rpmlint/rpmlint.config

# -*- python -*-

# System wide rpmlint default configuration.  Do not modify, override/add
# options in /etc/rpmlint/config and/or ~/.rpmlintrc as needed.

import os.path
import re
import sys

from Config import *
import Pkg


setOption("CompressExtension", "gz")
setOption("DefaultPythonVersion", sys.version[:3])
setOption("KernelModuleRPMsOK", False)
setOption("MaxLineLength", 80)
setOption("NetworkEnabled", True)
setOption("ReleaseExtension", r'\.(fc|rhe?l|el)\d+(?=\.|$)')
setOption("UseDebugSource", True)
setOption("UseDefaultRunlevels", False)
setOption("UseEpoch", False)
setOption("UseUTF8", True)
setOption("UseVersionInChangeLog", True)
setOption("ValidSrcPerms", (int("664",8), int("644",8), ))
setOption("ValidGroups", [])

setOption("ValidShells", (
    "<lua>",
    "/bin/sh",
    "/bin/bash",
    "/sbin/ldconfig",
    "/usr/bin/perl",
    "/usr/bin/python",
    "/usr/bin/python2",
    "/usr/bin/python3",
))

setOption("DanglingSymlinkExceptions", (
    ['consolehelper$', 'usermode'],
    ['consolehelper-gtk$', 'usermode-gtk'],
))

setOption("ValidLicenses", (
    # These are the short names for all of the Fedora approved licenses.
    # The master list is kept here: http://fedoraproject.org/wiki/Licensing
    # Last synced with revision "2.47, July 3, 2018" of that page.
    'AAL',
    'Abstyles',
    'Adobe',
    'ADSL',
    'AFL',
    'Afmparse',
    'AGPLv1',
    'AGPLv3',
    'AGPLv3+',
    'AGPLv3 with exceptions',
    'AMDPLPA',
    'AML',
    'AMPAS BSD',
    'ANTLR-PD',
    'APAFML',
    'App-s2p',
    'APSL 2.0',
    'ARL',
    'Array',
    'Artistic 2.0',
    'Artistic clarified',
    'ASL 1.0',
    'ASL 1.1',
    'ASL 2.0',
    'Bahyph',
    'Barr',
    'Beerware',
    'BeOpen',
    'Bibtex',
    'BitTorrent',
    'Boost',
    'Borceux',
    'BSD',
    'BSD Protection',
    'BSD with advertising',
    'BSD with attribution',
    'CATOSL',
    'CC0',
    'CeCILL',
    'CeCILL-B',
    'CeCILL-C',
    'CDDL-1.0',
    'CDDL-1.1',
    'CNRI',
    'Condor',
    'Copyright only',
    'CPAL',
    'CPL',
    'CPM',
    'CRC32',
    'Crossword',
    'Crystal Stacker',
    'Cube',
    'diffmark',
    'DMIT',
    'DOC',
    'Dotseqn',
    'DSDP',
    'dvipdfm',
    'DWPL',
    'ECL 1.0',
    'ECL 2.0',
    'eCos',
    'EFL 2.0',
    'eGenix',
    'Entessa',
    'EPICS',
    'EPL-1.0',
    'EPL-2.0',
    'ERPL',
    'EU Datagrid',
    'EUPL 1.1',
    'Eurosym',
    'Fair',
    'FDK-AAC',
    'FSFAP',
    'FSFUL',
    'FSFULLR',
    'FTL',
    'Giftware',
    'GL2PS',
    'Glide',
    'Glulxe',
    'gnuplot',
    'GPL+',
    'GPL+ or Artistic',
    'GPL+ with exceptions',
    'GPLv1',
    'GPLv2 or Artistic',
    'GPLv2+ or Artistic',
    'GPLv2',
    'GPLv2 with exceptions',
    'GPLv2+',
    'GPLv2+ with exceptions',
    'GPLv3',
    'GPLv3 with exceptions',
    'GPLv3+',
    'GPLv3+ with exceptions',
    'HaskellReport',
    'HSRL',
    'IBM',
    'IJG',
    'ImageMagick',
    'iMatix',
    'Imlib2',
    'Inner-Net',
    'Intel ACPI',
    'Interbase',
    'ISC',
    'Jabber',
    'JasPer',
    'JPython',
    'Julius',
    'Knuth',
    'Latex2e',
    'LBNL BSD',
    'Leptonica',
    'LGPLv2',
    'LGPLv2 with exceptions',
    'LGPLv2+',
    'LGPLv2+ or Artistic',
    'LGPLv2+ with exceptions',
    'LGPLv3',
    'LGPLv3 with exceptions',
    'LGPLv3+',
    'LGPLv3+ with exceptions',
    'Lhcyr',
    'libtiff',
    'LLGPL',
    'Logica',
    'LOSLA',
    'LPL',
    'LPPL',
    'MakeIndex',
    'mecab-ipadic',
    'midnight',
    'MirOS',
    'MIT',
    'MITNFA',
    'MIT with advertising',
    'mod_macro',
    'Motosoto',
    'MPLv1.0',
    'MPLv1.1',
    'MPLv2.0',
    'MS-PL',
    'MS-RL',
    'MTLL',
    'Mup',
    'Naumen',
    'NCSA',
    'NetCDF',
    'Netscape',
    'Newmat',
    'Newsletr',
    'NGPL',
    'NISTSL',
    'NLPL',
    'Nmap',
    'Nokia',
    'NOSL',
    'Noweb',
    'OGL',
    'OML',
    'OpenLDAP',
    'OpenPBS',
    'OpenSSL',
    'OReilly',
    'OSL 1.0',
    'OSL 1.1',
    'OSL 2.0',
    'OSL 2.1',
    'OSL 3.0',
    'Par',
    'Phorum',
    'PHP',
    'PlainTeX',
    'Plexus',
    'PostgreSQL',
    'psfrag',
    'psutils',
    'Public Domain',
    'Python',
    'Qhull',
    'QPL',
    'radvd',
    'Rdisc',
    'REX',
    'RiceBSD',
    'Romio',
    'RPSL',
    'RSA',
    'Rsfs',
    'Ruby',
    'Saxpath',
    'Sequence',
    'SCEA',
    'SCRIP',
    'Sendmail',
    'Sleepycat',
    'SISSL',
    'SLIB',
    'SNIA',
    'softSurfer',
    'SPL',
    'STMPL',
    'SWL',
    'TCGL',
    'TCL',
    'Teeworlds',
    'TGPPL',
    'TGPPL with exceptions',
    'Threeparttable',
    'TMate',
    'Tolua',
    'TORQUEv1.1',
    'TOSL',
    'TPDL',
    'TPL',
    'TTWL',
    'Tumbolia',
    'UCAR',
    'UCD',
    'Unicode',
    'Unlicense',
    'Vim',
    'VNLSL',
    'VOSTROM',
    'VSL',
    'W3C',
    'Webmin',
    'Wsuipa',
    'WTFPL',
    'wxWidgets',
    'wxWindows',
    'Xerox',
    'xinetd',
    'xpp',
    'XSkat',
    'YPLv1.1',
    'Zed',
    'Zend',
    'zlib',
    'zlib with acknowledgement',
    'ZPLv1.0',
    'ZPLv2.0',
    'ZPLv2.1',
    # Documentation licenses
    'CDL',
    'FBSDDL',
    'GFDL',
    'IEEE',
    'LDPL',
    'OFSFDL',
    'Open Publication',
    'Public Use',
    'Verbatim',
    # Content licenses
    'CC-BY',
    'CC-BY-ND',
    'CC-BY-SA',
    'DMTF',
    'DSL',
    'EFML',
    'Free Art',
    'GeoGratis',
    'Green OpenMusic',
    'OAL',
    'PDDL-1.0',
    # Font licenses
    'AMS',
    'Arphic',
    'Baekmuk',
    'Bitstream Vera',
    'Charter',
    'DoubleStroke',
    'ec',
    'Elvish',
    'Hershey',
    'HOFL',
    'IPA',
    'Liberation',
    'Lucida',
    'MgOpen',
    'mplus',
    'OFL',
    'PTFL',
    'Punknova',
    'STIX',
    'Utopia',
    'Wadalab',
    'XANO',
    # Others
    'Redistributable, no modification permitted',
    'Freely redistributable without restriction',
))

setOption('SystemLibPaths', ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))

# Add systemd dir to ignored path for UsrLibBinaryException
setOption('UsrLibBinaryException', r'^/usr/lib(64)?/(perl|python|ruby|menu|pkgconfig|ocaml|systemd|lib[^/]+\.(so|l?a)$|\.build-id)')

# Get standard users and groups from the setup package's uidgid file
setOption('StandardUsers', [])
setOption('StandardGroups', [])
setup_pkg = None
try:
    setup_pkg = Pkg.InstalledPkg('setup')
except:
    pass
if setup_pkg:
    users = set()
    groups = set()
    uidgid_regex = re.compile(r'^\s*(\S+)\s+(-|\d+)\s+(-|\d+|\(\d+\))\s')
    for uidgid_file in [x for x in setup_pkg.files() if x.endswith('/uidgid')]:
        if os.path.exists(uidgid_file):
            fobj = open(uidgid_file)
            try:
                for line in fobj.read().strip().splitlines():
                    res = uidgid_regex.search(line)
                    if res:
                        name = res.group(1)
                        if res.group(2) != '-':
                            users.add(name)
                        if res.group(3) != '-' and not '(' in res.group(3):
                            groups.add(name)
                    del res
                del line
            finally:
                fobj.close()
            del fobj
    setOption('StandardUsers', sorted(users))
    setOption('StandardGroups', sorted(groups))
    del uidgid_regex, uidgid_file, users, groups
del setup_pkg

# Output filters
addFilter("source-or-patch-not-compressed")
addFilter("%mklibname")
addFilter("no-dependency-on (perl|python)-base")
addFilter("no-dependency-on locales-")
addFilter("(python|perl5)-naming-policy-not-applied")
addFilter("no-(packager-tag|signature)")
addFilter("incoherent-version-in-name")
addFilter("invalid-build-requires")
addFilter("ghost-files-without-postin")
addFilter("postin-without-ghost-file-creation")
addFilter("no-major-in-name")
addFilter("no-provides")
addFilter("executable-in-library-package")
addFilter("non-versioned-file-in-library-package")
addFilter("requires-on-release")
addFilter("jar-not-indexed")
addFilter("outside-libdir-files")
addFilter("-debug(info|source).* no-documentation")
addFilter("-debuginfo.* /usr/lib/debug/")
addFilter("-debugsource.* /usr/src/debug/")
addFilter("non-standard-dir-in-usr libexec")
addFilter("^gpg-pubkey:")
addFilter(" doc-file-dependency .* /bin/sh$")
addFilter("hardcoded-library-path .*/lib/udev(/|$)")
addFilter("not-standard-release-extension")
addFilter("explicit-lib-dependency (liberation-fonts|libertas-.*-firmware|libvirt$|.*-(java|python|utils)$)")
addFilter("explicit-lib-dependency (python-.*lib.*|python2-.*lib.*|python3-.*lib.*)$")
addFilter("explicit-lib-dependency libreoffice.*$")
addFilter("filename-too-long-for-joliet")
addFilter("symlink-should-be-")
addFilter(r"dangling-\S*symlink /usr/share/doc/HTML/\S+/common .+/common$")
addFilter(r"hidden-file-or-dir .*/man5/\.k5login\.5[^/]+$")
addFilter(r"blender.+ (wrong-script-interpreter|non-executable-script) .+/blender/.+\.py.*BPY.*")
# Fedora 12 and newer no longer need a buildroot defined, to have the buildroot cleaned at the beginning
# of %install, and do not need to define a %clean section unless the default is invalid.
addFilter("no-cleaning-of-buildroot")
addFilter("no-buildroot-tag")
addFilter("no-%clean-section")
# Only EL4 needs the files-attr-not-set check, because rpm 4.4 and newer no longer need a %defattr line
# (it automatically provides one).
addFilter("files-attr-not-set")
# Don't bother with the non-ghost-in-run checks, /var/lock and /var/run are
# symlinks to /run/lock and /run respectively, and /run is a tmpfs
addFilter("non-ghost-in-run")
# Someone thought it was a good idea to make .desktop files executable. They were wrong.
# Nevertheless, I do not yet control the universe, so we squelch the error here.
addFilter(r"script-without-shebang .*\.desktop$")
# Some files in /etc/ are not meant to be modified by the sysadmin
addFilter("non-conffile-in-etc /etc/rpm/.*$")
addFilter("non-conffile-in-etc /etc/rc.d/init.d/.*$")
# Fixed in rpm >= 4.7.1
addFilter("broken-syntax-in-scriptlet-requires") 
# Files that are intentionally not supposed to be readable
# Contains passwords
addFilter("non-readable /etc/ovirt-engine/isouploader.conf")
# Ignore webservers which are just broken.
addFilter(r"invalid-url .*\.googlecode\.com/.*HTTP Error 404")
addFilter(r"invalid-url .*\.jboss\.org/.*HTTP Error 403")
addFilter(r"invalid-url .*bitbucket\.org/.*HTTP Error 403")
addFilter(r"invalid-url .*github\.com/.*HTTP Error 403")
# Don't care about long descriptions on debuginfo packages
# They automatically include the package name and are always
# quite long.
addFilter("-debuginfo.* description-line-too-long")
# ignore "common" jargon words
# https://bugzilla.redhat.com/show_bug.cgi?id=1424684#c9
addFilter(r"spelling-error.* \b(runtime|Runtime|metadata|cryptographic|multi|linux|filesystem|filesystems|backend|backends|userspace|addon|wayland|Wayland|util|utils|lossless|virtualization|toolkits|libvirtd|crypto|glyphs|GStreamer|http|extensibility|codec|codecs|truetype|scalable|pluggable|pixbuf|Kerberos|customizable|bitstream|tcp|libXss|libs|libc|encodings|GLib|udev|posix|libpng|glapi|gbm|freedesktop|spi|realtime|preprocessor|libaudit|hypervisor|embeddable|distributable|devel|config|cairo|bootloader|adaptors|pragma|passphrase|malloc|libvirt|libmagic|io|datetime|boolean|argparse|py|pinentry|namespace|middleware|lowlevel|libxcb|libudev|libsoup|libgcrypt|libcom|iSCSI|initramfs|GObject|executables|dialogs|checkpolicy|bitmapped|assistive|btrfs|crypttab|defrag|dracut|hostname|luks|mountpoints|netdev|rpmnew|rpmsave|storaged|tss|unlocker)\b")
# Fedora no longer uses explicit ldconfig %post/%postun as of Fedora 28
addFilter("library-without-ldconfig-postin")
addFilter("library-without-ldconfig-postun")
# Ignore 700 dir perms here
addFilter("non-standard-dir-perm /etc/.* 700")
addFilter("non-standard-dir-perm /var/lib/.* 700")
# Fedora no longer requires install-info scriptlets
addFilter("info-files-without-install-info-postin")
addFilter("info-files-without-install-info-postun")
addFilter("postin-without-install-info")
# pip 20.2 generates PEP 376 "REQUESTED" marker (empty)
addFilter(r"zero-length .+/site-packages/.+\.dist-info/REQUESTED\b")
# py.typed files are empty
addFilter(r"zero-length .+/site-packages/.+/py\.typed\b")
# specfile-errors are listed twice, once with reason and once without
# we filter out the empty ones
addFilter(r"\.(src|spec): (E|W): specfile-error\s+$")

bad_crypto_warning = \
'''This application package calls a function to explicitly set crypto ciphers
for SSL/TLS. That may cause the application not to use the system-wide set
cryptographic policy and should be modified in accordance to:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies'''

call_blacklist = {'crypto-policy-non-compliance-openssl' :
                                     {'f_name' : 'SSL_CTX_set_cipher_list',
                                      'good_param' : 'PROFILE=SYSTEM',
                                      'description' : bad_crypto_warning},
                  'crypto-policy-non-compliance-gnutls-1' :
                                      {'f_name' : 'gnutls_priority_set_direct',
                                       'description' : bad_crypto_warning},
                  'crypto-policy-non-compliance-gnutls-2' :
                                      {'f_name' : 'gnutls_priority_init',
                                       'good_param' : 'SYSTEM',
                                       'description' : bad_crypto_warning}
                 }
setOption("WarnOnFunction", call_blacklist)

# https://bugzilla.redhat.com/496737, https://bugzilla.redhat.com/646455
for pkg, exe in (("coreutils", "/bin/su"),
                 ("krb5-workstation", "/usr/kerberos/bin/ksu"),
                 ("passwd", "/usr/bin/passwd"),
                 ("sudo", "/usr/bin/sudo(edit)?"),
                 ("upstart", "/sbin/initctl"),
                 ("usermode", "/usr/sbin/userhelper")):
    addFilter("%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04"
              % (pkg, exe))