X-Git-Url: http://vcs.maemo.org/git/?a=blobdiff_plain;f=checks%2Fscripts.desc;fp=checks%2Fscripts.desc;h=8be8cefb48367a55239398b86f8da80e108b1d96;hb=1960326d487467271f731ff6a62830404a4947af;hp=0000000000000000000000000000000000000000;hpb=ce31209d7230201c69f8f234032a774fbbbc43cd;p=maemian diff --git a/checks/scripts.desc b/checks/scripts.desc new file mode 100644 index 0000000..8be8cef --- /dev/null +++ b/checks/scripts.desc 
@@ -0,0 +1,583 @@ +Check-Script: scripts +Author: Richard Braakman +Abbrev: scr +Type: binary +Unpack-Level: 2 +Info: This script checks the #! lines of scripts in a package. +Needs-Info: file-info, scripts + +Tag: script-without-interpreter +Severity: important +Certainty: certain +Info: This file starts with the #! sequence that identifies scripts, but + it does not name an interpreter. + +Tag: executable-not-elf-or-script +Severity: normal +Certainty: certain +Info: This executable file is not an ELF format binary, and does not start + with the #! sequence that marks interpreted scripts. It might be a sh script + that fails to name /bin/sh as its shell. +Ref: policy 10.4 + +Tag: script-not-executable +Severity: normal +Certainty: certain +Info: This file starts with the #! sequence that marks interpreted scripts, + but it is not executable. + +Tag: interpreter-not-absolute +Severity: normal +Certainty: certain +Info: This script uses a relative path to locate its interpreter. + This path will be taken relative to the caller's current directory, not + the script's, so it is not likely to be what was intended. + +Tag: unusual-interpreter +Severity: normal +Certainty: possible +Info: This package contains a script for an interpreter that the Maemian + maintainers have not heard of. It could be a typo for a common + interpreter. If not, please file a wishlist bug on lintian so that the + Maemian maintainers can add this interpreter to their list. + +Tag: script-uses-bin-env +Severity: normal +Certainty: certain +Info: This script uses /bin/env as its interpreter (used to find the + actual interpreter on the user's path). There is no /bin/env on Debian + systems; env is instead installed as /usr/bin/env. Usually, the path to + env in the script should be changed. + +Tag: forbidden-config-interpreter +Severity: important +Certainty: certain +Info: This package contains a config script for pre-configuring + the package. 
During pre-configuration, however, only essential packages + are guaranteed to be installed, so you cannot use a non-essential + interpreter. + +Tag: forbidden-postrm-interpreter +Severity: serious +Certainty: certain +Info: This package contains a postrm maintainer script that uses + an interpreter that isn't essential. The purge action of + postrm can only rely on essential packages, which means the + interpreter used by postrm must be one of the essential ones + (sh, bash, or perl). +Ref: policy 7.2 + +Tag: unusual-control-interpreter +Severity: minor +Certainty: certain +Info: This package contains a control script for an interpreter that is + not normally used for control scripts. This is permissible but not + recommended. It makes it harder for other developers to understand your + package. + +Tag: unknown-control-interpreter +Severity: important +Certainty: possible +Info: This package contains a maintainer script that uses an interpreter + that the Maemian maintainers have not heard of. This is usually a typo + for a common interpreter. If not, please file a wishlist bug on lintian + so that the Maemian maintainers can add this interpreter to their list. + +Tag: interpreter-in-usr-local +Severity: important +Certainty: certain +Info: This package contains a script that looks for an interpreter in a + directory in /usr/local. Since Debian does not install anything in + /usr/local, this is the wrong place to look. + +Tag: control-interpreter-in-usr-local +Severity: serious +Certainty: certain +Info: A control script for this package references an interpreter in a + directory in /usr/local. Control scripts must use interpreters + provided by Debian packages, and Debian packages do not install anything + in /usr/local. 
+ +Tag: preinst-interpreter-without-predepends +Severity: serious +Certainty: certain +Info: The package contains a preinst maintainer script that uses + an unusual and non-essential interpreter but does not declare a + pre-dependency on the package that provides this interpreter. + . + preinst scripts should be written using only essential + interpreters to avoid additional dependency complexity. Please do not + add a pre-dependency without following the policy for doing so (Policy + section 3.5). +Ref: policy 7.2 + +Tag: control-interpreter-without-depends +Severity: serious +Certainty: possible +Info: The package contains a maintainer script that uses an unusual and + non-essential interpreter but does not declare a dependency on the + package that provides this interpreter. +Ref: policy 7.2 + +Tag: missing-dep-for-interpreter +Severity: important +Certainty: possible +Info: You used an interpreter for a script that is not in an essential + package. In most cases, you will need to add a Dependency on the + package that contains the interpreter. If the dependency is already + present, please file a bug against Maemian with the details of your + package so that its database can be updated. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: csh-considered-harmful +Severity: normal +Certainty: certain +Info: The Debian policy for scripts explicitly warns against using csh + and tcsh as scripting languages. +Ref: policy 10.4 + +Tag: suid-perl-script-but-no-perl-suid-dep +Severity: important +Certainty: certain +Info: Packages that use perl scripts that are suid must depend on the + perl-suid package. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: wrong-path-for-interpreter +Severity: important +Certainty: certain +Info: The interpreter you used is installed at another location on Debian + systems. 
+ +Tag: gawk-script-but-no-gawk-dep +Severity: important +Certainty: certain +Info: Packages that use gawk scripts must depend on the gawk package. + If they don't need gawk-specific features, and can just as easily work + with mawk, then they should be awk scripts instead. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: mawk-script-but-no-mawk-dep +Severity: important +Certainty: certain +Info: Packages that use mawk scripts must depend on the mawk package. + If they don't need mawk-specific features, and can just as easily work + with gawk, then they should be awk scripts instead. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: php-script-but-no-phpX-cli-dep +Severity: important +Certainty: certain +Info: Packages with PHP scripts must depend on a phpX-cli package such as + php5-cli. Note that a dependency on a php-cgi package (such as php5-cgi) + is needlessly strict and forces the user to install a package that isn't + needed. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + . + Maemian can only recognize phpX-cli dependencies for values of X that it + knows are available in the archive. You will get this warning if you + allow, as alternatives, versions of PHP that are so old they're not + available in stable. The correct fix in those cases is probably to drop + the old alternative. If this package depends on a newer php-cli package + that Maemian doesn't know about, please file a bug against Maemian so + that it can be updated. + +Tag: python-script-but-no-python-dep +Severity: important +Certainty: certain +Info: Packages with Python scripts must depend on the package python. + Those that have scripts executed with a versioned python package need a + dependency on the equivalent version of python. + . 
+ For example, if a script in the package uses #!/usr/bin/python, + the package needs a dependency on "python". If a script uses + #!/usr/bin/python2.5, the package need a dependency on + "python2.5". + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: ruby-script-but-no-ruby-dep +Severity: important +Certainty: certain +Info: Packages with Ruby scripts must depend on the package ruby. Those + that have Ruby scripts that run under a specific version of Ruby need a + dependency on the equivalent version of Ruby. + . + For example, if a script in the package uses #!/usr/bin/ruby, + the package needs a dependency on "ruby". If a script uses + #!/usr/bin/ruby1.9, then the package need a dependency on + "ruby1.9". + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: wish-script-but-no-wish-dep +Severity: important +Certainty: certain +Info: Packages that include wish scripts must depend on the virtual + package wish or, if they require a specific version of wish or tk, that + version of tk. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: tclsh-script-but-no-tclsh-dep +Severity: important +Certainty: certain +Info: Packages that include tclsh scripts must depend on the virtual + package tclsh or, if they require a specific version of tcl, that + version of tcl. + . + In some cases a weaker relationship, such as Suggests or Recommends, will + be more appropriate. + +Tag: calls-suidperl-directly +Severity: important +Certainty: certain +Info: Since perl version 5.8.3-3, /usr/bin/suidperl shouldn't be called + directly anymore (and doing so will lead to errors in most cases) but the + script should just use /usr/bin/perl as interpreter which will call + suidperl automatically if the script has the suid permission bit set. 
+ +Tag: shell-script-fails-syntax-check +Severity: important +Certainty: certain +Info: Running this shell script with the shell's -n option set fails, + which means that the script has syntax errors. + . + Run e.g. sh -n yourscript to see the errors yourself. + +Tag: maintainer-shell-script-fails-syntax-check +Severity: serious +Certainty: certain +Info: Running this shell script with the shell's -n option set fails, + which means that the script has syntax errors. This will likely make + the package uninstallable. + . + Run e.g. sh -n yourscript to see the errors yourself. + +Tag: possibly-insecure-handling-of-tmp-files-in-maintainer-script +Severity: normal +Certainty: possible +Info: The maintainer script seems to access a file in /tmp or + some other temporary directory. Since creating temporary files in a + world-writable directory is very dangerous, this is likely to be a + security bug. Use the tempfile or mktemp utilities to + create temporary files in these directories. +Ref: policy 10.4 + +Tag: killall-is-dangerous +Severity: normal +Certainty: possible +Info: The maintainer script seems to call killall. Since this + utility kills processes by name, it may well end up killing unrelated + processes. Most uses of killall should use invoke-rc.d + instead. + +Tag: mknod-in-maintainer-script +Severity: serious +Certainty: certain +Ref: policy 10.6 +Info: Maintainer scripts must not create device files directly. They + should call MAKEDEV instead. + +Tag: start-stop-daemon-in-maintainer-script +Severity: normal +Certainty: certain +Info: The maintainer script seems to call start-stop-daemon + directly. Long-running daemons should be started and stopped via init + scripts using invoke-rc.d rather than directly in maintainer + scripts. +Ref: policy 9.3.3.2 + +Tag: maintainer-script-removes-device-files +Severity: serious +Certainty: certain +Ref: policy 10.6 +Info: Maintainer scripts must not remove device files. This is left to + the system administrator. 
+ +Tag: read-in-maintainer-script +Severity: normal +Certainty: certain +Ref: policy 3.9.1 +Info: This maintainer script appears to use read to get information from + the user. Prompting in maintainer scripts should be done by + communicating through a program such as debconf which conforms to the + Debian Configuration management specification, version 2 or higher. + +Tag: possible-bashism-in-maintainer-script +Severity: normal +Certainty: possible +Ref: policy 10.4 +Info: This script is marked as running under /bin/sh, but it seems + to use a feature found in bash but not in the SUSv3 or POSIX shell + specification. + . + Examples: + '==' in a test, it should use '=' instead + 'read' without a variable in the argument + 'function' to define a function + 'source' instead of '.' + '. command args', passing arguments to commands via 'source' is not supported + '{foo,bar}' instead of 'foo bar' + '[[ test ]]' instead of '[ test ]' (requires a Korn shell) + 'type' instead of 'which' or 'command -v' + +Tag: suidregister-used-in-maintainer-script +Severity: important +Certainty: certain +Info: This script calls suidregister, a long-obsolete program that has + been replaced by dpkg-statoverride. + +Tag: maintainer-script-needs-depends-on-update-inetd +Severity: normal +Certainty: certain +Info: This script calls update-inetd, but the package does not depend or + pre-depend on inet-superserver, any of the providers of inet-superserver + which provide it, or update-inetd. + . + update-inetd has been moved from netbase into a separate package, so a + dependency on netbase should be updated to depend on "openbsd-inetd | + inet-superserver". + +Tag: maintainer-script-needs-depends-on-adduser +Severity: normal +Certainty: certain +Info: This script calls adduser, but the package does not depend or + pre-depend on the adduser package. 
+ +Tag: maintainer-script-needs-depends-on-gconf2 +Severity: normal +Certainty: certain +Info: This script calls gconf-schemas, which comes from the gconf2 package, + but does not depend or pre-depend on gconf2. If you are using dh_gconf, + add a dependency on ${misc:Depends} and dh_gconf will take care of this + for you. + +Tag: maintainer-script-needs-depends-on-ucf +Severity: normal +Certainty: certain +Info: This script calls ucf, but the package does not depend or pre-depend + on the ucf package. + +Tag: maintainer-script-needs-depends-on-xml-core +Severity: normal +Certainty: certain +Info: This script calls update-xmlcatalog, which comes from the xml-core + package, but does not depend or pre-depend on xml-core. Packages that call + update-xmlcatalog need to depend on xml-core. If you are using + dh_installxmlcatalogs, add a dependency on ${misc:Depends} and + dh_installxmlcatalogs will take care of this for you. + +Tag: update-alternatives-remove-called-in-postrm +Severity: normal +Certainty: certain +Info: update-alternatives --remove <alternative> foo is + called in the postrm. This can be dangerous because at the time the + postrm is executed foo has already been deleted and update-alternatives + will ignore it while constructing its list of available alternatives. + Then, if the /etc/alternatives symlink points at foo, update-alternatives + won't recognize it and will mark the symlink as something site-specific. + As such, the symlink will no longer be updated automatically and will be + left dangling until update-alternatives --auto + <alternative> is run by hand. + . + update-alternatives --remove should be called in the prerm + instead. +Ref: policy F, update-alternatives(8) + +Tag: deprecated-chown-usage +Severity: normal +Certainty: certain +Info: chown user.group is called in one of the maintainer + scripts. The correct syntax is chown user:group. Using "." 
as a + separator is still supported by the GNU tools, but it will fail as soon + as a system uses the "." in user or group names. +Ref: chown(1) + +Tag: maintainer-script-hides-init-failure +Severity: normal +Certainty: certain +Info: This script calls invoke-rc.d to run an init script but then, if the + init script fails, exits successfully (using || exit 0). If the init + script fails, the maintainer script should probably fail. + . + The most likely cause of this problem is that the package was built with + a debhelper version suffering from Bug#337664 that inserted incorrect + invoke-rc.d code in the generated maintainer script. The package needs to + be reuploaded (could be bin-NMUd, no source changes needed). + +Tag: maintainer-script-calls-init-script-directly +Severity: serious +Certainty: certain +Info: This script apparently runs an init script directly rather than + using invoke-rc.d. The use of invoke-rc.d to invoke the /etc/init.d/* + initscripts instead of calling them directly is required. Maintainer + scripts may call the init script directly only if invoke-rc.d is not + available. +Ref: policy 9.3.3.2 + +Tag: script-calls-init-script-directly +Severity: normal +Certainty: possible +Info: This script apparently runs an init script directly rather than + using invoke-rc.d. While use of invoke-rc.d is only + required for maintainer scripts, supporting the policy layer that it + implements is a good idea in any script. +Ref: policy 9.3.3.2 + +Tag: gconftool-used-in-maintainer-script +Severity: normal +Certainty: possible +Info: This script apparently runs gconftool or gconftool-2. It should + probably be calling gconf-schemas or update-gconf-defaults instead. + +Tag: maintainer-script-uses-dpkg-status-directly +Severity: important +Certainty: certain +Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or + change formats, and is not always a correct and complete record of + installed packages while dpkg is running. 
Maintainer scripts should use + dpkg-query instead. For the most common case of retrieving conffile + information, use: + . + dpkg-query -W -f='${Conffiles}' <package> + . + instead. +Ref: http://wiki.debian.org/DpkgConffileHandling + +Tag: maintainer-script-modifies-netbase-managed-file +Severity: serious +Certainty: certain +Info: The maintainer script modifies at least one of the files + /etc/services, /etc/protocols, and /etc/rpc, + which are managed by the netbase package. Instead of doing this, please + file a wishlist bug against netbase to have an appropriate entry added. +Ref: policy 11.2 + +Tag: maintainer-script-modifies-inetd-conf +Severity: serious +Certainty: certain +Info: The maintainer script modifies /etc/inetd.conf directly. + This file must not be modified directly; instead, use the + update-inetd script or the DebianNet.pm Perl module. +Ref: policy 11.2 + +Tag: install-sgmlcatalog-deprecated +Severity: important +Certainty: certain +Info: The maintainer script apparently runs install-sgmlcatalog with flags + other than --quiet and --remove or in a maintainer + script other than postinst or prerm. install-sgmlcatalog is deprecated + and should only be used in postinst or prerm to remove the entries from + earlier packages. Given how long ago this transition was, consider + removing it entirely. + +Tag: maintainer-script-empty +Severity: minor +Certainty: certain +Info: The maintainer script doesn't seem to contain any code other than + comments and boilerplate (set -e, exit statements, and the case statement + to parse options). While this is harmless in most cases, it is probably + not what you wanted, may mean the package will leave unnecessary files + behind until purged, and may even lead to problems in rare situations + where dpkg would fail if no maintainer script was present. + . + If the package currently doesn't need to do anything in this maintainer + script, it shouldn't be included in the package. 
+ +Tag: maintainer-script-ignores-errors +Severity: normal +Certainty: certain +Ref: policy 10.4 +Info: The maintainer script doesn't seem to set the -e flag which + ensures that the script's execution is aborted when any executed command + fails. + +Tag: maintainer-script-without-set-e +Severity: pedantic +Certainty: certain +Ref: policy 10.4 +Info: The maintainer script passes -e to the shell on the + #! line rather than using set -e in the body of the + script. This is fine for normal operation, but if the script is run by + hand with sh /path/to/script (common in debugging), -e + will not be in effect. It's therefore better to use set -e in + the body of the script. + +Tag: command-with-path-in-maintainer-script +Severity: normal +Certainty: certain +Info: The indicated program run in a maintainer script has a prepended + path. Programs called from maintainer scripts normally should not have a + path prepended. dpkg ensures that the PATH is set to a reasonable value, + and prepending a path may prevent the local administrator from using a + replacement version of a command for some local reason. +Ref: policy 6.1 + +Tag: ancient-dpkg-predepends-check +Severity: minor +Certainty: certain +Info: The package calls dpkg --assert-support-predepends in a maintainer + script. This check is obsolete and has always returned true since dpkg + 1.1.0, released 1996-02-11. + +Tag: ancient-dpkg-epoch-check +Severity: minor +Certainty: certain +Info: The package calls dpkg --assert-working-epoch in a maintainer + script. This check is obsolete and has always returned true since dpkg + 1.4.0.7, released 1997-01-25. + +Tag: ancient-dpkg-long-filenames-check +Severity: minor +Certainty: certain +Info: The package calls dpkg --assert-long-filenames in a maintainer + script. This check is obsolete and has always returned true since dpkg + 1.4.1.17, released 1999-10-21. 
+ +Tag: ancient-dpkg-multi-conrep-check +Severity: minor +Certainty: certain +Info: The package calls dpkg --assert-multi-conrep in a maintainer + script. This check is obsolete and has always returned true since dpkg + 1.4.1.19, released 1999-10-30. + +Tag: package-uses-local-diversion +Severity: serious +Certainty: certain +Info: The maintainer script calls dpkg-divert with --local or + without --package. This option is reserved for local + administrators and must never be used by a Debian package. + +Tag: diversion-for-unknown-file +Severity: important +Certainty: certain +Info: The maintainer script adds a diversion for a file that is not + provided by this package. + +Tag: orphaned-diversion +Severity: important +Certainty: certain +Info: A diversion was added for the file, but not removed. This means + your package doesn't restore the previous state after removal. + +Tag: remove-of-unknown-diversion +Severity: important +Certainty: certain +Info: The maintainer script removes a diversion that it didn't add. If + you're cleaning up unnecessary diversions from older versions of the + package, remove them in preinst or postinst instead of + waiting for postrm to do it.
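Review bot: the bug-reporting guidance in this new file is inconsistent: `unusual-interpreter` and `unknown-control-interpreter` tell the user to "file a wishlist bug on lintian so that the Maemian maintainers can add this interpreter to their list", while `missing-dep-for-interpreter` and `php-script-but-no-phpX-cli-dep` say to "file a bug against Maemian". Since this is the Maemian copy of the check, all four descriptions should point at the same tracker, and the mixed references to "lintian", "Maemian" and "Debian systems" throughout the Info texts deserve one pass for the same reason. Two small grammar fixes in the same hunk: `python-script-but-no-python-dep` and `ruby-script-but-no-ruby-dep` both read "the package need a dependency on", which should be "the package needs a dependency on".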