458 lines
11 KiB
Python
458 lines
11 KiB
Python
# -*- python -*-
|
|
|
|
# System wide rpmlint default configuration. Do not modify, override/add
|
|
# options in /etc/rpmlint/config and/or ~/.rpmlintrc as needed.
|
|
|
|
import os.path
|
|
import re
|
|
import sys
|
|
|
|
from Config import *
|
|
import Pkg
|
|
|
|
|
|
setOption("CompressExtension", "gz")
|
|
setOption("DefaultPythonVersion", sys.version[:3])
|
|
setOption("KernelModuleRPMsOK", False)
|
|
setOption("MaxLineLength", 80)
|
|
setOption("NetworkEnabled", True)
|
|
setOption("ReleaseExtension", '\.(fc|rhe?l|el)\d+(?=\.|$)')
|
|
setOption("UseDefaultRunlevels", False)
|
|
setOption("UseEpoch", False)
|
|
setOption("UseUTF8", True)
|
|
setOption("UseVersionInChangeLog", True)
|
|
setOption("ValidSrcPerms", (int("664",8), int("644",8), ))
|
|
|
|
setOption("ValidShells", (
|
|
"<lua>",
|
|
"/bin/sh",
|
|
"/bin/bash",
|
|
"/sbin/ldconfig",
|
|
"/usr/bin/perl",
|
|
"/usr/bin/python",
|
|
))
|
|
|
|
setOption("DanglingSymlinkExceptions", (
|
|
['consolehelper$', 'usermode'],
|
|
['consolehelper-gtk$', 'usermode-gtk'],
|
|
))
|
|
|
|
setOption("ValidLicenses", (
|
|
# These are the short names for all of the Fedora approved licenses.
|
|
# The master list is kept here: http://fedoraproject.org/wiki/Licensing
|
|
# Last synced with revision "2.30, 11 September 2015" of that page.
|
|
'AAL',
|
|
'Abstyles',
|
|
'Adobe',
|
|
'ADSL',
|
|
'AFL',
|
|
'Afmparse',
|
|
'AGPLv1',
|
|
'AGPLv3',
|
|
'AGPLv3+',
|
|
'AGPLv3 with exceptions',
|
|
'AMDPLPA',
|
|
'AML',
|
|
'AMPAS BSD',
|
|
'APAFML',
|
|
'App-s2p',
|
|
'APSL 2.0',
|
|
'APSL 2.0+',
|
|
'ARL',
|
|
'Artistic 2.0',
|
|
'Artistic clarified',
|
|
'ASL 1.0',
|
|
'ASL 1.0+',
|
|
'ASL 1.1',
|
|
'ASL 1.1+',
|
|
'ASL 2.0',
|
|
'ASL 2.0+',
|
|
'Bahyph',
|
|
'Barr',
|
|
'Beerware',
|
|
'BeOpen',
|
|
'Bibtex',
|
|
'BitTorrent',
|
|
'Boost',
|
|
'Borceux',
|
|
'BSD',
|
|
'BSD Protection',
|
|
'BSD with advertising',
|
|
'BSD with attribution',
|
|
'CATOSL',
|
|
'CC0',
|
|
'CeCILL',
|
|
'CeCILL-B',
|
|
'CeCILL-C',
|
|
'CDDL',
|
|
'CNRI',
|
|
'Condor',
|
|
'Copyright only',
|
|
'CPAL',
|
|
'CPL',
|
|
'CRC32',
|
|
'Crossword',
|
|
'Crystal Stacker',
|
|
'Cube',
|
|
'diffmark',
|
|
'DMIT',
|
|
'DOC',
|
|
'Dotseqn',
|
|
'DSDP',
|
|
'dvipdfm',
|
|
'ECL 1.0',
|
|
'ECL 2.0',
|
|
'eCos',
|
|
'EFL 2.0',
|
|
'EFL 2.0+',
|
|
'eGenix',
|
|
'Entessa',
|
|
'EPICS',
|
|
'EPL',
|
|
'ERPL',
|
|
'EU Datagrid',
|
|
'EUPL 1.1',
|
|
'Eurosym',
|
|
'Fair',
|
|
'FSFUL',
|
|
'FSFULLR',
|
|
'FTL',
|
|
'Giftware',
|
|
'GL2PS',
|
|
'Glide',
|
|
'Glulxe',
|
|
'gnuplot',
|
|
'GPL+',
|
|
'GPL+ or Artistic',
|
|
'GPL+ with exceptions',
|
|
'GPLv1',
|
|
'GPLv2 or Artistic',
|
|
'GPLv2+ or Artistic',
|
|
'GPLv2',
|
|
'GPLv2 with exceptions',
|
|
'GPLv2+',
|
|
'GPLv2+ with exceptions',
|
|
'GPLv3',
|
|
'GPLv3 with exceptions',
|
|
'GPLv3+',
|
|
'GPLv3+ with exceptions',
|
|
'HaskellReport',
|
|
'HSRL',
|
|
'IBM',
|
|
'IJG',
|
|
'ImageMagick',
|
|
'iMatix',
|
|
'Imlib2',
|
|
'Intel ACPI',
|
|
'Interbase',
|
|
'ISC',
|
|
'Jabber',
|
|
'JasPer',
|
|
'JPython',
|
|
'Julius',
|
|
'Knuth',
|
|
'Latex2e',
|
|
'LBNL BSD',
|
|
'Leptonica',
|
|
'LGPLv2',
|
|
'LGPLv2 with exceptions',
|
|
'LGPLv2+',
|
|
'LGPLv2+ or Artistic',
|
|
'LGPLv2+ with exceptions',
|
|
'LGPLv3',
|
|
'LGPLv3 with exceptions',
|
|
'LGPLv3+',
|
|
'LGPLv3+ with exceptions',
|
|
'Lhcyr',
|
|
'libtiff',
|
|
'LLGPL',
|
|
'Logica',
|
|
'LOSLA',
|
|
'LPL',
|
|
'LPPL',
|
|
'MakeIndex',
|
|
'mecab-ipadic',
|
|
'midnight',
|
|
'MirOS',
|
|
'MIT',
|
|
'MITNFA',
|
|
'MIT with advertising',
|
|
'mod_macro',
|
|
'Motosoto',
|
|
'MPLv1.0',
|
|
'MPLv1.0+',
|
|
'MPLv1.1',
|
|
'MPLv1.1+',
|
|
'MPLv2.0',
|
|
'MS-PL',
|
|
'MS-RL',
|
|
'MTLL',
|
|
'Mup',
|
|
'Naumen',
|
|
'NCSA',
|
|
'NetCDF',
|
|
'Netscape',
|
|
'Newmat',
|
|
'Newsletr',
|
|
'NGPL',
|
|
'NLPL',
|
|
'Nmap',
|
|
'Nokia',
|
|
'NOSL',
|
|
'Noweb',
|
|
'OML',
|
|
'OpenLDAP',
|
|
'OpenPBS',
|
|
'OpenSSL',
|
|
'OReilly',
|
|
'OSL 1.0',
|
|
'OSL 1.0+',
|
|
'OSL 1.1',
|
|
'OSL 1.1+',
|
|
'OSL 2.0',
|
|
'OSL 2.0+',
|
|
'OSL 2.1',
|
|
'OSL 2.1+',
|
|
'OSL 3.0',
|
|
'OSL 3.0+',
|
|
'Par',
|
|
'Phorum',
|
|
'PHP',
|
|
'PlainTeX',
|
|
'Plexus',
|
|
'PostgreSQL',
|
|
'psfrag',
|
|
'psutils',
|
|
'Public Domain',
|
|
'Python',
|
|
'Qhull',
|
|
'QPL',
|
|
'Rdisc',
|
|
'REX',
|
|
'RiceBSD',
|
|
'Romio',
|
|
'RPSL',
|
|
'Rsfs',
|
|
'Ruby',
|
|
'Saxpath',
|
|
'SCEA',
|
|
'SCRIP',
|
|
'Sendmail',
|
|
'Sleepycat',
|
|
'SISSL',
|
|
'SLIB',
|
|
'SNIA',
|
|
'softSurfer',
|
|
'SPL',
|
|
'STMPL',
|
|
'SWL',
|
|
'TCL',
|
|
'Teeworlds',
|
|
'TGPPL',
|
|
'TGPPL with exceptions',
|
|
'Threeparttable',
|
|
'TMate',
|
|
'Tolua',
|
|
'TORQUEv1.1',
|
|
'TOSL',
|
|
'TPDL',
|
|
'TPL',
|
|
'TTWL',
|
|
'UCD',
|
|
'Unicode',
|
|
'Unlicense',
|
|
'Vim',
|
|
'VNLSL',
|
|
'VOSTROM',
|
|
'VSL',
|
|
'W3C',
|
|
'Webmin',
|
|
'Wsuipa',
|
|
'WTFPL',
|
|
'wxWidgets',
|
|
'Xerox',
|
|
'xinetd',
|
|
'xpp',
|
|
'XSkat',
|
|
'YPLv1.1',
|
|
'Zed',
|
|
'Zend',
|
|
'zlib',
|
|
'zlib with acknowledgement',
|
|
'ZPLv1.0',
|
|
'ZPLv1.0+',
|
|
'ZPLv2.0',
|
|
'ZPLv2.0+',
|
|
'ZPLv2.1',
|
|
'ZPLv2.1+',
|
|
# Documentation licenses
|
|
'CDL',
|
|
'FBSDDL',
|
|
'GFDL',
|
|
'IEEE',
|
|
'LDPL',
|
|
'OFSFDL',
|
|
'Open Publication',
|
|
'Public Use',
|
|
'Verbatim',
|
|
# Content licenses
|
|
'CC-BY',
|
|
'CC-BY-ND',
|
|
'CC-BY-SA',
|
|
'DMTF',
|
|
'DSL',
|
|
'EFML',
|
|
'Free Art',
|
|
'GeoGratis',
|
|
'Green OpenMusic',
|
|
'OAL',
|
|
# Font licenses
|
|
'AMS',
|
|
'Arphic',
|
|
'Baekmuk',
|
|
'Bitstream Vera',
|
|
'DoubleStroke',
|
|
'Hershey',
|
|
'IPA',
|
|
'Liberation',
|
|
'Lucida',
|
|
'MgOpen',
|
|
'mplus',
|
|
'OFL',
|
|
'PTFL',
|
|
'STIX',
|
|
'Utopia',
|
|
'Wadalab',
|
|
'XANO',
|
|
# Others
|
|
'Redistributable, no modification permitted',
|
|
'Freely redistributable without restriction',
|
|
))
|
|
|
|
setOption('SystemLibPaths', ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
|
|
|
|
# Add systemd dir to ignored path for UsrLibBinaryException
|
|
setOption('UsrLibBinaryException', '^/usr/lib/(perl|python|menu|pkgconfig|systemd|lib[^/]+\.(so|l?a)$)')
|
|
|
|
# Get standard users and groups from the setup package's uidgid file
|
|
setOption('StandardUsers', [])
|
|
setOption('StandardGroups', [])
|
|
setup_pkg = None
|
|
try:
|
|
setup_pkg = Pkg.InstalledPkg('setup')
|
|
except:
|
|
pass
|
|
if setup_pkg:
|
|
users = set()
|
|
groups = set()
|
|
uidgid_regex = re.compile(r'^\s*(\S+)\s+(-|\d+)\s+(-|\d+|\(\d+\))\s')
|
|
for uidgid_file in [x for x in setup_pkg.files() if x.endswith('/uidgid')]:
|
|
if os.path.exists(uidgid_file):
|
|
fobj = open(uidgid_file)
|
|
try:
|
|
for line in fobj.read().strip().splitlines():
|
|
res = uidgid_regex.search(line)
|
|
if res:
|
|
name = res.group(1)
|
|
if res.group(2) != '-':
|
|
users.add(name)
|
|
if res.group(3) != '-' and not '(' in res.group(3):
|
|
groups.add(name)
|
|
del res
|
|
del line
|
|
finally:
|
|
fobj.close()
|
|
del fobj
|
|
setOption('StandardUsers', sorted(users))
|
|
setOption('StandardGroups', sorted(groups))
|
|
del uidgid_regex, uidgid_file, users, groups
|
|
del setup_pkg
|
|
|
|
# Output filters
|
|
addFilter("source-or-patch-not-compressed")
|
|
addFilter("%mklibname")
|
|
addFilter("no-dependency-on (perl|python)-base")
|
|
addFilter("no-dependency-on locales-")
|
|
addFilter("(python|perl5)-naming-policy-not-applied")
|
|
addFilter("no-(packager-tag|signature)")
|
|
addFilter("incoherent-version-in-name")
|
|
addFilter("invalid-build-requires")
|
|
addFilter("ghost-files-without-postin")
|
|
addFilter("postin-without-ghost-file-creation")
|
|
addFilter("no-major-in-name")
|
|
addFilter("no-provides")
|
|
addFilter("executable-in-library-package")
|
|
addFilter("non-versioned-file-in-library-package")
|
|
addFilter("requires-on-release")
|
|
addFilter("jar-not-indexed")
|
|
addFilter("outside-libdir-files")
|
|
addFilter("-debuginfo.* no-documentation")
|
|
addFilter("-debuginfo.* /usr/lib/debug/")
|
|
addFilter("non-standard-dir-in-usr libexec")
|
|
addFilter("^gpg-pubkey:")
|
|
addFilter(" doc-file-dependency .* /bin/sh$")
|
|
addFilter("hardcoded-library-path .*/lib/udev(/|$)")
|
|
addFilter("not-standard-release-extension")
|
|
addFilter("explicit-lib-dependency (liberation-fonts|libertas-.*-firmware|libvirt$|.*-(java|python)$)")
|
|
addFilter("filename-too-long-for-joliet")
|
|
addFilter("symlink-should-be-")
|
|
addFilter("dangling-\S*symlink /usr/share/doc/HTML/\S+/common .+/common$")
|
|
addFilter("hidden-file-or-dir .*/man5/\.k5login\.5[^/]+$")
|
|
addFilter("blender.+ (wrong-script-interpreter|non-executable-script) .+/blender/.+\.py.*BPY.*")
|
|
# Fedora 12 and newer no longer need a buildroot defined, to have the buildroot cleaned at the beginning
|
|
# of %install, and do not need to define a %clean section unless the default is invalid.
|
|
addFilter("no-cleaning-of-buildroot")
|
|
addFilter("no-buildroot-tag")
|
|
addFilter("no-%clean-section")
|
|
# Only EL4 needs the files-attr-not-set check, because rpm 4.4 and newer no longer need a %defattr line
|
|
# (it automatically provides one).
|
|
addFilter("files-attr-not-set")
|
|
# Don't bother with the non-ghost-in-var-(lock|run) checks on Fedora 15 or newer
|
|
# since they have tmpfs /var/lock and /var/run.
|
|
addFilter("non-ghost-in-var-lock")
|
|
addFilter("non-ghost-in-var-run")
|
|
# Someone thought it was a good idea to make .desktop files executable. They were wrong.
|
|
# Nevertheless, I do not yet control the universe, so we squelch the error here.
|
|
addFilter("script-without-shebang .*\.desktop$")
|
|
# Some files in /etc/ are not meant to be modified by the sysadmin
|
|
addFilter("non-conffile-in-etc /etc/rpm/.*$")
|
|
addFilter("non-conffile-in-etc /etc/rc.d/init.d/.*$")
|
|
# Fixed in rpm >= 4.7.1
|
|
addFilter("broken-syntax-in-scriptlet-requires")
|
|
# Files that are intentionally not supposed to be readable
|
|
# Contains passwords
|
|
addFilter("non-readable /etc/ovirt-engine/isouploader.conf")
|
|
# Ignore webservers which are just broken.
|
|
addFilter("invalid-url .*\.googlecode\.com/.*HTTP Error 404")
|
|
addFilter("invalid-url .*\.jboss\.org/.*HTTP Error 403")
|
|
addFilter("invalid-url .*\bitbucket\.org/.*HTTP Error 403")
|
|
|
|
bad_crypto_warning = \
|
|
'''This application package calls a function to explicitly set crypto ciphers
|
|
for SSL/TLS. That may cause the application not to use the system-wide set
|
|
cryptographic policy and should be modified in accordance to:
|
|
https://fedoraproject.org/wiki/Packaging:CryptoPolicies'''
|
|
|
|
call_blacklist = {'crypto-policy-non-compliance-openssl' :
|
|
{'f_name' : 'SSL_CTX_set_cipher_list',
|
|
'description' : bad_crypto_warning},
|
|
'crypto-policy-non-compliance-gnutls-1' :
|
|
{'f_name' : 'gnutls_priority_set_direct',
|
|
'description' : bad_crypto_warning},
|
|
'crypto-policy-non-compliance-gnutls-2' :
|
|
{'f_name' : 'gnutls_priority_init',
|
|
'good_param' : 'SYSLOG',
|
|
'description' : bad_crypto_warning}
|
|
}
|
|
setOption("WarnOnFunction", call_blacklist)
|
|
|
|
# https://bugzilla.redhat.com/496737, https://bugzilla.redhat.com/646455
|
|
for pkg, exe in (("coreutils", "/bin/su"),
|
|
("krb5-workstation", "/usr/kerberos/bin/ksu"),
|
|
("passwd", "/usr/bin/passwd"),
|
|
("sudo", "/usr/bin/sudo(edit)?"),
|
|
("upstart", "/sbin/initctl"),
|
|
("usermode", "/usr/sbin/userhelper")):
|
|
addFilter("%s.* (setuid-binary|non-standard-executable-perm) %s (root )?04"
|
|
% (pkg, exe))
|