others; a sticky directory shows "t" in the
	# last position and does not match.
	if printf %s "$rpm_perms_filenames" |grep '^d......rwx' >&2; then
		FileError 'world writable directories' "$f"
		rc=1
	fi

	# Directories that grant read or write to a class without the matching
	# search (x/s/t) bit.
	if printf %s "$rpm_perms_filenames" |egrep '^d((r.|.w)[^sx]|...(r.|.w)[^sx]|......(r.|.w)[^tx])' >&2; then
		FileError 'accessible directories must have appropriate executable bits set' "$f"
		rc=1
	fi

	# Files in a source package must be readable and writable by their owner.
	if [ "$package_type" = src ]; then
		if printf %s "$rpm_perms_filenames" |egrep '^-([^r]|.[^w])' >&2; then
			FileError 'bad permissions in source archive' "$f"
			rc=1
		fi
	fi

	return $rc
}

run_check()
{
	if ! check_perms "$1"; then
		CheckError 'file permissions violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/150-check-intersects000064400000000000000000000012561215307214500235730ustar00rootroot00000000000000
#!/bin/sh -efu

rpm_name="${rpm_name?RPM name required}"
rpm_filenames="${rpm_filenames?RPM file list required}"

# check files intersections with filesystem
# Arguments: $1 - package file.
# Fails when the package lists a path that is also in $fs_list, the sorted
# file list of the "filesystem" package prepared by the sourcing script.
check_intersects()
{
	local f="$1" && shift || return 1

	# Do not check filesystem package.
	[ "$rpm_name" != filesystem ] || return 0

	local rc=0
	local text
	# comm -12 prints the lines common to both sorted inputs; LC_COLLATE=C
	# matches the collation used when $fs_list was sorted.
	if ! text="$(printf %s\\n "$rpm_filenames" |LC_COLLATE=C comm -12 -- "$fs_list" -)"; then
		FileError 'comm failed' "$f"
		rc=1
	fi
	if [ -n "$text" ]; then
		FileError "filesystem intersections: $(oneliner "$text")" "$f"
		rc=1
	fi

	return $rc
}

run_check()
{
	if ! check_intersects "$1"; then
		CheckError 'intersections with system packages'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/170-check-subdirs000064400000000000000000000034601215307214500230640ustar00rootroot00000000000000
#!/bin/sh -efu
#
# Check that directory packaging is hierarchically consistent.
#
# E.g. consider this %files section:
#	%dir /A
#	/A/B/C/D
# Now we require that directories "/A/B" and "/A/B/C" are also packaged.
#
# Copyright (C) 2008  Alexey Tourbin
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# Print one "prefix<TAB>subdir<TAB>path" line for every directory between an
# owned prefix and a packaged path that the package does not own itself.
find_unpackaged_subdirs()
{
	[ -n "${rpm_filenames?}" ] || return 0
	printf '%s\n' "$rpm_filenames" |awk '
		/^\// {
			OWN[$0] = 1
		}
		function check_path(path) {
			# "/A/B/C/D" -> ["","A","B","C","D"]
			n = split(path, comp, "/")
			# find shortest prefix which is owned by this path,
			# i.e. either "/A" or "/A/B" (or none - no need to check "/A/B/C")
			prefix = ""
			found = 0
			for (i = 2; i < n-1; i++) {
				prefix = prefix "/" comp[i]
				if (prefix in OWN) {
					found = 1
					break
				}
			}
			if (!found)
				return
			# check if every subdir under the prefix is also owned
			subdir = prefix
			for (j = i+1; j < n; j++) {
				subdir = subdir "/" comp[j]
				if (!(subdir in OWN))
					printf "%s\t%s\t%s\n", prefix, subdir, path
			}
		}
		END {
			for (path in OWN)
				check_path(path)
		}'
}

# Arguments: $1 - package file.
# Reports each missing intermediate directory once and returns 1 if there is any.
check_subdirs()
{
	local f="$1"; shift || return
	local subdirs="$(find_unpackaged_subdirs)"
	[ -n "$subdirs" ] || return 0
	local tab="$(printf '\t')"
	# Keep one line per missing directory (field 2).
	subdirs=$(printf '%s\n' "$subdirs" |sort -t "$tab" -u -k2,2)
	local prefix subdir path
	printf '%s\n' "$subdirs" |
	while IFS="$tab" read -r prefix subdir path; do
		FileError "unpackaged directory: $subdir" "$f"
	done
	return 1
}

run_check()
{
	if ! check_subdirs "$1"; then
		CheckError 'subdirectories packaging violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/180-check-pkgconfig000064400000000000000000000011341215307214500233550ustar00rootroot00000000000000
#!/bin/sh -efu

# Arguments: $1 - package file.
# Fails when the package ships files under a pkgconfig directory that does not
# fit $rpm_arch; architectures not listed in the case are not checked.
check_pkgconfig()
{
	local f="$1"; shift || return
	local bad_dirs
	case ${rpm_arch:?} in
		noarch) bad_dirs='^/usr/(lib|lib64)/pkgconfig/' ;;
		i?86|pentium*|athlon*) bad_dirs='^/usr/lib64/pkgconfig/' ;;
		x86_64|amd64) bad_dirs='^/usr/lib/pkgconfig/' ;;
		*) return ;;
	esac
	local bad_files
	if bad_files=$(printf '%s\n' "$rpm_filenames" |egrep "$bad_dirs"); then
		FileError "invalid $rpm_arch pkg-config path: $(oneliner "$bad_files")" "$f"
		return 1
	fi
}

run_check()
{
	if ! check_pkgconfig "$1"; then
		CheckError 'pkg-config pathnames violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/190-check-dirlist000064400000000000000000000025471215307214500230720ustar00rootroot00000000000000
#!/bin/sh -efu
#
# Check directory ownership with respect to
# /usr/lib/rpm/*-files.req.list dirlists.
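#
# Copyright (C) 2008 Alexey Tourbin
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# "DIR PKG" lines gathered from the rpm dirlists, unique and reverse-sorted.
# The shebang asks for -f, so globbing is switched back on inside the
# subshell only; missing dirlists simply give an empty list.
dirlist=$(set +f; grep -h '^/.' /usr/lib/rpm/*-files.req.list 2>/dev/null |sort -ur)
# First column of $dirlist with one trailing slash removed, one per line.
dirs=$(printf '%s\n' "$dirlist" |
	while read -r d pkg; do printf '%s\n' "${d%/}"; done)

# Print "DIR<TAB>PKG" for each packaged path that is listed in the dirlists
# for PKG while PKG is not among the names in $rpm_provides.
# Reads:   dirlist, dirs, rpm_filenames, rpm_provides
# Outputs: nothing when there is no dirlist or no packaged path matches
find_captured_dirs()
{
	[ -n "$dirlist" ] || return 0

	local mydirs
	# grep exits 1 when no path matches; that is not an error here.
	mydirs="$(printf '%s\n' "$rpm_filenames" |grep -F -x -e "$dirs")" ||:
	[ -n "$mydirs" ] || return 0

	printf '%s\n' "$mydirs" |
	while read -r mydir; do
		printf '%s\n' "$dirlist" |
		while read -r dir pkg; do
			[ "$mydir" = "$dir" ] || continue
			[ -n "$pkg" ] || continue
			# The package may own the directory if it provides PKG itself.
			printf '%s\n' "$rpm_provides" |cut -d' ' -f1 |
				grep -F -qs -x -e "$pkg" && continue
			printf '%s\t%s\n' "$dir" "$pkg"
		done
	done
}

# Report each directory printed by find_captured_dirs.
# Arguments: $1 - package file name passed on to FileError
# Returns:   0 when nothing is reported, 1 after reporting
check_dirlist()
{
	local f="$1"; shift || return

	# Not named "dirs": find_captured_dirs reads the global $dirs, and a
	# local of that name declared before the call would hide it.
	local captured
	captured="$(find_captured_dirs)" ||:
	[ -n "$captured" ] || return 0

	printf '%s\n' "$captured" |
	while read -r dir pkg; do
		FileError "directory $dir belongs to $pkg" "$f"
	done
	return 1
}

# Entry point of this check: run check_dirlist on $1 and print the summary
# line through CheckError when it fails.
run_check()
{
	if ! check_dirlist "$1"; then
		CheckError 'directory ownership violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/200-check-noarch000064400000000000000000000012711215307214500226530ustar00rootroot00000000000000#!/bin/sh -efu

# For noarch packages, reject dependency names and file paths that match the
# shared-library and lib64 patterns below.
# Reads:     rpm_arch (must be set and non-empty), rpm_requires,
#            rpm_provides, rpm_filenames
# Arguments: $1 - package file name passed on to FileError
# Returns:   0 for other architectures or when nothing matches, 1 otherwise
check_noarch()
{
	local f="$1"; shift || return
	local rc=0

	case ${rpm_arch:?} in
		noarch) ;;
		*) return ;;
	esac

	local bad_deps
	# Only the first space-separated field of each dependency is matched.
	# NOTE(review): in the first alternative "[.].so" is a literal dot, then
	# any one character, then "so"; confirm that "[.]so" was not intended.
	if bad_deps=$(printf '%s\n%s\n' "$rpm_requires" "$rpm_provides" |cut -d' ' -f1 |
			grep -E '^lib[^(/)]+[.].so\>|[.]so\>[^/]*[(]|^/lib64/|^/usr/lib64/' ); then
		FileError "invalid noarch dependencies: $(oneliner "$bad_deps")" "$f"
		rc=1
	fi

	local bad_files
	if bad_files=$(printf '%s\n' "$rpm_filenames" |grep -E '^/lib64/|^/usr/lib64/'); then
		FileError "invalid noarch file paths: $(oneliner "$bad_files")" "$f"
		rc=1
	fi

	return $rc
}

# Entry point of this check: run check_noarch on $1 and print the summary
# line through CheckError when it fails.
run_check()
{
	if ! check_noarch "$1"; then
		CheckError 'noarch packaging violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/210-check-kernel000064400000000000000000000072371215307214500226720ustar00rootroot00000000000000#!/bin/sh -efu

# Stop with the given message when a variable this check reads is unset.
rpm_name="${rpm_name?RPM name required}"
rpm_release="${rpm_release?RPM release required}"
rpm_group="${rpm_group?RPM group required}"
rpm_requires="${rpm_requires?}"
package_type="${package_type?}"

# Print a numeric code for the kernel version at the start of RELEASE
# ("A.B.C[.D]", everything from the first "-" on is ignored):
# A*65536 + B*256 + C, followed by ".eD" when a fourth component exists.
# Arguments: $1 - version string taken from the kernel image requirement
# Returns:   1, printing nothing, unless A, B and C are decimal numbers
#            without leading zeros
kernel_version_code()
{
	local release="$1" && shift
	local kver version patchlevel sublevel suffix component

	kver="$(printf %s "$release" | cut -d- -f1)"
	version="$(printf %s "$kver" | cut -d. -f1)"
	patchlevel="$(printf %s "$kver" | cut -d. -f2)"
	sublevel="$(printf %s "$kver" | cut -d. -f3)"
	suffix="$(printf %s "$kver" | cut -d. -f4)"

	# The components come from the dependencies of the package under
	# check, and the shell evaluates the text it finds inside $(( )) as an
	# expression.  Let only canonical decimal numbers through; a leading
	# zero would also be read as octal.
	for component in "$version" "$patchlevel" "$sublevel"; do
		case "$component" in
			''|*[!0-9]*|0?*) return 1 ;;
		esac
	done

	[ -z "$suffix" ] || suffix=".e$suffix"

	printf '%s' "$(($version * 65536 + $patchlevel * 256 + $sublevel))$suffix"
}

# Version/release rules for a module built from the kernel image source
# package.  Uses f, kernel_version and kernel_release as set by the caller
# (check_kmodule) together with rpm_version and rpm_release.
# Returns: 1 after reporting the first mismatch
check_builtin_kmodule()
{
	# VERSION must equal the kernel version, either as a whole or after
	# its shortest prefix ending in "_" is removed.
	if [ "$rpm_version" != "$kernel_version" ] &&
	   [ "${rpm_version#*_}" != "$kernel_version" ]; then
		FileError "kernel module VERSION ($rpm_version) should contain kernel image version ($kernel_version)" "$f"
		return 1
	fi
	if [ "$rpm_release" != "alt$kernel_release" ]; then
		FileError "kernel module RELEASE ($rpm_release) and kernel image release (alt$kernel_release) should be identical" "$f"
		return 1
	fi
}

# Release rule for a module built from its own source package: RELEASE must
# end with ".<kernel_code>.<kernel_release>".  Uses f, kernel_version,
# kernel_code and kernel_release as set by the caller (check_kmodule).
# Returns: 1 after reporting
check_standalone_kmodule()
{
	# Empty when kernel_version_code rejected the required version.
	if [ -z "$kernel_code" ]; then
		FileError "kernel module requirement specifies an unsupported kernel version ($kernel_version)" "$f"
		return 1
	fi
	# The suffix is quoted so that it is compared literally; unquoted, any
	# pattern characters in the package-supplied values would be honoured.
	if [ "$rpm_release" = "${rpm_release%".$kernel_code.$kernel_release"}" ]; then
		FileError "kernel module RELEASE ($rpm_release) should end with appropriate suffix (.$kernel_code.$kernel_release) to match kernel image version and release specified by requirements on kernel image" "$f"
		return 1
	fi
}

# Name prefix of the required kernel package; set by run_check.
kernel_pattern=

# Check a kernel module package against the single kernel image it requires.
# Reads:     rpm_arch, rpm_name, rpm_requires, rpm_sourcerpm, kernel_pattern
# Arguments: $1 - package file name passed on to FileError
# Returns:   1 after reporting the first violation
check_kmodule()
{
	local f="$1" && shift || return 1

	if [ "$rpm_arch" = 'noarch' ]; then
		FileError "architecture should not be 'noarch'" "$f"
		return 1
	fi

	local kernel_require kernel_flavour kernel_version kernel_release kernel_code
	local nl='
'

	# Field 2 of every requirement is dropped; the lines kept are those
	# that start with the kernel package prefix.
	kernel_require="$(printf %s "$rpm_requires" |cut -d' ' -f1,3- |grep "^$kernel_pattern" |sort -u)"
	if [ -z "$kernel_require" ]; then
		FileError "kernel module should require kernel image" "$f"
		return 1
	fi
	# sort -u leaves one requirement per line, so a newline means that more
	# than one kernel image is required.  (A test for a space would reject
	# every "NAME = VERSION" requirement that the next check asks for.)
	case "$kernel_require" in
		*"$nl"*)
			FileError "kernel module should require only one kernel image" "$f"
			return 1
			;;
	esac
	if [ -n "${kernel_require##* = *}" ]; then
		FileError "kernel module requirement should specify a kernel version" "$f"
		return 1
	fi

	kernel_flavour="${kernel_require#"$kernel_pattern"}"
	kernel_flavour="${kernel_flavour%% *}"
	kernel_version="${kernel_require##* = }"
	kernel_version="${kernel_version#*:}"		# strip the epoch
	kernel_version="${kernel_version%%-alt*}"
	# Left empty when the version is rejected; check_standalone_kmodule
	# reports that case.
	kernel_code="$(kernel_version_code "$kernel_version")" || kernel_code=
	kernel_release="${kernel_require##*-alt}"

	# Literal comparison of the flavour suffix, see check_standalone_kmodule.
	if [ "$rpm_name" = "${rpm_name%"-$kernel_flavour"}" ]; then
		FileError "kernel module flavour mismatch, expected flavour is '$kernel_flavour'" "$f"
		return 1
	fi

	if [ "$rpm_sourcerpm" != "$kernel_pattern$kernel_flavour-$kernel_version-alt$kernel_release.src.rpm" ]; then
		check_standalone_kmodule || return 1
	else
		check_builtin_kmodule || return 1
	fi
}

# Check that GROUP has the value expected for the kernel package name.
# Reads:     rpm_name, rpm_group
# Arguments: $1 - package file name passed on to FileError
# Returns:   0 for names without an expected group or on a match, 1 otherwise
check_kernel_group()
{
	local f="$1" && shift || return 1
	local group

	case "$rpm_name" in
		kernel-headers-*|kernel-source-*)
			group='Development/Kernel'
			;;
		kernel-image-*|kernel-modules-*)
			group='System/Kernel and hardware'
			;;
		*)
			return 0
			;;
	esac

	if [ "$rpm_group" != "$group" ]; then
		FileError "package GROUP should be '$group'" "$f"
		return 1
	fi
}

# Entry point of this check.  Applies to kernel-* packages other than
# kernel-*-debuginfo: the group rule for all of them, the module rules for
# kernel-modules-* in addition.
run_check()
{
	local rc=0

	[ -z "${rpm_name##kernel-*}" ] && [ -n "${rpm_name##kernel-*-debuginfo}" ] ||
		return $rc

	check_kernel_group "$1" || rc=1

	if [ -n "${rpm_name##kernel-modules-*}" ]; then
		[ "$rc" = 0 ] || CheckError 'kernel package violation'
		return $rc
	fi

	# NOTE(review): kernel_pattern stays empty for any other package_type,
	# and "^" then matches every requirement - confirm that cannot happen.
	case "$package_type" in
		bin) kernel_pattern='kernel-image-' ;;
		src) kernel_pattern='kernel-headers-modules-' ;;
	esac

	check_kmodule "$1" || rc=1

	[ "$rc" = 0 ] || CheckError 'kernel module violation'
	return $rc
}
sisyphus_check-0.8.39/sisyphus_check.d/211-check-firmware000064400000000000000000000025341215307214500232220ustar00rootroot00000000000000#!/bin/sh -efu

rpm_arch="${rpm_arch?RPM arch required}"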
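rpm_name="${rpm_name?RPM name required}"
rpm_filenames="${rpm_filenames?RPM file list required}"

# Tie the "firmware-" package name prefix to files under /lib/firmware/.
# Reads:     package_type, rpm_name, rpm_filenames
# Arguments: $1 - package file name passed on to FileError
# Returns:   1 after reporting a name/content mismatch, 0 otherwise
check_firmware()
{
	# Check firmware for binary rpms only.
	[ "$package_type" = bin ] || return 0

	local f="$1" && shift || return 1
	local rc=0 firmware_name firmware_files

	# firmware_name: 1 when the name obliges the package to ship firmware,
	# 0 when the name forbids it.
	case "$rpm_name" in
		udev|kernel-image-*)
			# these packages are allowed (but not required) to package
			# objects inside /lib/firmware/
			return 0
			;;
		firmware-tools|firmware-tools-*)
			# these packages are not allowed to package objects
			# inside /lib/firmware/
			firmware_name=0
			;;
		firmware-*)
			# these packages are required to package objects
			# inside /lib/firmware/
			firmware_name=1
			;;
		*)
			# these packages are not allowed to package objects
			# inside /lib/firmware/
			firmware_name=0
			;;
	esac

	# firmware_files: 1 when something is packaged under /lib/firmware/.
	if printf %s "$rpm_filenames" 2>/dev/null |grep -qs '^/lib/firmware/'; then
		firmware_files=1
	else
		firmware_files=0
	fi

	case "$firmware_name,$firmware_files" in
		0,1)
			FileError "package NAME should start with the 'firmware-': $rpm_name" "$f"
			rc=1
			;;
		1,0)
			FileError "firmware files should be placed in /lib/firmware/" "$f"
			rc=1
			;;
		0,0)
			return 0
			;;
	esac

	return $rc
}

# Entry point of this check: run check_firmware on $1 and print the summary
# line through CheckError when it fails.
run_check()
{
	if ! check_firmware "$1"; then
		CheckError 'firmware packaging violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/220-check-python000064400000000000000000000054301215307214500227250ustar00rootroot00000000000000#!/bin/sh -efu

# Stop when any variable this check reads is unset.
: ${rpm_arch?} ${rpm_name?} ${rpm_filenames?} ${rpm_perms_filenames?} ${rpm_sourcerpm?}

# Python packaging rules: allowed subdirectories of the python libdir,
# package name prefixes for modules, no requirements across python2 and
# python3, and site-packages paths that fit the package architecture.
# Reads:     package_type, rpm_arch, rpm_name, rpm_filenames,
#            rpm_perms_filenames, rpm_requires, rpm_sourcerpm
# Arguments: $1 - package file name passed on to FileError
# Returns:   1 when at least one rule is violated, 0 otherwise
#
# NOTE(review): "[0-9]" in the patterns below matches a one-digit minor
# version only, so a path such as /usr/lib/python3.10/ matches none of them;
# confirm whether that is intended.
check_python()
{
	# Check python for binary rpms only.
	[ "$package_type" = bin ] || return 0

	# python base packages are exception.
	if printf %s "$rpm_sourcerpm" |
	   grep -E -qx 'python([2-9](\.[0-9])?)?-[^-]+-[^-]+'; then
		return 0
	fi

	local f="$1" && shift || return 1
	local rc=0

	# Something under the python libdir lies outside the three allowed
	# subdirectories.
	if printf %s "$rpm_filenames" 2>/dev/null |
	   grep -E '^/usr/lib(64)?/python[23][.][0-9]/' 2>/dev/null |
	   grep -E -vqs '^/usr/lib(64)?/python[23][.][0-9]/(lib-dynload|site-packages|tools)/'; then
		FileError 'python files inside %python_libdir can be placed only in %python_sitelibdir, %python_tooldir and %python_dynlibdir' "$f"
		rc=1
	fi

	# All the rest is related to python modules only.
	printf %s "$rpm_filenames" 2>/dev/null |
		grep -E -qs '^/usr/lib(64)?/python[23][.][0-9]/site-packages/' ||
		return $rc

	if [ -n "${rpm_name##python-module-*}" ]; then
		# Not named python-module-*: an error when every packaged path is
		# under python2 site-packages or /usr/share/doc.
		if ! printf %s "$rpm_filenames" 2>/dev/null |
		     grep -E -qsv '^/usr/(lib(64)?/python2[.][0-9]/site-packages|share/doc)/'; then
			FileError 'package NAME should start with the "python-module-" prefix' "$f"
			rc=1
		fi
	else
		if printf %s "$rpm_requires" 2>/dev/null |
		   cut -d' ' -f1 |
		   grep -Eqs '^(/usr/bin/)?python3'; then
			FileError 'python2 modules should not have python3 requirements' "$f"
			rc=1
		fi
	fi

	if [ -n "${rpm_name##python3-module-*}" ]; then
		# Not named python3-module-*: the same test for python3
		# site-packages.
		if ! printf %s "$rpm_filenames" 2>/dev/null |
		     grep -E -qsv '^/usr/(lib(64)?/python3[.][0-9]/site-packages|share/doc)/'; then
			FileError 'package NAME should start with the "python3-module-" prefix' "$f"
			rc=1
		fi
	else
		if printf %s "$rpm_requires" 2>/dev/null |
		   cut -d' ' -f1 |
		   grep -Eqs '^(/usr/bin/)?python($|[^3])'; then
			FileError 'python3 modules should not have python2 requirements' "$f"
			rc=1
		fi
	fi

	# bad_dirs: the site-packages tree that does not fit the architecture.
	# noarch_pattern: "perms path" entries tolerated inside that tree -
	# directories and regular *.py, *.pyc, *.pyo files (x86_64 only).
	local bad_dirs= noarch_pattern=
	case "$rpm_arch" in
		noarch|i?86|pentium*|athlon*)
			bad_dirs='/usr/lib64/python[23][.][0-9]/site-packages/'
			;;
		x86_64|amd64)
			noarch_pattern='^d[^ ]+ /usr/lib/python[23][.][0-9]/site-packages/|^-[^ ]+ /usr/lib/python[23][.][0-9]/site-packages/.*\.py([co])?$'
			bad_dirs='/usr/lib/python[23][.][0-9]/site-packages/'
			;;
	esac

	local bad_files=
	if [ -n "$bad_dirs" ]; then
		bad_files="$(printf %s "$rpm_perms_filenames" |
			grep -E "^[^ ]+ $bad_dirs" ||:)"
	fi
	if [ -n "$bad_files" ] && [ -n "$noarch_pattern" ]; then
		bad_files="$(printf %s "$bad_files" |
			grep -E -v "$noarch_pattern" ||:)"
	fi
	if [ -n "$bad_files" ]; then
		# Drop the permissions column; the message shows only the first
		# line that fmt produces at width 128.
		bad_files="$(printf %s "$bad_files" |cut -d' ' -f2-)"
		FileError "invalid $rpm_arch python module path: $(oneliner "$bad_files" |fmt -w 128 |head -n1)" "$f"
		rc=1
	fi

	return $rc
}

# Entry point of this check: run check_python on $1 and print the summary
# line through CheckError when it fails.
run_check()
{
	if ! check_python "$1"; then
		CheckError 'python modules packaging violation'
		return 1
	fi
}
sisyphus_check-0.8.39/sisyphus_check.d/230-check-bindir000064400000000000000000000011771215307214500226600ustar00rootroot00000000000000#!/bin/sh -efu

# Write the matched lines in $1 to stderr with every control character
# except the newline separator replaced by a space.  FileError filters its
# own text in a similar way; the lines come from the metadata of the
# package under check and must not reach a terminal or log unfiltered.
bindir_show_matches()
{
	printf '%s\n' "$1" |tr '\001-\011\013-\037\177' ' ' >&2
}

# Reject nested paths, nested provides and entries whose type is neither a
# regular file nor a symlink directly inside the bin directories.
# Reads:     rpm_filenames, rpm_provides, rpm_perms_filenames
# Arguments: $1 - package file name passed on to FileError
# Outputs:   the offending lines on stderr, then a FileError line
# Returns:   1 when any of the three tests matched, 0 otherwise
check_bindir()
{
	local f="$1" rc=0
	local dirs_or='bin|sbin|usr/bin|usr/sbin|usr/games|usr/lib/kde4bin'
	local hits

	# A path at least one directory level below a bin directory.
	if hits=$(printf %s "$rpm_filenames" |grep -E "^/($dirs_or)/.*/"); then
		bindir_show_matches "$hits"
		FileError "invalid bindir file paths" "$f"
		rc=1
	fi
	# The same for provided paths, up to the first space.
	if hits=$(printf %s "$rpm_provides" |grep -E "^/($dirs_or)/[^ ]*/"); then
		bindir_show_matches "$hits"
		FileError "invalid bindir provides" "$f"
		rc=1
	fi
	# A direct child of a bin directory whose mode string starts with
	# neither "-" nor "l".
	if hits=$(printf %s "$rpm_perms_filenames" |grep -E "^[^l-]...(...)... /($dirs_or)/[^/]+\$"); then
		bindir_show_matches "$hits"
		FileError "invalid bindir file modes" "$f"
		rc=1
	fi

	return $rc
}

run_check() { if !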
check_bindir "$1"; then CheckError 'bindir packaging violation' return 1 fi } sisyphus_check-0.8.39/sisyphus_check.d/240-check-browser000064400000000000000000000013521215307214500230700ustar00rootroot00000000000000#!/bin/sh -efu : ${rpm_filenames?} ${rpm_sourcerpm?} check_browser() { # Check for binary rpms only. [ "$package_type" = bin ] || return 0 local f="$1" && shift || return 1 local srpm_name bad_dirs srpm_name="${rpm_sourcerpm%-*}" srpm_name="${srpm_name%-*}" [ "$srpm_name" = 'mozilla-common' ] && bad_dirs='^/usr/lib(64)?/browser-plugins-npapi(/|$)' || bad_dirs='^/usr/lib(64)?/(browser-plugins-npapi(/|$)|mozilla$)' local bad_files if [ -n "$bad_dirs" ] && bad_files=$(printf %s "$rpm_filenames" |egrep "$bad_dirs"); then FileError "invalid browser path: $(oneliner "$bad_files")" "$f" return 1 fi return 0 } run_check() { if ! check_browser "$1"; then CheckError 'browser pathnames violation' return 1 fi } sisyphus_check-0.8.39/sisyphus_check.spec000064400000000000000000000364571215307214500205540ustar00rootroot00000000000000Name: sisyphus_check Version: 0.8.39 Release: alt1 Summary: package checker for Sisyphus License: GPLv2+ Group: Development/Other BuildArch: noarch Source: %name-%version.tar Requires: file, getopt, mktemp >= 1:1.3.1, rpm Conflicts: sisyphus < 0.7.2 %description This package contains sisyphus_check utility. %prep %setup %install install -pD -m644 fhs %buildroot%_sysconfdir/%name/fhs install -pD -m755 %name %buildroot%_bindir/%name install -pD -m644 sisyphus-check-functions \ %buildroot%_bindir/sisyphus-check-functions mkdir -p -- %buildroot%_sysconfdir/ cp -a -- sisyphus_check.d %buildroot%_sysconfdir/%name/check.d %files %config %_sysconfdir/%name %_bindir/* %changelog * Mon Jun 03 2013 Dmitry V. Levin 0.8.39-alt1 - 210-check-kernel (kernel_version_code): + changed algorithm for 4-component kernel versions support. * Fri May 31 2013 Dmitry V. Levin 0.8.38-alt1 - 100-check-deps: allowed kernel deps in packages built from kernel-image-*. 
- 210-check-kernel: + added support for 4-component kernel versions; + relaxed kernel module version check (by led@; closes: #28908). * Thu Jan 24 2013 Dmitry V. Levin 0.8.37-alt1 - 211-check-firmware: added exception for firmware-tools and firmware-tools-* (closes: #28284). - fhs: added exception for msp430* packages (closes: #28286). * Wed Dec 05 2012 Dmitry V. Levin 0.8.36-alt1 - 090-check-nvr: added a check for package name validity. * Wed Sep 12 2012 Dmitry V. Levin 0.8.35-alt1 - 211-check-firmware: removed "noarch" check (closes: #27709). * Fri Apr 13 2012 Dmitry V. Levin 0.8.34-alt1 - 220-check-python: implemented additional restrictions on requirements between python2 and python3 modules (closes: #27194). * Tue Apr 10 2012 Dmitry V. Levin 0.8.33-alt1 - 220-check-python: + reverted the change made in 0.8.32-alt1; + disallowed python3 requirements in python2 modules and vice versa (closes: #27194). * Thu Apr 05 2012 Dmitry V. Levin 0.8.32-alt1 - 220-check-python: ignore "i586-" arepo prefix in package names. * Wed Feb 08 2012 Vitaly Kuznetsov 0.8.31-alt1 - 220-check-python: add special python3-module-* packages handling. * Mon Jan 16 2012 Alexey Gladkov 0.8.30-alt1 - 240-check-browser: allow /usr/lib*/mozilla/* (closes: #26808). * Tue Dec 20 2011 Dmitry V. Levin 0.8.29-alt1 - 220-check-python: allow packaging of *.py* files in the arch-independent site-packages directory on x86-64 (closes: #26728). * Thu Dec 15 2011 Vitaly Kuznetsov 0.8.28-alt1 - 220-check-python: add exception for python3 source package as well. * Wed Sep 21 2011 Dmitry V. Levin 0.8.27-alt1 - 140-check-perms: added check that accessible directories have appropriate executable bits set. * Thu Sep 15 2011 Dmitry V. Levin 0.8.26-alt1 - Removed /usr/X11R6 (see ALT#11699). * Wed May 04 2011 Dmitry V. Levin 0.8.25-alt1 - 210-check-kernel (check_kmodule): strip epoch number from kernel_version. * Tue Apr 26 2011 Dmitry V. 
Levin 0.8.24-alt1 - fhs: changed exception for mingw64-* packages (closes: #25453). * Sun Apr 17 2011 Dmitry V. Levin 0.8.23-alt1 - fhs: added exception for mingw64-* packages (closes: #25453). * Tue Apr 05 2011 Dmitry V. Levin 0.8.22-alt1 - fhs: renamed SysVinit to sysvinit. * Mon Mar 28 2011 Dmitry V. Levin 0.8.21-alt1 - 100-check-deps (bad_deps): Removed xorg-x11-*, added xorg-x11-devel. * Wed Mar 23 2011 Alexey Tourbin 0.8.20-alt1 - 100-check-deps (bad_deps): Added xorg-x11-* xorg-devel libmesa-devel. - 210-check-kernel: Exempted kernel-*-debuginfo from this check. * Fri Sep 24 2010 Dmitry V. Levin 0.8.19-alt1 - 100-check-deps: Added /lib64/udev, /lib64/udev/rules.d and '(GLIBC_PRIVATE)' to the list of forbidden requirements. * Wed Mar 31 2010 Dmitry V. Levin 0.8.18-alt1 - 210-check-kernel: Enhanced error reporting. * Sun Mar 21 2010 Dmitry V. Levin 0.8.17-alt1 - 220-check-python: Updated source rpm name check for base python packages (closes: #23199). * Sun Nov 08 2009 Dmitry V. Levin 0.8.16-alt1 - 210-check-kernel: Fixed regression introduced by previous release. * Fri Nov 06 2009 Dmitry V. Levin 0.8.15-alt1 - 100-check-deps: + Updated list of forbidden requirements. + Added check for forbidden prerequirements. * Wed Oct 07 2009 Dmitry V. Levin 0.8.14-alt1 - 140-check-perms: + Introduced /etc/sudo.d/* permissions check (by Michael Shigorin; closes: #21864). + Improved error messages (by Michael Shigorin). - 240-check-browser: New check for invalid browser paths. * Thu Jul 23 2009 Dmitry V. Levin 0.8.13-alt1 - fhs: Added exception for mingw32-* packages (closes: #20845). - 211-check-firmware: Marked udev package as exception. * Wed Jul 15 2009 Alexey Tourbin 0.8.12-alt1 - 230-check-bindir: New check for invalid PATH files (e.g. /usr/bin/*/*). * Tue May 05 2009 Alexey Tourbin 0.8.11-alt1 - 130-check-fhs: Check provided paths as well (suggested by Dmitry V. Levin after we discovered "Provides: /usr/config.h" in opencascade.spec). * Fri Feb 20 2009 Dmitry V. 
Levin 0.8.10-alt1 - 220-check-python: New check for python policy compliance. * Fri Feb 13 2009 Dmitry V. Levin 0.8.9-alt1 - 211-check-firmware: Marked kernel-image-* packages as exception. * Fri Feb 13 2009 Dmitry V. Levin 0.8.8-alt1 - Merged 160-check-locales into 110-check-content (Alexey Gladkov). - 211-check-firmware: New check for firmware policy compliance (Alexey Gladkov), see http://www.altlinux.org/FirmwarePolicy for details. * Thu Feb 12 2009 Dmitry V. Levin 0.8.7-alt1 - sisyphus-check-functions (init_check): Updated packager_pattern to allow more spaces and disallow null elements. - 190-check-dirlist: Fixed typo in error message (Slava Semushin; closes: #17001). * Wed Oct 01 2008 Dmitry V. Levin 0.8.6-alt1 - 210-check-kernel: Special exception for kernel modules built within a kernel image (Alexey Gladkov). * Fri Sep 26 2008 Dmitry V. Levin 0.8.5-alt1 - 210-check-kernel: New check for kernel policy compliance (Alexey Gladkov). - 010-check-gpg, 060-check-summary, 070-check-description: Hide SIGPIPE (Alexey Gladkov). - 100-check-deps: Userspace packages should not depend from kernelspace (Alexey Gladkov). * Tue Sep 16 2008 Alexey Tourbin 0.8.4-alt1 - check-noarch: New check for soname dependencies and lib64 paths in noarch packages. * Fri Aug 29 2008 Dmitry V. Levin 0.8.3-alt1 - sisyphus_check: Added -[-no]-check=ALL special value (Alexey Gladkov; closes: #16662). * Sat Aug 09 2008 Alexey Tourbin 0.8.2-alt1 - check-dirlist: Prune stderr when *-files.req.list are missing (#16631). * Tue Jun 24 2008 Alexey Tourbin 0.8.1-alt1 - check-dirlist: New check for directory ownership with respect to /usr/lib/rpm/*-files.req.list files. * Sun May 11 2008 Dmitry V. Levin 0.8.0-alt1 - Factored out tests to %_sysconfdir/%name/check.d directory (legion). - Added options descriptions (legion). - check-deps: Added more forbidden patterns (at). - check-subdirs: New check for unpackaged subdirectories (at). - check-pkgconfig: New check for invalid pkg-config pathnames (at). 
- Optimized rpmquery invocations (at). - Enhanced error summaries. - Fixed signal handler. * Thu Mar 20 2008 Dmitry V. Levin 0.7.22-alt1 - fhs: Added dev-minimal (mike, #14889). * Fri Feb 08 2008 Dmitry V. Levin 0.7.21-alt1 - check_nvr: Disallowed ipl* and alt0 release numbers. - check_perms: Added check for world writable directories. - Disabled gpg check exception for kernel@packages.altlinux. * Tue Sep 18 2007 Dmitry V. Levin 0.7.20-alt1 - fhs: Added webserver-common (#11784). * Sat Aug 25 2007 Sergey Bolshakov 0.7.19-alt1 - fhs: /var/avahi, /var/resolv/var/avahi * Mon Jan 22 2007 Dmitry V. Levin 0.7.18-alt1 - check_files: Check file type manually, do not rely on file(1) utility. Perform quick sanity check prior to other checks. * Mon Apr 10 2006 Dmitry V. Levin 0.7.17-alt1 - check_fhs: Added /var/games (FHS-2.3, 5.7.1). * Thu Dec 22 2005 Dmitry V. Levin 0.7.16-alt1 - check_printable: Added check for changelogs (#7626). - Moved libtool la-files check to separate check_libtool() function and disabled new "libtool" check by default. - Split Usage() into show_help() and show_usage(). - Introduced --check* options. * Sun Oct 02 2005 Dmitry V. Levin 0.7.15-alt1 - check_locales: Fix bugs introduced in previous release. * Wed Sep 28 2005 Dmitry V. Levin 0.7.14-alt1 - check_locales: New check (legion). * Mon May 16 2005 Dmitry V. Levin 0.7.13-alt1 - fhs: added arm-palmos-* and prc-tools-common (raorn). * Thu May 12 2005 Dmitry V. Levin 0.7.12-alt1 - check_nvr: Add check for filename. - check_content: Adjust .la-files check for 64bit platforms. - New options: --files: Consider arguments as file names (closes #5652). --directories: Consider arguments as directory names; this is default mode, for compatibility with previous releases. * Wed Dec 29 2004 Dmitry V. Levin 0.7.11-alt1 - check_fhs: allow /usr/libexec/. - check_changelog, check_buildtime: enhanced wording. * Fri Nov 19 2004 Dmitry V. 
Levin 0.7.10-alt1 - check_content: added few checks for intersections with known packages. - fhs: added rule for udev. * Thu Nov 11 2004 Dmitry V. Levin 0.7.9-alt2 - Check for file type before rpmquery. - New option: --recursive. - Updated package dependencies. * Fri Oct 22 2004 Dmitry V. Levin 0.7.8-alt1 - Implemented support for check_gpgname() exceptions (legion). * Wed Sep 01 2004 Dmitry V. Levin 0.7.7-alt1 - check_content, check_fhs: enhanced error diagnostics. * Tue Aug 31 2004 Dmitry V. Levin 0.7.6-alt1 - check_gpgname: made the check case-insensitive. - check_fhs: added /lib64 and /usr/lib64 to builtin list. * Fri Aug 13 2004 Dmitry V. Levin 0.7.5-alt1 - New option: --trust-gpg-names. * Wed Aug 11 2004 Dmitry V. Levin 0.7.4.1-alt1 - check_gpgname: enhanced error diagnostics. * Tue Aug 10 2004 Dmitry V. Levin 0.7.4-alt1 - check_gpgname: new check. * Wed Jul 07 2004 Dmitry V. Levin 0.7.3-alt1 - check_fhs,check_intersects: do not use command substitutions. - Enhanced error diagnostics a bit. * Thu Jun 24 2004 Dmitry V. Levin 0.7.2-alt1 - Moved sisyphus_check to separate subpackage. * Mon Jun 07 2004 Dmitry V. Levin 0.7.1-alt1 - functions: fixed quiet mode. - sisyphus_check: added new option: verbose. - sisyphus_add_new: enabled quiet mode by default. * Sat Jun 05 2004 Dmitry V. Levin 0.7.0-alt1 - functions: optimized, thanks to legion@. - functions/check_buildtime: new check. - functions/check: use it. - sisyphus_check: added new options: quiet, fast-check, show-bad-files. * Thu May 13 2004 Dmitry V. Levin 0.6.0-alt1 - sisyphus_relink: added support for new style lists. - functions/{check_summary,check_description}: new checks. - functions/check: use them. * Thu Feb 19 2004 Dmitry V. Levin 0.5.6-alt1 - functions/check_changelog: added check for empty changelog text. * Mon Feb 09 2004 Dmitry V. Levin 0.5.5-alt1 - functions/check_deps: + added initscripts to the list of forbidden dependencies. 
- functions/check_nvr: + new check (for invalid name-version-release). - functions/check: + use it. * Wed Nov 26 2003 Dmitry V. Levin 0.5.4-alt1 - functions/check_content: new check (forbidden .la files). - config: + define VERSION; + added --no-oldhashfile to GENBASEDIR_OPT_ARGS. - sisyphus_genhash: pass architecture and version to genbasedir. * Sun Nov 02 2003 Dmitry V. Levin 0.5.3-alt1 - sisyphus_check: + new option: --no-check=LIST; + better error diagnostics. * Tue Oct 28 2003 Dmitry V. Levin 0.5.2-alt1 - sisyphus/fhs: new file. - functions: use it. - sisyphus_check,sisyphus_add_new: turn into bash script. - functions/check_gpg: ignore default keyring. - functions/check*: better error checking. * Fri Oct 17 2003 Dmitry V. Levin 0.5.1-alt1 - functions/check_changelog: added check for packager format. - functions,sisyphus_check: added support to skip some checks. - functions/check*: better error checking. * Tue Sep 23 2003 Dmitry V. Levin 0.4.10-alt1 - functions/check_deps: added check for invalid dependencies. * Thu Sep 18 2003 Dmitry V. Levin 0.4.9-alt1 - functions/check_printable: new check. - functions/check: use it (#932). - functions/upload_{src,bin}: remove unused functions. - functions/check*: better error checking. * Tue Sep 09 2003 Dmitry V. Levin 0.4.8-alt1 - functions/check_buildhost: new check. - functions/check: use it. * Wed Aug 20 2003 Dmitry V. Levin 0.4.7-alt1 - sisyphus_gen_contents: new script. - functions/check_fhs: fixed possible false alarms on empty list. - functions/check_deps: added to forbidden requires: fileutils, sh-utils, textutils. * Thu Jun 05 2003 Stanislav Ievlev 0.4.6-alt1.1 - sync * Wed May 14 2003 Dmitry V. Levin 0.4.6-alt1 - sisyphus_check: check deps. * Tue Apr 29 2003 Dmitry V. Levin 0.4.5-alt1 - sisyphus_check: check permissions in source archive. * Sat Apr 19 2003 Dmitry V. Levin 0.4.4-alt1 - Updated. * Wed Feb 19 2003 Stanislav Ievlev 0.4.3-alt1 - sync.
new checks (FHS) * Tue Dec 10 2002 Stanislav Ievlev 0.4.2-alt1 - sync. new relink algo by ldv. unset LC_* * Mon Oct 21 2002 Stanislav Ievlev 0.4.1-alt5 - sync * Fri Sep 27 2002 Stanislav Ievlev 0.4.1-alt4 - sync * Tue Sep 10 2002 Stanislav Ievlev 0.4.1-alt3 - sync with latest changes: - new utils: sisyphus_relink sisyphus_add_new * Tue Aug 13 2002 Stanislav Ievlev 0.4.1-alt2 - rebuild to fix deps * Mon Aug 12 2002 Stanislav Ievlev 0.4.1-alt1 - sync last changes - added changelog checking * Thu Aug 08 2002 Stanislav Ievlev 0.4-alt1 - sync last changes - added symlink incoming_cleanup to sisyphus_cleanup_incoming - added automatic package group check, suid/sgid check - added sisyphus_check utility - check() moved to functions - /etc/sisyphus/functions no config(noreplace) now * Thu Jun 20 2002 Dmitry V. Levin 0.3.1-alt1 - More code cleanup. * Thu Jun 20 2002 Dmitry V. Levin 0.3-alt1 - Specfile and code cleanup. * Mon Jun 10 2002 Stanislav Ievlev 0.2-alt1 - added master repository - added cleanup dups script * Wed Jun 05 2002 Stanislav Ievlev 0.1-alt1 - Initial release for Sisyphus