Run lintian on Debian packages
lintian is the Debian package linter and catches a number of things we
can improve in our packages. For now I've suppressed everything and
annotated them with TODO/FIXME for others to take on or address
incrementally.

lintian is run at the end of `make build-debs` unless the "FAST"
environment variable is set. Any warning or error causes the build to
fail, but it can be suppressed in the corresponding lintian-overrides
file.

Internally there's a bit of work so we can identify the *.changes file
that we just built, so we first build into a temporary directory, copy
the files into our repository's build, then run lintian in the temporary
directory.

Refs #1785.
legoktm committed Feb 19, 2024
1 parent bb196d2 commit cec1e06
Showing 12 changed files with 159 additions and 8 deletions.
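The gate the commit message describes (any warning or error fails the build unless a line in the package's lintian-overrides file matches it) and the bullseye-versus-bookworm override mismatch that the comment in scripts/build-debs.sh alludes to, worked through as an added Python example. This is not code from the securedrop-client repository: the override syntax (package and type prefix, `*` and `?` as the only wildcards, optional brackets around the context) and the output line format are modelled on lintian's as I know them and are assumptions here, and the override subset and lintian output it runs on are constructed, including the invented `.gitattributes` hit and python3.11 path.

```python
"""Apply a lintian-overrides file to lintian output the way a --fail-on warning/error
gate would. Added example; not code from the securedrop-client repository."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed syntax (modelled on lintian, not taken from the page): an override line is
# '[package[ arch][ type]:] tag [context]' with '*'/'?' as the only wildcards and the
# brackets optional; an output line is 'S: package[ source|udeb]: tag [context]'.
OVERRIDE_RE = re.compile(r"^(?:(\S+)(?:\s+\S+)*:\s+)?(\S+)(?:\s+(.+))?$")
FINDING_RE = re.compile(r"^([EWIPX]): (\S+)(?: (?:source|udeb))?: (\S+)(?: \[(.*)\])?$")

@dataclass(frozen=True)
class Override:
    package: str | None  # None: not restricted to one package
    tag: str
    context: str | None  # None: matches any context

@dataclass(frozen=True)
class Finding:
    severity: str  # E, W, I, P or X as printed by lintian
    package: str
    tag: str
    context: str

def parse_overrides(text: str) -> list[Override]:
    """Parse a lintian-overrides file; '#' lines are the rationale comments."""
    overrides = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        package, tag, context = OVERRIDE_RE.match(line).groups()
        if context is not None:
            context = context.strip()
            if context.startswith("[") and context.endswith("]"):
                context = context[1:-1]
        overrides.append(Override(package, tag, context or None))
    return overrides

def parse_lintian_output(text: str) -> list[Finding]:
    """Keep E/W/I/P/X lines; N: notes from --info and O: (overridden) lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = FINDING_RE.match(line)
        if match is not None:
            severity, package, tag, context = match.groups()
            findings.append(Finding(severity, package, tag, context or ""))
    return findings

def context_matches(pattern: str | None, context: str) -> bool:
    """Glob match with '*' and '?' only (fnmatch would also treat [...] as a class)."""
    if pattern is None:
        return True
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, context) is not None

def gate(overrides_text: str, lintian_output: str, fail_on=("W", "E")) -> dict:
    """Apply overrides and report survivors, mismatched/unused overrides and the verdict.
    'mismatched' = the tag fired but the context pattern did not match (a moved path)."""
    overrides = parse_overrides(overrides_text)
    findings = parse_lintian_output(lintian_output)
    used: set[Override] = set()
    remaining: list[Finding] = []
    for finding in findings:
        hit = next((o for o in overrides
                    if o.package in (None, finding.package) and o.tag == finding.tag
                    and context_matches(o.context, finding.context)), None)
        if hit is None:
            remaining.append(finding)
        else:
            used.add(hit)
    fired = {(f.package, f.tag) for f in findings}
    mismatched = [o for o in overrides if o not in used and o.context is not None
                  and any(o.package in (None, p) and o.tag == t for p, t in fired)]
    unused = [o for o in overrides if o not in used and o not in mismatched]
    return {"remaining": remaining, "mismatched": mismatched, "unused": unused,
            "fail": any(f.severity in fail_on for f in remaining)}

# Constructed inputs: a subset of debian/securedrop-client.lintian-overrides and
# invented lintian output (the .gitattributes hit and python3.11 path are made up).
SAMPLE_OVERRIDES = """\
# This is intentional
securedrop-client: dir-or-file-in-opt
securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.*/site-packages/markupsafe/*]
securedrop-client: section-is-dh_make-template
# FIXME
securedrop-client: package-contains-vcs-control-file [opt/venvs/securedrop-client/.gitignore]
"""
SAMPLE_LINTIAN_OUTPUT = """\
W: securedrop-client: dir-or-file-in-opt [opt/venvs/securedrop-client/]
W: securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.11/site-packages/markupsafe/_speedups.cpython-311-x86_64-linux-gnu.so]
E: securedrop-client: package-contains-vcs-control-file [opt/venvs/securedrop-client/.gitattributes]
I: securedrop-client: extended-description-is-empty
N:   Explanatory text printed by --info is ignored.
"""

if __name__ == "__main__":
    verdict = gate(SAMPLE_OVERRIDES, SAMPLE_LINTIAN_OUTPUT)
    print("FAIL" if verdict["fail"] else "OK", [f.tag for f in verdict["remaining"]])
```

Run as a script it reports the `E:` that survives because the override's context no longer matches, the informational tag that survives but does not trip the gate, the override that is mismatched and the one that is unused; widening that context to `.git*`, as the `python3.*` overrides already do for interpreter paths, makes the gate pass. That is the drift the build-debs.sh comment is about: the override still names the right tag, but lintian on a newer suite prints a different context, and with `--fail-on warning` the tag then counts again.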
11 changes: 6 additions & 5 deletions .github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
PKG_DIR=../proxy make -C securedrop-builder requirements
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git diff --ignore-matching-lines=# --exit-code
build-debs:
strategy:
Expand All @@ -56,16 +56,17 @@ jobs:
lfs: true
- name: Build packages
run: |
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder ./scripts/build-debs.sh
DEBIAN_VERSION=${{ matrix.debian_version }} BUILDER=securedrop-builder FAST=1 ./scripts/build-debs.sh
- uses: actions/upload-artifact@v4
id: upload
with:
name: build-${{ matrix.debian_version }}
path: build
if-no-files-found: error

# Second round of builds (in parallel) for diffoscoping
build-debs2:
# Another set of builds for lintian checks and also so we can diffoscope
# for reproducibility issues with the first set
lintian:
strategy:
matrix:
debian_version:
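Review bot: `FAST=1` on the build-debs step says nothing about what it skips; the only effect visible here is that lintian now runs solely in the job renamed from build-debs2 to `lintian`. A name like `SKIP_LINTIAN=1`, and a one-line comment on the build-debs step saying that the lintian job covers the check, would keep the next reader from either re-adding lintian here or assuming FAST also skips the diffoscope build. The new job comment ("Another set of builds for lintian checks and also so we can diffoscope") is the natural place to state that it is the only job in which lintian runs.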
@@ -101,7 +102,7 @@ jobs:
container: debian:bookworm
needs:
- build-debs
- build-debs2
- lintian
steps:
- name: Install dependencies
run: |
22 changes: 22 additions & 0 deletions debian/securedrop-client.lintian-overrides
@@ -0,0 +1,22 @@
securedrop-client: arch-independent-package-contains-binary-or-object
# This is intentional
securedrop-client: dir-or-file-in-opt
# FIXME
securedrop-client: extended-description-is-empty
# FIXME: fix by switching to arch: any
securedrop-client: missing-dependency-on-libc
# FIXME: remove __pycache__ directories
securedrop-client: package-installs-python-pycache-dir
# FIXME: section shouldn't be "unknown"
securedrop-client: section-is-dh_make-template
# FIXME: fix by switching to arch: any
securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.*/site-packages/markupsafe/*]
securedrop-client: unstripped-binary-or-object [opt/venvs/securedrop-client/lib/python3.*/site-packages/sqlalchemy/*]
# We don't care
securedrop-client: no-manual-page
# FIXME
securedrop-client: package-contains-vcs-control-file [opt/venvs/securedrop-client/.gitignore]
# We don't care about these
securedrop-client: script-not-executable
# This is our virtualenv's interpreter
securedrop-client: unusual-interpreter
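Review bot: the first line, `securedrop-client: arch-independent-package-contains-binary-or-object`, is the only override in this file with no rationale comment; the same tag in securedrop-proxy carries `# FIXME: fix by switching to arch: any`, and the `missing-dependency-on-libc` and `unstripped-binary-or-object` entries below say the same, so copy that comment here. It is also worth noting in that FIXME that the arch: any switch is what lets dh_strip and dh_shlibdeps run against the .so files in the venv (dh skips them for Architecture: all packages), so it clears the libc and unstripped tags together rather than one at a time.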
16 changes: 16 additions & 0 deletions debian/securedrop-export.lintian-overrides
@@ -0,0 +1,16 @@
# Yes, we ship stuff in /opt
securedrop-export: dir-or-file-in-opt [opt/venvs/*]
# FIXME: don't install __pycache__
securedrop-export: package-installs-python-pycache-dir
# FIXME: section shouldn't be "unknown"
securedrop-export: section-is-dh_make-template
# TODO: "does not provide a code like %f, %F, %u or %U in the Exec key."
securedrop-export: desktop-mime-but-no-exec-code [usr/share/applications/send-to-usb.desktop]
# We don't care about man pages
securedrop-export: no-manual-page
# FIXME: don't ship gitignore
securedrop-export: package-contains-vcs-control-file [opt/venvs/securedrop-export/.gitignore]
# Doesn't matter
securedrop-export: script-not-executable
# This is our virtualenv's interpreter
securedrop-export: unusual-interpreter
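Review bot: the TODO on `desktop-mime-but-no-exec-code` is not cosmetic: send-to-usb.desktop declares a MimeType= but its Exec= has no %f/%F/%u/%U field code, so a file manager offering "send to USB" for a matching file has no way to pass that file and the program starts with nothing to export. Fix it by adding the field code the program actually expects (`%f` for a single file, `%F` for several) rather than overriding; if the entry is only meant to appear in the application menu, drop the MimeType= line instead.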
14 changes: 14 additions & 0 deletions debian/securedrop-keyring.lintian-overrides
@@ -0,0 +1,14 @@
# FIXME
securedrop-keyring: extended-description-is-empty
# This is intentional
securedrop-keyring: file-in-etc-not-marked-as-conffile [etc/apt/trusted.gpg.d/securedrop-keyring.gpg]
# This is intentional
securedrop-keyring: package-installs-apt-keyring [etc/apt/trusted.gpg.d/securedrop-keyring.gpg]
# FIXME: section shouldn't be "unknown"
securedrop-keyring: section-is-dh_make-template
# This is intentional
securedrop-keyring: control-file-is-empty [conffiles]
# FIXME: abbreviate
securedrop-keyring: synopsis-too-long
# TODO: this probably isn't an issue, double check our kernels have fs.protected_hardlinks=1.
securedrop-keyring: recursive-privilege-change
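Review bot: `recursive-privilege-change` deserves a fix rather than a TODO: lintian raises it when a maintainer script runs `chown -R` or `chmod -R` over a tree, because a user who can hard-link into that tree gets the new owner or mode applied to a file of their choosing; fs.protected_hardlinks=1 blocks that particular trick, but the package should not rely on a sysctl of the target system when the same result is had by setting owner and mode on the explicit paths (or at build time through dh_fixperms). The `package-installs-apt-keyring` override also needs its "intentional" spelled out: a key dropped into /etc/apt/trusted.gpg.d is trusted for every apt source on the machine, whereas /usr/share/keyrings plus `Signed-By:` in the sources entry, which is what lintian is steering towards, limits it to the SecureDrop repository. If there is a reason the workstation cannot use Signed-By, that reason belongs in the comment.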
23 changes: 23 additions & 0 deletions debian/securedrop-log.lintian-overrides
@@ -0,0 +1,23 @@
# This is intentional
securedrop-log: dir-or-file-in-opt
# FIXME: remove __pycache__ directories
securedrop-log: package-installs-python-pycache-dir
# FIXME: missing a python3 dependency
securedrop-log: python3-script-but-no-python3-dep
# FIXME: section shouldn't be "unknown"
securedrop-log: section-is-dh_make-template
# TODO: we should ship this in /lib instead
securedrop-log: systemd-service-in-odd-location [etc/systemd/system/securedrop-log.service]
# This is fine
securedrop-log: executable-not-elf-or-script [etc/qubes-rpc/*]
# FIXME: abbreviate
securedrop-log: extended-description-line-too-long
# We don't care
securedrop-log: no-manual-page
# FIXME
securedrop-log: package-contains-vcs-control-file [opt/venvs/securedrop-log/.gitignore]
# We don't care about these
securedrop-log: script-not-executable
# This is our virtualenv's interpreter
securedrop-log: unusual-interpreter
securedrop-log: wrong-path-for-interpreter
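Review bot: the TODO on `systemd-service-in-odd-location` is right and worth doing soon: /etc/systemd/system is the administrator's directory, whose units and drop-ins take precedence over packaged ones, so a package writing securedrop-log.service there occupies the override slot and exposes its unit to the conffile handling on upgrade; packaged units belong in /lib/systemd/system (the /usr/lib path on merged-/usr bookworm), and naming the file debian/securedrop-log.service lets dh_installsystemd install and enable it there. Separately, the last override, `wrong-path-for-interpreter`, sits under the "virtualenv's interpreter" comment without being mentioned; it fires for a shebang whose path is not the canonical one, so either extend that comment to say the venv path is intended or give the line its own.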
24 changes: 24 additions & 0 deletions debian/securedrop-proxy.lintian-overrides
@@ -0,0 +1,24 @@
# FIXME: fix by switching to arch: any
securedrop-proxy: arch-independent-package-contains-binary-or-object
# This is intentional
securedrop-proxy: dir-or-file-in-opt
# FIXME: fix by switching to arch: any
securedrop-proxy: missing-dependency-on-libc
# FIXME: remove __pycache__ directories
securedrop-proxy: package-installs-python-pycache-dir
# FIXME: section shouldn't be "unknown"
securedrop-proxy: section-is-dh_make-template
# FIXME: fix by switching to arch: any
securedrop-proxy: unstripped-binary-or-object [opt/venvs/securedrop-proxy/lib/python3.*/site-packages/yaml/*]
# This is fine
securedrop-proxy: executable-not-elf-or-script [etc/qubes-rpc/*]
# FIXME: abbreviate
securedrop-proxy: extended-description-line-too-long
# We don't care
securedrop-proxy: no-manual-page
# FIXME
securedrop-proxy: package-contains-vcs-control-file [opt/venvs/securedrop-proxy/.gitignore]
# We don't care about these
securedrop-proxy: script-not-executable
# This is our virtualenv's interpreter
securedrop-proxy: unusual-interpreter
8 changes: 8 additions & 0 deletions debian/securedrop-workstation-config.lintian-overrides
@@ -0,0 +1,8 @@
# This is intentional
securedrop-workstation-config: dir-or-file-in-opt
# FIXME: section shouldn't be "unknown"
securedrop-workstation-config: section-is-dh_make-template
# FIXME: abbreviate
securedrop-workstation-config: extended-description-line-too-long
# We're just restarting paxctld, it's fine
securedrop-workstation-config: maintainer-script-calls-systemctl [postinst:28]
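Review bot: "We're just restarting paxctld" is exactly the case `maintainer-script-calls-systemctl` exists for: a direct `systemctl restart` in postinst ignores policy-rc.d, so it runs where services must not be touched (chroots, image builds, containers) and errors out when systemd is not PID 1. `deb-systemd-invoke restart paxctld.service` performs the same restart, honours policy-rc.d, is a no-op without systemd, and is not flagged by lintian, so the override at postinst:28 can go instead of being kept.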
8 changes: 8 additions & 0 deletions debian/securedrop-workstation-viewer.lintian-overrides
@@ -0,0 +1,8 @@
# FIXME
securedrop-workstation-viewer: extended-description-is-empty
# FIXME: section shouldn't be "unknown"
securedrop-workstation-viewer: section-is-dh_make-template
# FIXME: Needs "metapackage" in the description
securedrop-workstation-viewer: empty-binary-package
# FIXME: abbreviate
securedrop-workstation-viewer: synopsis-too-long
5 changes: 5 additions & 0 deletions debian/source/lintian-overrides
@@ -0,0 +1,5 @@
securedrop-client source: python3-depends-but-no-python3-helper
securedrop-client source: ancient-python-version-field
securedrop-client source: custom-compression-in-debian-source-options
securedrop-client source: debhelper-but-no-misc-depends
securedrop-client source: missing-license-paragraph-in-dep5-copyright
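Review bot: these five are the only overrides in the commit with no rationale comment, and two of them paper over real defects rather than lintian pedantry: `missing-license-paragraph-in-dep5-copyright` means debian/copyright names a License: short name that has no stand-alone License paragraph, so the file does not carry the licence text it claims to, and `debhelper-but-no-misc-depends` means `${misc:Depends}` is missing from Depends in debian/control, so any dependency a debhelper tool adds through that variable is silently dropped. Both deserve the same FIXME treatment as the binary-package files, and the second is a one-line change in debian/control.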
5 changes: 2 additions & 3 deletions scripts/build-debs-real.sh
@@ -22,7 +22,6 @@ apt-get build-dep . --yes
dpkg-buildpackage --no-sign
ls ../
# Copy the built artifacts back and print checksums
mkdir -p /src/build/
mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /src/build/
cd /src/build/
mv -v ../*.{buildinfo,changes,deb,dsc,tar.gz} /build/
cd /build/
sha256sum ./*
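Review bot: `/build/` on the mv and cd lines is now an unchecked contract with the `-v "${BUILD_DEST}:/build:Z"` mount in scripts/build-debs.sh; run without that mount, the `mv` fails with a bare "No such file or directory" and nothing says why. A guard such as `[ -d /build ] || { echo '/build is not mounted' >&2; exit 1; }` before the mv makes the dependency explicit. The `ls ../` debugging line above could go at the same time.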
28 changes: 28 additions & 0 deletions scripts/build-debs.sh
@@ -43,8 +43,36 @@ export CONTAINER="fpf.local/sd-client-builder-${DEBIAN_VERSION}"

. ./scripts/image_prep.sh

# We're going to store artifacts in a temp directory
BUILD_DEST=$(mktemp -d)

$OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
-v "${BUILDER}:/builder:Z" \
-v "${BUILD_DEST}:/build:Z" \
--env NIGHTLY="${NIGHTLY:-}" \
--entrypoint "/src/scripts/build-debs-real.sh" \
$CONTAINER

ls "$BUILD_DEST"
# Copy the build artifacts to our project's /build
mkdir -p build
cp ${BUILD_DEST}/* build/

FAST="${FAST:-}"
if [[ -z $FAST ]]; then
CONTAINER2="fpf.local/sd-client-lintian"
$OCI_BIN build scripts/lintian -t $CONTAINER2
# Display verbose info, and fail on warnings and errors.
# We suppress mismatched-override because of sublte differences in
# bullseye versus bookworm
$OCI_BIN run --rm $OCI_RUN_ARGUMENTS -v "${BUILD_DEST}:/build:Z" $CONTAINER2 \
bash -c \
"lintian --version && lintian \
--info --tag-display-limit 0 \
--fail-on warning --fail-on error \
/build/*.changes \
&& echo OK"
fi

# Clean up temp stuff now that lintian is done (or skipped)
rm -rf "${BUILD_DEST}"
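Review bot: the comment "We suppress mismatched-override because of sublte [sic] differences in bullseye versus bookworm" does not match the command under it, which passes no `--suppress-tags mismatched-override`; either add the flag or rewrite the comment, because the differences are real (the lintian image is always debian:bookworm, so bullseye packages are checked with bookworm's lintian and its tag contexts) and a reader will otherwise assume mismatches are tolerated. Two smaller points: cleanup is only reached if the lintian run returns to the script, so under `set -e` a lintian failure leaves the mktemp directory behind, and without `set -e` the failure is not propagated and the build passes; `trap 'rm -rf "$BUILD_DEST"' EXIT` right after the mktemp plus an explicit check of the run's exit status covers both cases. And `cp ${BUILD_DEST}/* build/` should quote the variable.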
3 changes: 3 additions & 0 deletions scripts/lintian/Dockerfile
@@ -0,0 +1,3 @@
FROM debian:bookworm

RUN apt-get update && apt-get --yes upgrade && apt-get install --yes lintian

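Review bot: `FROM debian:bookworm` plus `apt-get --yes upgrade` and an image tag without a version means the lintian in use changes whenever bookworm's package does, so a new lintian release can turn CI red with no change in this repository; that is acceptable for a linter as long as it is understood, and the `lintian --version` printed by build-debs.sh is what makes such a failure diagnosable. The usual hygiene still applies: `--no-install-recommends` and `rm -rf /var/lib/apt/lists/*` after the install keep the image small, which matters since build-debs.sh rebuilds it on every run.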
0 comments on commit cec1e06