--- /dev/null
+Check-Script: scripts
+Author: Richard Braakman <dark@xs4all.nl>
+Abbrev: scr
+Type: binary
+Unpack-Level: 2
+Info: This script checks the #! lines of scripts in a package.
+Needs-Info: file-info, scripts
+
+Tag: script-without-interpreter
+Severity: important
+Certainty: certain
+Info: This file starts with the #! sequence that identifies scripts, but
+ it does not name an interpreter.
+
+Tag: executable-not-elf-or-script
+Severity: normal
+Certainty: certain
+Info: This executable file is not an ELF format binary, and does not start
+ with the #! sequence that marks interpreted scripts. It might be a sh script
+ that fails to name /bin/sh as its shell.
+Ref: policy 10.4
+
+Tag: script-not-executable
+Severity: normal
+Certainty: certain
+Info: This file starts with the #! sequence that marks interpreted scripts,
+ but it is not executable.
+
+Tag: interpreter-not-absolute
+Severity: normal
+Certainty: certain
+Info: This script uses a relative path to locate its interpreter.
+ This path will be taken relative to the caller's current directory, not
+ the script's, so it is not likely to be what was intended.
+
+Tag: unusual-interpreter
+Severity: normal
+Certainty: possible
+Info: This package contains a script for an interpreter that the Maemian
+ maintainers have not heard of. It could be a typo for a common
+ interpreter. If not, please file a wishlist bug on lintian so that the
+ Maemian maintainers can add this interpreter to their list.
+
+Tag: script-uses-bin-env
+Severity: normal
+Certainty: certain
+Info: This script uses /bin/env as its interpreter (used to find the
+ actual interpreter on the user's path). There is no /bin/env on Debian
+ systems; env is instead installed as /usr/bin/env. Usually, the path to
+ env in the script should be changed.
+
+Tag: forbidden-config-interpreter
+Severity: important
+Certainty: certain
+Info: This package contains a <tt>config</tt> script for pre-configuring
+ the package. During pre-configuration, however, only essential packages
+ are guaranteed to be installed, so you cannot use a non-essential
+ interpreter.
+
+Tag: forbidden-postrm-interpreter
+Severity: serious
+Certainty: certain
+Info: This package contains a <tt>postrm</tt> maintainer script that uses
+ an interpreter that isn't essential. The <tt>purge</tt> action of
+ <tt>postrm</tt> can only rely on essential packages, which means the
+ interpreter used by <tt>postrm</tt> must be one of the essential ones
+ (<tt>sh</tt>, <tt>bash</tt>, or <tt>perl</tt>).
+Ref: policy 7.2
+
+Tag: unusual-control-interpreter
+Severity: minor
+Certainty: certain
+Info: This package contains a control script for an interpreter that is
+ not normally used for control scripts. This is permissible but not
+ recommended. It makes it harder for other developers to understand your
+ package.
+
+Tag: unknown-control-interpreter
+Severity: important
+Certainty: possible
+Info: This package contains a maintainer script that uses an interpreter
+ that the Maemian maintainers have not heard of. This is usually a typo
+ for a common interpreter. If not, please file a wishlist bug on lintian
+ so that the Maemian maintainers can add this interpreter to their list.
+
+Tag: interpreter-in-usr-local
+Severity: important
+Certainty: certain
+Info: This package contains a script that looks for an interpreter in a
+ directory in /usr/local. Since Debian does not install anything in
+ /usr/local, this is the wrong place to look.
+
+Tag: control-interpreter-in-usr-local
+Severity: serious
+Certainty: certain
+Info: A control script for this package references an interpreter in a
+ directory in <tt>/usr/local</tt>. Control scripts must use interpreters
+ provided by Debian packages, and Debian packages do not install anything
+ in <tt>/usr/local</tt>.
+
+Tag: preinst-interpreter-without-predepends
+Severity: serious
+Certainty: certain
+Info: The package contains a <tt>preinst</tt> maintainer script that uses
+ an unusual and non-essential interpreter but does not declare a
+ pre-dependency on the package that provides this interpreter.
+ .
+ <tt>preinst</tt> scripts should be written using only essential
+ interpreters to avoid additional dependency complexity. Please do not
+ add a pre-dependency without following the policy for doing so (Policy
+ section 3.5).
+Ref: policy 7.2
+
+Tag: control-interpreter-without-depends
+Severity: serious
+Certainty: possible
+Info: The package contains a maintainer script that uses an unusual and
+ non-essential interpreter but does not declare a dependency on the
+ package that provides this interpreter.
+Ref: policy 7.2
+
+Tag: missing-dep-for-interpreter
+Severity: important
+Certainty: possible
+Info: You used an interpreter for a script that is not in an essential
+ package. In most cases, you will need to add a Dependency on the
+ package that contains the interpreter. If the dependency is already
+ present, please file a bug against Maemian with the details of your
+ package so that its database can be updated.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: csh-considered-harmful
+Severity: normal
+Certainty: certain
+Info: The Debian policy for scripts explicitly warns against using csh
+ and tcsh as scripting languages.
+Ref: policy 10.4
+
+Tag: suid-perl-script-but-no-perl-suid-dep
+Severity: important
+Certainty: certain
+Info: Packages that use perl scripts that are suid must depend on the
+ perl-suid package.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: wrong-path-for-interpreter
+Severity: important
+Certainty: certain
+Info: The interpreter you used is installed at another location on Debian
+ systems.
+
+Tag: gawk-script-but-no-gawk-dep
+Severity: important
+Certainty: certain
+Info: Packages that use gawk scripts must depend on the gawk package.
+ If they don't need gawk-specific features, and can just as easily work
+ with mawk, then they should be awk scripts instead.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: mawk-script-but-no-mawk-dep
+Severity: important
+Certainty: certain
+Info: Packages that use mawk scripts must depend on the mawk package.
+ If they don't need mawk-specific features, and can just as easily work
+ with gawk, then they should be awk scripts instead.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: php-script-but-no-phpX-cli-dep
+Severity: important
+Certainty: certain
+Info: Packages with PHP scripts must depend on a phpX-cli package such as
+ php5-cli. Note that a dependency on a php-cgi package (such as php5-cgi)
+ is needlessly strict and forces the user to install a package that isn't
+ needed.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+ .
+ Maemian can only recognize phpX-cli dependencies for values of X that it
+ knows are available in the archive. You will get this warning if you
+ allow, as alternatives, versions of PHP that are so old they're not
+ available in stable. The correct fix in those cases is probably to drop
+ the old alternative. If this package depends on a newer php-cli package
+ that Maemian doesn't know about, please file a bug against Maemian so
+ that it can be updated.
+
+Tag: python-script-but-no-python-dep
+Severity: important
+Certainty: certain
+Info: Packages with Python scripts must depend on the package python.
+ Those that have scripts executed with a versioned python package need a
+ dependency on the equivalent version of python.
+ .
+ For example, if a script in the package uses <tt>#!/usr/bin/python</tt>,
+ the package needs a dependency on "python". If a script uses
+ <tt>#!/usr/bin/python2.5</tt>, the package need a dependency on
+ "python2.5".
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: ruby-script-but-no-ruby-dep
+Severity: important
+Certainty: certain
+Info: Packages with Ruby scripts must depend on the package ruby. Those
+ that have Ruby scripts that run under a specific version of Ruby need a
+ dependency on the equivalent version of Ruby.
+ .
+ For example, if a script in the package uses <tt>#!/usr/bin/ruby</tt>,
+ the package needs a dependency on "ruby". If a script uses
+ <tt>#!/usr/bin/ruby1.9</tt>, then the package need a dependency on
+ "ruby1.9".
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: wish-script-but-no-wish-dep
+Severity: important
+Certainty: certain
+Info: Packages that include wish scripts must depend on the virtual
+ package wish or, if they require a specific version of wish or tk, that
+ version of tk.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: tclsh-script-but-no-tclsh-dep
+Severity: important
+Certainty: certain
+Info: Packages that include tclsh scripts must depend on the virtual
+ package tclsh or, if they require a specific version of tcl, that
+ version of tcl.
+ .
+ In some cases a weaker relationship, such as Suggests or Recommends, will
+ be more appropriate.
+
+Tag: calls-suidperl-directly
+Severity: important
+Certainty: certain
+Info: Since perl version 5.8.3-3, /usr/bin/suidperl shouldn't be called
+ directly anymore (and doing so will lead to errors in most cases) but the
+ script should just use /usr/bin/perl as interpreter which will call
+ suidperl automatically if the script has the suid permission bit set.
+
+Tag: shell-script-fails-syntax-check
+Severity: important
+Certainty: certain
+Info: Running this shell script with the shell's -n option set fails,
+ which means that the script has syntax errors.
+ .
+ Run e.g. <tt>sh -n yourscript</tt> to see the errors yourself.
+
+Tag: maintainer-shell-script-fails-syntax-check
+Severity: serious
+Certainty: certain
+Info: Running this shell script with the shell's -n option set fails,
+ which means that the script has syntax errors. This will likely make
+ the package uninstallable.
+ .
+ Run e.g. <tt>sh -n yourscript</tt> to see the errors yourself.
+
+Tag: possibly-insecure-handling-of-tmp-files-in-maintainer-script
+Severity: normal
+Certainty: possible
+Info: The maintainer script seems to access a file in <tt>/tmp</tt> or
+ some other temporary directory. Since creating temporary files in a
+ world-writable directory is very dangerous, this is likely to be a
+ security bug. Use the <tt>tempfile</tt> or <tt>mktemp</tt> utilities to
+ create temporary files in these directories.
+Ref: policy 10.4
+
+Tag: killall-is-dangerous
+Severity: normal
+Certainty: possible
+Info: The maintainer script seems to call <tt>killall</tt>. Since this
+ utility kills processes by name, it may well end up killing unrelated
+ processes. Most uses of <tt>killall</tt> should use <tt>invoke-rc.d</tt>
+ instead.
+
+Tag: mknod-in-maintainer-script
+Severity: serious
+Certainty: certain
+Ref: policy 10.6
+Info: Maintainer scripts must not create device files directly. They
+ should call MAKEDEV instead.
+
+Tag: start-stop-daemon-in-maintainer-script
+Severity: normal
+Certainty: certain
+Info: The maintainer script seems to call <tt>start-stop-daemon</tt>
+ directly. Long-running daemons should be started and stopped via init
+ scripts using <tt>invoke-rc.d</tt> rather than directly in maintainer
+ scripts.
+Ref: policy 9.3.3.2
+
+Tag: maintainer-script-removes-device-files
+Severity: serious
+Certainty: certain
+Ref: policy 10.6
+Info: Maintainer scripts must not remove device files. This is left to
+ the system administrator.
+
+Tag: read-in-maintainer-script
+Severity: normal
+Certainty: certain
+Ref: policy 3.9.1
+Info: This maintainer script appears to use read to get information from
+ the user. Prompting in maintainer scripts should be done by
+ communicating through a program such as debconf which conforms to the
+ Debian Configuration management specification, version 2 or higher.
+
+Tag: possible-bashism-in-maintainer-script
+Severity: normal
+Certainty: possible
+Ref: policy 10.4
+Info: This script is marked as running under <tt>/bin/sh</tt>, but it seems
+ to use a feature found in bash but not in the SUSv3 or POSIX shell
+ specification.
+ .
+ Examples:
+ '==' in a test, it should use '=' instead
+ 'read' without a variable in the argument
+ 'function' to define a function
+ 'source' instead of '.'
+ '. command args', passing arguments to commands via 'source' is not supported
+ '{foo,bar}' instead of 'foo bar'
+ '[[ test ]]' instead of '[ test ]' (requires a Korn shell)
+ 'type' instead of 'which' or 'command -v'
+
+Tag: suidregister-used-in-maintainer-script
+Severity: important
+Certainty: certain
+Info: This script calls suidregister, a long-obsolete program that has
+ been replaced by dpkg-statoverride.
+
+Tag: maintainer-script-needs-depends-on-update-inetd
+Severity: normal
+Certainty: certain
+Info: This script calls update-inetd, but the package does not depend or
+ pre-depend on inet-superserver, any of the providers of inet-superserver
+ which provide it, or update-inetd.
+ .
+ update-inetd has been moved from netbase into a separate package, so a
+ dependency on netbase should be updated to depend on "openbsd-inetd |
+ inet-superserver".
+
+Tag: maintainer-script-needs-depends-on-adduser
+Severity: normal
+Certainty: certain
+Info: This script calls adduser, but the package does not depend or
+ pre-depend on the adduser package.
+
+Tag: maintainer-script-needs-depends-on-gconf2
+Severity: normal
+Certainty: certain
+Info: This script calls gconf-schemas, which comes from the gconf2 package,
+ but does not depend or pre-depend on gconf2. If you are using dh_gconf,
+ add a dependency on ${misc:Depends} and dh_gconf will take care of this
+ for you.
+
+Tag: maintainer-script-needs-depends-on-ucf
+Severity: normal
+Certainty: certain
+Info: This script calls ucf, but the package does not depend or pre-depend
+ on the ucf package.
+
+Tag: maintainer-script-needs-depends-on-xml-core
+Severity: normal
+Certainty: certain
+Info: This script calls update-xmlcatalog, which comes from the xml-core
+ package, but does not depend or pre-depend on xml-core. Packages that call
+ update-xmlcatalog need to depend on xml-core. If you are using
+ dh_installxmlcatalogs, add a dependency on ${misc:Depends} and
+ dh_installxmlcatalogs will take care of this for you.
+
+Tag: update-alternatives-remove-called-in-postrm
+Severity: normal
+Certainty: certain
+Info: <tt>update-alternatives --remove <alternative> foo</tt> is
+ called in the postrm. This can be dangerous because at the time the
+ postrm is executed foo has already been deleted and update-alternatives
+ will ignore it while constructing its list of available alternatives.
+ Then, if the /etc/alternatives symlink points at foo, update-alternatives
+ won't recognize it and will mark the symlink as something site-specific.
+ As such, the symlink will no longer be updated automatically and will be
+ left dangling until <tt>update-alternatives --auto
+ <alternative></tt> is run by hand.
+ .
+ <tt>update-alternatives --remove</tt> should be called in the prerm
+ instead.
+Ref: policy F, update-alternatives(8)
+
+Tag: deprecated-chown-usage
+Severity: normal
+Certainty: certain
+Info: <tt>chown user.group</tt> is called in one of the maintainer
+ scripts. The correct syntax is <tt>chown user:group</tt>. Using "." as a
+ separator is still supported by the GNU tools, but it will fail as soon
+ as a system uses the "." in user or group names.
+Ref: chown(1)
+
+Tag: maintainer-script-hides-init-failure
+Severity: normal
+Certainty: certain
+Info: This script calls invoke-rc.d to run an init script but then, if the
+ init script fails, exits successfully (using || exit 0). If the init
+ script fails, the maintainer script should probably fail.
+ .
+ The most likely cause of this problem is that the package was built with
+ a debhelper version suffering from Bug#337664 that inserted incorrect
+ invoke-rc.d code in the generated maintainer script. The package needs to
+ be reuploaded (could be bin-NMUd, no source changes needed).
+
+Tag: maintainer-script-calls-init-script-directly
+Severity: serious
+Certainty: certain
+Info: This script apparently runs an init script directly rather than
+ using invoke-rc.d. The use of invoke-rc.d to invoke the /etc/init.d/*
+ initscripts instead of calling them directly is required. Maintainer
+ scripts may call the init script directly only if invoke-rc.d is not
+ available.
+Ref: policy 9.3.3.2
+
+Tag: script-calls-init-script-directly
+Severity: normal
+Certainty: possible
+Info: This script apparently runs an init script directly rather than
+ using <tt>invoke-rc.d</tt>. While use of <tt>invoke-rc.d</tt> is only
+ required for maintainer scripts, supporting the policy layer that it
+ implements is a good idea in any script.
+Ref: policy 9.3.3.2
+
+Tag: gconftool-used-in-maintainer-script
+Severity: normal
+Certainty: possible
+Info: This script apparently runs gconftool or gconftool-2. It should
+ probably be calling gconf-schemas or update-gconf-defaults instead.
+
+Tag: maintainer-script-uses-dpkg-status-directly
+Severity: important
+Certainty: certain
+Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or
+ change formats, and is not always a correct and complete record of
+ installed packages while dpkg is running. Maintainer scripts should use
+ dpkg-query instead. For the most common case of retrieving conffile
+ information, use:
+ .
+ dpkg-query -W -f='${Conffiles}' <package>
+ .
+ instead.
+Ref: http://wiki.debian.org/DpkgConffileHandling
+
+Tag: maintainer-script-modifies-netbase-managed-file
+Severity: serious
+Certainty: certain
+Info: The maintainer script modifies at least one of the files
+ <tt>/etc/services</tt>, <tt>/etc/protocols</tt>, and <tt>/etc/rpc</tt>,
+ which are managed by the netbase package. Instead of doing this, please
+ file a wishlist bug against netbase to have an appropriate entry added.
+Ref: policy 11.2
+
+Tag: maintainer-script-modifies-inetd-conf
+Severity: serious
+Certainty: certain
+Info: The maintainer script modifies <tt>/etc/inetd.conf</tt> directly.
+ This file must not be modified directly; instead, use the
+ <tt>update-inetd</tt> script or the <tt>DebianNet.pm</tt> Perl module.
+Ref: policy 11.2
+
+Tag: install-sgmlcatalog-deprecated
+Severity: important
+Certainty: certain
+Info: The maintainer script apparently runs install-sgmlcatalog with flags
+ other than <tt>--quiet</tt> and <tt>--remove</tt> or in a maintainer
+ script other than postinst or prerm. install-sgmlcatalog is deprecated
+ and should only be used in postinst or prerm to remove the entries from
+ earlier packages. Given how long ago this transition was, consider
+ removing it entirely.
+
+Tag: maintainer-script-empty
+Severity: minor
+Certainty: certain
+Info: The maintainer script doesn't seem to contain any code other than
+ comments and boilerplate (set -e, exit statements, and the case statement
+ to parse options). While this is harmless in most cases, it is probably
+ not what you wanted, may mean the package will leave unnecessary files
+ behind until purged, and may even lead to problems in rare situations
+ where dpkg would fail if no maintainer script was present.
+ .
+ If the package currently doesn't need to do anything in this maintainer
+ script, it shouldn't be included in the package.
+
+Tag: maintainer-script-ignores-errors
+Severity: normal
+Certainty: certain
+Ref: policy 10.4
+Info: The maintainer script doesn't seem to set the <tt>-e</tt> flag which
+ ensures that the script's execution is aborted when any executed command
+ fails.
+
+Tag: maintainer-script-without-set-e
+Severity: pedantic
+Certainty: certain
+Ref: policy 10.4
+Info: The maintainer script passes <tt>-e</tt> to the shell on the
+ <tt>#!</tt> line rather than using <tt>set -e</tt> in the body of the
+ script. This is fine for normal operation, but if the script is run by
+ hand with <tt>sh /path/to/script</tt> (common in debugging), <tt>-e</tt>
+ will not be in effect. It's therefore better to use <tt>set -e</tt> in
+ the body of the script.
+
+Tag: command-with-path-in-maintainer-script
+Severity: normal
+Certainty: certain
+Info: The indicated program run in a maintainer script has a prepended
+ path. Programs called from maintainer scripts normally should not have a
+ path prepended. dpkg ensures that the PATH is set to a reasonable value,
+ and prepending a path may prevent the local administrator from using a
+ replacement version of a command for some local reason.
+Ref: policy 6.1
+
+Tag: ancient-dpkg-predepends-check
+Severity: minor
+Certainty: certain
+Info: The package calls dpkg --assert-support-predepends in a maintainer
+ script. This check is obsolete and has always returned true since dpkg
+ 1.1.0, released 1996-02-11.
+
+Tag: ancient-dpkg-epoch-check
+Severity: minor
+Certainty: certain
+Info: The package calls dpkg --assert-working-epoch in a maintainer
+ script. This check is obsolete and has always returned true since dpkg
+ 1.4.0.7, released 1997-01-25.
+
+Tag: ancient-dpkg-long-filenames-check
+Severity: minor
+Certainty: certain
+Info: The package calls dpkg --assert-long-filenames in a maintainer
+ script. This check is obsolete and has always returned true since dpkg
+ 1.4.1.17, released 1999-10-21.
+
+Tag: ancient-dpkg-multi-conrep-check
+Severity: minor
+Certainty: certain
+Info: The package calls dpkg --assert-multi-conrep in a maintainer
+ script. This check is obsolete and has always returned true since dpkg
+ 1.4.1.19, released 1999-10-30.
+
+Tag: package-uses-local-diversion
+Severity: serious
+Certainty: certain
+Info: The maintainer script calls dpkg-divert with <tt>--local</tt> or
+ without <tt>--package</tt>. This option is reserved for local
+ administrators and must never be used by a Debian package.
+
+Tag: diversion-for-unknown-file
+Severity: important
+Certainty: certain
+Info: The maintainer script adds a diversion for a file that is not
+ provided by this package.
+
+Tag: orphaned-diversion
+Severity: important
+Certainty: certain
+Info: A diversion was added for the file, but not removed. This means
+ your package doesn't restore the previous state after removal.
+
+Tag: remove-of-unknown-diversion
+Severity: important
+Certainty: certain
+Info: The maintainer script removes a diversion that it didn't add. If
+ you're cleaning up unnecessary diversions from older versions of the
+ package, remove them in <tt>preinst</tt> or <tt>postinst</tt> instead of
+ waiting for <tt>postrm</tt> to do it.