Package: lintian Severity: wishlist
Hi, please consider adding the following checks to Lintian. The patches add several checks related to reverse dependencies of Apache HTTPD server packages. I have no strong opinions about the importance and certainty of most tags. Feel free to adapt them as you see fit. -- with kind regards, Arno Töll IRC: daemonkeeper on Freenode/OFTC GnuPG Key-ID: 0x9D80F36D
From 3b694d58943769159e41cc2b6db8c04b72e13a8d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Arno=20T=C3=B6ll?= <deb...@toell.net> Date: Mon, 2 Apr 2012 19:09:40 +0200 Subject: [PATCH 1/3] Add Apache2 checks --- checks/apache2 | 271 ++++++++++++++++++++ checks/apache2.desc | 136 ++++++++++ t/tests/apache2-modules-general/debian/baz.load | 1 + .../debian/debian/control.in | 44 ++++ .../debian/debian/libapache2-mod-foo.dirs | 2 + .../debian/debian/libapache2-mod-foo.install | 4 + .../debian/debian/libapache2-mod-foo2.dirs | 2 + .../debian/debian/libapache2-mod-foo2.install | 2 + .../debian/debian/libapache2-mod-foo2.postinst | 9 + .../debian/debian/libapache2-mod-foo2.postrm | 9 + .../debian/debian/libapache2-modbaz.dirs | 2 + .../debian/debian/libapache2-modbaz.install | 2 + t/tests/apache2-modules-general/debian/foo | 1 + t/tests/apache2-modules-general/debian/foo.conf | 5 + t/tests/apache2-modules-general/debian/foo.load | 5 + t/tests/apache2-modules-general/desc | 13 + t/tests/apache2-modules-general/tags | 10 + .../debian/debian/control.in | 47 ++++ .../debian/debian/phpmyfoo.dirs | 1 + .../debian/debian/phpmyfoo.install | 1 + .../debian/debian/phpmyfoo.postinst | 11 + .../debian/debian/phpmyfoo.postrm | 8 + .../debian/debian/phpmyfoo2.dirs | 1 + .../debian/debian/phpmyfoo2.install | 2 + .../debian/debian/phpmyfoo3.dirs | 1 + .../debian/debian/phpmyfoo3.install | 1 + .../debian/local-phpmyfoo2.conf | 1 + .../debian/phpmyfoo.conf | 8 + .../debian/phpmyfoo2 | 1 + t/tests/apache2-webapplications-general/desc | 14 + t/tests/apache2-webapplications-general/tags | 13 + 31 files changed, 628 insertions(+), 0 deletions(-) create mode 100644 checks/apache2 create mode 100644 checks/apache2.desc create mode 100644 t/tests/apache2-modules-general/debian/baz.load create mode 100644 t/tests/apache2-modules-general/debian/debian/control.in create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.dirs create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.install create mode 100644 
t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.dirs create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.install create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postinst create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postrm create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.dirs create mode 100644 t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.install create mode 100644 t/tests/apache2-modules-general/debian/foo create mode 100644 t/tests/apache2-modules-general/debian/foo.conf create mode 100644 t/tests/apache2-modules-general/debian/foo.load create mode 100644 t/tests/apache2-modules-general/debian/mod_baz.so create mode 100644 t/tests/apache2-modules-general/debian/mod_foo.so create mode 100644 t/tests/apache2-modules-general/debian/mod_foo2.so create mode 100644 t/tests/apache2-modules-general/desc create mode 100644 t/tests/apache2-modules-general/tags create mode 100644 t/tests/apache2-webapplications-general/debian/debian/control.in create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.dirs create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.install create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postinst create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postrm create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.dirs create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.dirs create mode 100644 t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.install create mode 100644 t/tests/apache2-webapplications-general/debian/local-phpmyfoo2.conf create mode 100644 
t/tests/apache2-webapplications-general/debian/phpmyfoo.conf create mode 100644 t/tests/apache2-webapplications-general/debian/phpmyfoo2 create mode 100644 t/tests/apache2-webapplications-general/desc create mode 100644 t/tests/apache2-webapplications-general/tags diff --git a/checks/apache2 b/checks/apache2 new file mode 100644 index 0000000..3cc94ed --- /dev/null +++ b/checks/apache2 
@@ -0,0 +1,271 @@
+# apache2 -- lintian check script -*- perl -*-
+#
+# Copyright © 2012 Arno Töll
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::apache2;
+
+use strict;
+use warnings;
+
+use File::Basename;
+use Lintian::Collect::Binary ();
+use Lintian::Tags qw(tag);
+use Lintian::Relation ();
+use Util;
+
+sub run {
+ my $pkg = shift;
+ my $type = shift;
+ my $info = shift;
+
+
+ # Do nothing if the package in question appears to be related to
+ # the web server itself
+ return if $pkg =~ m/^apache2(:?\.2)?(?:-\w+)?$/;
+
+ # whether the package appears to be an Apache2 module/web application
+ my $seen_apache2_special_file = 0;
+
+ if ($type eq 'binary') {
+ foreach my $file (@{ $info->sorted_index }) {
+ next if $file eq '';
+ my $file_info = $info->index->{$file};
+
+ # File is probably not relevant to us, ignore it
+ next if $file_info->{type} eq 'd';
+ next if $file !~ m#^(?:usr/lib/apache2/modules/|etc/apache2/)#;
+
+
+ # Package installs an unrecognized file - check this for all files
+ if ($file !~ m#\.conf$# and $file =~ m#^(etc/apache2/(conf|site|mods)-available/(.*))$#) {
+ my $temp_path = $1;
+ my $temp_type = $2;
+ my $temp_file = $3;
+ # ... except modules which are allowed to ship .load files
+ tag 'apache2-configuration-files-need-conf-suffix', $temp_path
+ unless $temp_type eq 'mods' and $temp_file =~ m#\.load#;
+ }
+
+ # Package appears to be a binary module
+ if ($file =~ m#^usr/lib/apache2/modules/(.*)\.so#) {
+ check_module_package ($pkg, $info, $1);
+ $seen_apache2_special_file++;
+ }
+
+ # Package appears to be a web application
+ elsif ($file =~ m#^(etc/apache2/(conf|site)-available/(.*))$#) {
+ check_web_application_package ($pkg, $type, $info, $1, $2, $3);
+ $seen_apache2_special_file++;
+ }
+
+ # Package appears to be a legacy web application
+ elsif ($file =~ m#^(etc/apache2/conf\.d/(.*))$#) {
+ tag "apache2-reverse-dependency-uses-obsolete-directory", $1;
+ check_web_application_package ($pkg, $type, $info, $1, 'conf', $2);
+ $seen_apache2_special_file++;
+ }
+
+ # Package does scary things
+ elsif ($file =~ m#^(etc/apache2/(?:conf|sites|mods)-enabled/.*)$#) {
+ tag "apache2-reverse-dependency-ships-file-in-not-allowed-directory", $1;
+ $seen_apache2_special_file++;
+ }
+
+ }
+
+ if ($seen_apache2_special_file) {
+ check_maintainer_scripts ($info);
+ }
+ }
+}
+
+sub check_web_application_package {
+ my ($pkg, $type, $info, $file, $pkgtype, $webapp) = @_;
+
+ tag "non-standard-apache2-configuration-name", $webapp, " != ", "$pkg.conf"
+ if $webapp ne "$pkg.conf" or $webapp =~ m/^local-./;
+
+ my $uncondep = 0;
+ my $datadep = 0;
+
+ for my $type (qw/pre-depends depends recommends/) {
+ my $raw_dependency = $info->field ($type);
+ next unless $raw_dependency;
+ for my $dependency (split /\s*,\s*/, $raw_dependency) {
+ my $relation = $info->relation ($type);
+ # A web application must not depend on apache2-whatever
+ if ($dependency =~ m/\b(apache2(?:\.2)?-(?:common|data|bin))\b/) {
+ tag 'web-application-depends-on-apache2-data-package', $1
+ unless $datadep++;
+ }
+
+ # ... nor on apache2 only. Moreover, it should be in the form
+ # apache2 | httpd but don't worry about versions, virtual package
+ # don't support that
+ if ($relation->implies ('apache2')) {
+ tag 'web-application-should-not-depend-unconditionally-on-apache2',
+ unless $uncondep++;
+ }
+ }
+ }
+
+ if (defined $info->index->{$file}) {
+ inspect_conf_file ($info, $pkgtype, $file);
+ }
+
+}
+
+sub check_module_package {
+ my ($pkg, $info, $module) = @_;
+
+ # We want packages to be follow our naming scheme. Modules should be named
+ # libapache2-mod-<foo> if it ships a mod_foo.so
+ my $expected_name = 'libapache2-' . $module;
+
+ # Package depends on apache2-api-YYYYMMDD
+ my $seen_api_dependency = 0;
+
+ $expected_name =~ tr/_/-/;
+ if ( $expected_name ne $pkg ) {
+ tag 'non-standard-apache2-module-package-name', $pkg, " != ", $expected_name;
+ }
+
+ for my $type (qw/pre-depends depends recommends/) {
+ my $raw_dependency = $info->field($type);
+ next unless $raw_dependency;
+ for my $dependency (split /\s*,\s*/, $raw_dependency) {
+ # no no no, do not depend on our real packages. A module must not
+ # depend on apache2-common or even worse apache2.
+ if ($dependency =~ m/\b(apache2(?:\.2)?-(?:common|data|bin))\b/) {
+ tag 'apache2-module-depends-on-real-apache2-package', $1;
+ }
+ # ... on the other hand, module packages must depend on
+ # apache2-api-YYYYMMDD
+ if (($type eq 'depends' or $type eq 'pre-depends') and $dependency =~ m/\bapache2-api-\d+\b/) {
+ $seen_api_dependency++;
+ }
+ }
+ }
+
+ if (not $seen_api_dependency) {
+ tag 'apache2-module-does-not-depend-on-apache2-api';
+ }
+
+ # The module is called mod_foo.so, thus the load file is expected to be
+ # named foo.load
+ my $load_file = $module;
+ my $conf_file = $module;
+ $load_file =~ s#^mod.(.*)$#etc/apache2/mods-available/$1.load#;
+ $conf_file =~ s#^mod.(.*)$#etc/apache2/mods-available/$1.conf#;
+
+ if (defined $info->index->{$load_file}) {
+ inspect_conf_file ($info, "mods", $load_file);
+ } else {
+ tag 'apache2-module-does-not-ship-load-file', $load_file;
+ }
+
+ if (defined $info->index->{$conf_file}) {
+ inspect_conf_file ($info, "mods", $conf_file);
+ }
+
+}
+
+
+sub check_maintainer_scripts {
+ my ($info) = @_;
+
+ open my $fd, '<', 'control-scripts' or fail "cannot open lintian control-scripts file: $!";
+
+ while (<$fd>)
+ {
+ m/^(\S*) (.*)$/ or fail("bad line in control-scripts file: $_");
+ my $interpreter = $1;
+ my $file = $2;
+ my $filename = $info->control ($file);
+
+ # Don't follow links
+ next if -l $filename;
+ # Don't try to parse the file if it does not appear to be a shell script
+ next if $interpreter !~ m/sh\b/;
+
+ open my $sfd, '<', $filename or fail "cannot open maintainer script $filename: $!";
+ while (<$sfd>) {
+ # skip comments
+ next if substr ($_, 0, $-[0]) =~ /#/;
+
+ # Do not allow reverse dependencies to call "a2enmod" and friends
+ # directly
+ if (m/\b(a2(?:en|dis)(?:conf|site|mod))\b/) {
+ tag 'apache2-reverse-dependency-calls-wrapper-script', $file, $1;
+ }
+
+ # Do not allow reverse dependencies to call "invoke-rc.d apache2
+ if (m/invoke-rc\.d\s+apache2/) {
+ tag 'apache2-reverse-dependency-calls-invoke-rc.d', $file;
+ }
+
+ # XXX: Check whether apache2-maintscript-helper is used
+ # unconditionally e.g. not protected by a [ -e ], [ -x ] or so.
+ # That's going to be complicated. Or not possible without grammar
+ # parser.
+ }
+ close $sfd;
+ }
+
+ close $fd;
+}
+
+
+sub inspect_conf_file {
+ my ($info, $conftype, $file) = @_;
+
+
+ my $filename = $info->unpacked ($file);
+ # Don't follow links
+ return if -l $filename;
+ open my $fd, '<', $filename or fail "cannot open configuration file $filename: $!";
+ while (<$fd>) {
+ # only check until the first non-empty non-comment line. That follows
+ # the a2enmod reference implementation
+ last unless m/^\s*(?:#.*)?$/;
+
+ if (m/^#\s*(Depends|Conflicts):\s+(.*?)\s*$/) {
+ tag 'apache2-unsupported-dependency', $file, $1
+ if $1 eq 'Conflicts' and $conftype ne 'mods';
+ my @dependencies = split( /[\n\s]+/, $2 );
+ foreach my $dep (@dependencies) {
+ tag 'apache2-unparseable-dependency', $file, $dep
+ if $dep =~ m/\W/ or
+ $dep =~ /^mod\_/ or
+ $dep =~ m/\.(?:conf|load)/;
+ }
+ }
+
+ }
+ close $fd;
+
+}
+
+1;
+
+# Local Variables:
+# indent-tabs-mode: nil
+# cperl-indent-level: 4
+# End:
+# vim: syntax=perl sw=4 sts=4 sr et
diff --git a/checks/apache2.desc b/checks/apache2.desc
new file mode 100644
index 0000000..60ea8dc
--- /dev/null
+++ b/checks/apache2.desc
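Review bot: Both `-available` patterns in `run` spell the directory `site` (`(conf|site|mods)-available` and `(conf|site)-available`), so a file shipped under `etc/apache2/sites-available/` gets neither the `.conf` suffix check nor `check_web_application_package`, and on its own does not trigger the maintainer-script scan; the `-enabled` branch further down already uses `sites`, so these should read `(conf|sites|mods)-available` and `(conf|sites)-available`. Neither test package installs anything into `sites-available`, which is presumably why the suite passes. In `check_maintainer_scripts`, `next if substr ($_, 0, $-[0]) =~ /#/;` reads `$-[0]` before any match has been made against the current line, so whether a comment line is skipped depends on the offset of an earlier, unrelated match (apparently the `sh\b` interpreter test) and a commented-out `a2enmod` call can still be tagged; `next if m/^\s*#/;` expresses the intent directly. The `-l $filename` guards look only at the final path component, so it is worth confirming that `$info->control` and `$info->unpacked` cannot return a path below a symlinked directory supplied by the package being checked, since the following `open` would follow it.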
@@ -0,0 +1,136 @@
+Check-Script: apache2
+Author: Arno Töll <deb...@toell.net>
+Abbrev: apache2
+Type: binary
+Info: Checks various build mistakes in Apache2 reverse dependencies
+Needs-Info: index, scripts, unpacked
+
+Tag: non-standard-apache2-module-package-name
+Severity: normal
+Certainty: certain
+Info: The package appears to be an Apache2 HTTPD server module but it isn't
+ following the module naming scheme. Apache2 HTTPD modules should be called
+ <tt>libapache2-mod-name</tt> with <tt>mod-name</tt> being the actual
+ <tt>mod_name.so</tt> equivalent.
+
+
+Tag: apache2-module-depends-on-real-apache2-package
+Severity: serious
+Certainty: certain
+Info: The package is an Apache2 HTTPD server module but it depends on a real
+ Apache2 package. Binary module packages must depend on the virtual
+ <tt>apache2-api-YYYYMMNN</tt> package only in order to ease transitions in
+ future.
+ .
+ In particular, module packages must not pull the full web server or any of its
+ associated data packages as a depdendency. That's left to the user.
+
+
+Tag: apache2-module-does-not-depend-on-apache2-api
+Severity: serious
+Certainty: certain
+Info: The package is an Apache2 HTTPD server module but does not declare a
+ strong binary relation against the Apache2 server binary it links against. Modules
+ must depend on the <tt>apache2-api-YYYYMMNN</tt> package provided as a virtual
+ package by <tt>apache2-bin</tt>.
+
+Tag: apache2-module-does-not-ship-load-file
+Severity: serious
+Certainty: certain
+Info: The package is an Apache2 HTTPD server module but does not ship a
+ "<tt>.load</tt>" file or it was installed under an unexpected name. The load
+ files in "<tt>/etc/apache2/mods-available</tt>" are required to interact with
+ the server package to enable and disable the module and must match the module
+ name without "<tt>mod_</tt> prefix, e.g. <tt>mod_foo</tt> must ship a load file
+ named "<tt>foo.load</tt>".
+
+Tag: apache2-reverse-dependency-ships-file-in-not-allowed-directory
+Severity: serious
+Certainty: certain
+Info: The package installs a piece of Apache2 configuration to
+ <tt>/etc/apache2/{sites,mods,conf}-enabled</tt>. This is not allowed. Instead
+ the respective <tt>/etc/apache2/{sites,mods,conf}-available</tt> counterparts
+ must be used.
+
+
+Tag: non-standard-apache2-configuration-name
+Severity: normal
+Certainty: certain
+Info: The package appears to be a web application which is installing a
+ configuration file for the Apache2 HTTPD server. To avoid name clashes, any file
+ installed to <tt>/etc/apache2/{sites,conf}-availabe</tt> should match the binary package
+ name and must not start with <tt>local-</tt>.
+
+
+Tag: apache2-reverse-dependency-calls-wrapper-script
+Severity: normal
+Certainty: certain
+Info: The package is calling an Apache2 configuration wrapper script (e.g.
+ <tt>a2enmod</tt>, <tt>a2enconf</tt>, <tt>a2enconf</tt>, ...). Maintainer
+ scripts should not be calling these scripts directly. To achieve a uniform and
+ consolidated behavior these scripts should be invoked indirectly by using
+ apache2-maintscript-helper.
+
+
+Tag: web-application-depends-on-apache2-data-package
+Severity: normal
+Certainty: certain
+Info: The package appears to be a web application but declares a package
+ relation with <tt>apache2-bin</tt>, <tt>apache2-data</tt> or any of its
+ transitional packages. However, web applications are rarely bound to a specific
+ web server version. Thus, they should depend on <tt>apache2</tt> only instead.
+ If a web application is actually tied to a particular binary version of the web
+ server a dependency against the virtual <tt>apache2-api-YYYYMMDD</tt> package
+ is more appropriate.
+
+Tag: web-application-should-not-depend-unconditionally-on-apache2
+Severity: normal
+Certainty: certain
+Info: The package appears to be a web application but declares a dependency
+ against <tt>apache2</tt> without any alternative. Most web applications should
+ work with any decent web server, thus such a package should be satisfied if any
+ web server providing the virtual "<tt>httpd</tt>" package is installed. This
+ can be accomplished by declaring a package relation in the form "<tt>apache2 |
+ httpd</tt>".
+
+Tag: apache2-reverse-dependency-calls-invoke-rc.d
+Severity: normal
+Certainty: certain
+Info: The package is invoking apache2's init script in its maintainer script
+ albeit it shouldn't do so. Reverse dependencies installing apache2
+ configuration pieces should not restart the web server uncondtionally in
+ maintainer scripts. Instead they should be using apache2-maintscript-helper
+ which correctly obeys local policies.
+
+Tag: apache2-reverse-dependency-uses-obsolete-directory
+Severity: normal
+Certainty: certain
+Info: The package is installing a file into the obsolete
+ <tt>/etc/apache2/conf.d/</tt> directory. This file is not read by the Apache2
+ 2.4 web server anymore. Instead <tt>/etc/apache2/conf-available/</tt> should be
+ used.
+
+Tag: apache2-configuration-files-need-conf-suffix
+Severity: important
+Certainty: certain
+Info: The package is installing an Apache2 configuration but that file does not
+ end with a '<tt>.conf</tt>' suffix. Starting with Apache2 2.4 all configuration
+ files except module '<tt>.load</tt>' files need that suffix or are ignored otherwise.
+
+
+Tag: apache2-unparseable-dependency
+Severity: normal
+Certainty: certain
+Info: The package is declaring a module dependency within an Apache
+ configuration file which does not meet the requirements. Dependencies must be
+ declared without paths, leading "<tt>mod_</tt>" prefix and without file
+ extension.
+
+Tag: apache2-unsupported-dependency
+Severity: normal
+Certainty: certain
+Info: The package is declaring a module dependency within an Apache
+ configuration file which is not supported there. Dependencies are supported in
+ module '<tt>.load</tt>' files, and web application '<tt>.conf</tt>' files,
+ conflicts in '<tt>.load</tt> files only.
+
diff --git a/t/tests/apache2-modules-general/debian/baz.load b/t/tests/apache2-modules-general/debian/baz.load
new file mode 100644
index 0000000..cb28fab
--- /dev/null
+++ b/t/tests/apache2-modules-general/debian/baz.load
@@ -0,0 +1 @@
+LoadModule baz_module /usr/lib/apache2/modules/mod_baz.so
diff --git a/t/tests/apache2-modules-general/debian/debian/control.in b/t/tests/apache2-modules-general/debian/debian/control.in
new file mode 100644
index 0000000..f3d2935
--- /dev/null
+++ b/t/tests/apache2-modules-general/debian/debian/control.in
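Review bot: `Needs-Info: index, scripts, unpacked` may be incomplete for what the check script does: `check_maintainer_scripts` opens maintainer scripts through `$info->control(...)`, which I would expect to need the `bin-pkg-control` collection, so please confirm and add it if required. In the tag texts, `apache2-api-YYYYMMNN` (used in two tags) disagrees with `apache2-api-YYYYMMDD` used further down, and `apache2-reverse-dependency-calls-wrapper-script` lists `a2enconf` twice where `a2ensite` was presumably intended. `{sites,conf}-availabe`, `depdendency` and `uncondtionally` are misspelled, and `"<tt>mod_</tt> prefix` and `'<tt>.load</tt> files only` each lack their closing quote.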
@@ -0,0 +1,44 @@ +Source: {$srcpkg} +Section: web +Priority: extra +Maintainer: Big Kahuna <kah...@example.com> +Uploaders: {$author} +Standards-Version: {$standards_version} +Build-Depends: debhelper (>= 9) + +Package: libapache2-mod-foo +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2-api-19700101 +Description: {$description} + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + +Package: libapache2-modbaz +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2.2-common, +Description: {$description} don't care + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + . + To avoid duplicate description warnings this line differs. Ignore me. + +Package: libapache2-mod-foo2 +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2-api-19700101, +Description: {$description} still don't care + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + . + To avoid duplicate description warnings this line differs. Still ignore me. diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.dirs b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.dirs new file mode 100644 index 0000000..871a471 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.dirs @@ -0,0 +1,2 @@ +etc/apache2/mods-available +usr/lib/apache2/modules 
diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.install b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.install new file mode 100644 index 0000000..ac8f7f1 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo.install @@ -0,0 +1,4 @@ +foo.load /etc/apache2/mods-available +foo /etc/apache2/mods-available +foo.conf /etc/apache2/mods-available +mod_foo.so /usr/lib/apache2/modules/ diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.dirs b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.dirs new file mode 100644 index 0000000..aec19ee --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.dirs @@ -0,0 +1,2 @@ +etc/apache2/mods-enabled +usr/lib/apache2/modules diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.install b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.install new file mode 100644 index 0000000..8aab3d1 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.install @@ -0,0 +1,2 @@ +foo.conf /etc/apache2/mods-enabled +mod_foo2.so /usr/lib/apache2/modules/ diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postinst b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postinst new file mode 100644 index 0000000..8f6847d --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postinst @@ -0,0 +1,9 @@ +#! /bin/sh + +set -e + +if [ "$1" = 'configure' ] ; then + a2enmod -q foo2 +fi + +#DEBHELPER# diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postrm b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postrm new file mode 100644 index 0000000..a4c83a6 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-mod-foo2.postrm 
@@ -0,0 +1,9 @@ +#! /bin/sh + +set -e + +if [ "$1" = 'remove' ] ; then + a2dismod -q foo2 +fi + +#DEBHELPER# diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.dirs b/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.dirs new file mode 100644 index 0000000..871a471 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.dirs @@ -0,0 +1,2 @@ +etc/apache2/mods-available +usr/lib/apache2/modules diff --git a/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.install b/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.install new file mode 100644 index 0000000..5f2e1f9 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/debian/libapache2-modbaz.install @@ -0,0 +1,2 @@ +baz.load /etc/apache2/mods-available +mod_baz.so /usr/lib/apache2/modules/ diff --git a/t/tests/apache2-modules-general/debian/foo b/t/tests/apache2-modules-general/debian/foo new file mode 100644 index 0000000..2cc691e --- /dev/null +++ b/t/tests/apache2-modules-general/debian/foo @@ -0,0 +1 @@ +<irrelevant> diff --git a/t/tests/apache2-modules-general/debian/foo.conf b/t/tests/apache2-modules-general/debian/foo.conf new file mode 100644 index 0000000..bcbc503 --- /dev/null +++ b/t/tests/apache2-modules-general/debian/foo.conf @@ -0,0 +1,5 @@ +# Depends: notsupportedhere + +<Conf> + WithDirectives +</Conf> diff --git a/t/tests/apache2-modules-general/debian/foo.load b/t/tests/apache2-modules-general/debian/foo.load new file mode 100644 index 0000000..7f1659f --- /dev/null +++ b/t/tests/apache2-modules-general/debian/foo.load @@ -0,0 +1,5 @@ +# Depends: baz +# Depends: baz baz2 mod_baz3 baz4.load +# Conflicts: baz baz2 + +LoadModule foo_module /usr/lib/apache2/modules/mod_foo.so diff --git a/t/tests/apache2-modules-general/debian/mod_baz.so b/t/tests/apache2-modules-general/debian/mod_baz.so new file mode 100644 index 0000000..e69de29 
diff --git a/t/tests/apache2-modules-general/debian/mod_foo.so b/t/tests/apache2-modules-general/debian/mod_foo.so new file mode 100644 index 0000000..e69de29 diff --git a/t/tests/apache2-modules-general/debian/mod_foo2.so b/t/tests/apache2-modules-general/debian/mod_foo2.so new file mode 100644 index 0000000..e69de29 diff --git a/t/tests/apache2-modules-general/desc b/t/tests/apache2-modules-general/desc new file mode 100644 index 0000000..420a0e3 --- /dev/null +++ b/t/tests/apache2-modules-general/desc @@ -0,0 +1,13 @@ +Testname: apache2-modules-general +Sequence: 6000 +Version: 1.0 +Description: Several tests related to Apache2 module packages +Test-For: + apache2-module-depends-on-real-apache2-package + apache2-module-does-not-depend-on-apache2-api + non-standard-apache2-module-package-name + apache2-module-does-not-ship-load-file + apache2-reverse-dependency-ships-file-in-not-allowed-directory + apache2-reverse-dependency-calls-wrapper-script + apache2-configuration-files-need-conf-suffix + apache2-unparseable-dependency diff --git a/t/tests/apache2-modules-general/tags b/t/tests/apache2-modules-general/tags new file mode 100644 index 0000000..4dd3da0 --- /dev/null +++ b/t/tests/apache2-modules-general/tags 
@@ -0,0 +1,10 @@ +E: libapache2-mod-foo2: apache2-module-does-not-ship-load-file etc/apache2/mods-available/foo2.load +E: libapache2-mod-foo2: apache2-reverse-dependency-ships-file-in-not-allowed-directory etc/apache2/mods-enabled/foo.conf +E: libapache2-mod-foo: apache2-configuration-files-need-conf-suffix etc/apache2/mods-available/foo +E: libapache2-modbaz: apache2-module-depends-on-real-apache2-package apache2.2-common +E: libapache2-modbaz: apache2-module-does-not-depend-on-apache2-api +W: libapache2-mod-foo2: apache2-reverse-dependency-calls-wrapper-script postinst a2enmod +W: libapache2-mod-foo2: apache2-reverse-dependency-calls-wrapper-script postrm a2dismod +W: libapache2-mod-foo: apache2-unparseable-dependency etc/apache2/mods-available/foo.load baz4.load +W: libapache2-mod-foo: apache2-unparseable-dependency etc/apache2/mods-available/foo.load mod_baz3 +W: libapache2-modbaz: non-standard-apache2-module-package-name libapache2-modbaz != libapache2-mod-baz diff --git a/t/tests/apache2-webapplications-general/debian/debian/control.in b/t/tests/apache2-webapplications-general/debian/debian/control.in new file mode 100644 index 0000000..0b5ffd8 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/control.in 
@@ -0,0 +1,47 @@ +Source: {$srcpkg} +Section: web +Priority: extra +Maintainer: Big Kahuna <kah...@example.com> +Uploaders: {$author} +Standards-Version: {$standards_version} +Build-Depends: debhelper (>= 9) + +Package: phpmyfoo +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2, + apache2-bin +Description: {$description} + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + +Package: phpmyfoo2 +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2 | httpd +Description: {$description} - ignore me + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + . + Ignore me. + +Package: phpmyfoo3 +Architecture: {$architecture} +Depends: $\{shlibs:Depends\}, + $\{misc:Depends\}, + apache2 | lighttpd | httpd +Description: {$description} - another ignore me + This is a test package designed to exercise some feature or tag of + Lintian. It is part of the Lintian test suite and may do very odd + things. It should not be installed like a regular package. It may + be an empty package. + . + Yet another ignore me. + + diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.dirs b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.dirs new file mode 100644 index 0000000..31e10a9 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.dirs @@ -0,0 +1 @@ +etc/apache2/conf-available diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.install b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.install new file mode 100644 index 0000000..2789400 --- /dev/null 
+++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.install @@ -0,0 +1 @@ +phpmyfoo.conf /etc/apache2/conf-available diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postinst b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postinst new file mode 100644 index 0000000..c4a1988 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postinst @@ -0,0 +1,11 @@ +#! /bin/sh + +set -e + +if [ "$1" = 'configure' ] ; then + a2enconf -q phpmyfoo +fi + +invoke-rc.d apache2 reload + +#DEBHELPER# diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postrm b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postrm new file mode 100644 index 0000000..2fffaab --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo.postrm @@ -0,0 +1,8 @@ +if [ "$1" = 'configure' ] ; then + a2disconf -q phpmyfoo +fi + +invoke-rc.d apache2 reload + +#DEBHELPER# + diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.dirs b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.dirs new file mode 100644 index 0000000..31e10a9 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.dirs @@ -0,0 +1 @@ +etc/apache2/conf-available diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install new file mode 100644 index 0000000..d47d625 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo2.install @@ -0,0 +1,2 @@ +phpmyfoo2 /etc/apache2/conf-available +local-phpmyfoo2.conf /etc/apache2/conf-available diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.dirs b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.dirs new file mode 100644 index 0000000..e9286b0 --- /dev/null 
+++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.dirs @@ -0,0 +1 @@ +etc/apache2/conf.d/ diff --git a/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.install b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.install new file mode 100644 index 0000000..30fb624 --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/debian/phpmyfoo3.install @@ -0,0 +1 @@ +phpmyfoo.conf /etc/apache2/conf.d/ diff --git a/t/tests/apache2-webapplications-general/debian/local-phpmyfoo2.conf b/t/tests/apache2-webapplications-general/debian/local-phpmyfoo2.conf new file mode 100644 index 0000000..2cc691e --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/local-phpmyfoo2.conf @@ -0,0 +1 @@ +<irrelevant> diff --git a/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf b/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf new file mode 100644 index 0000000..783c00a --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf @@ -0,0 +1,8 @@ +# Depends: bar bar2.conf +# Conflicts: notsupportedhere + +Alias /foo /usr/share/foo + +<Directory /usr/share/foo> + WebAppConf +</Directory> diff --git a/t/tests/apache2-webapplications-general/debian/phpmyfoo2 b/t/tests/apache2-webapplications-general/debian/phpmyfoo2 new file mode 100644 index 0000000..2cc691e --- /dev/null +++ b/t/tests/apache2-webapplications-general/debian/phpmyfoo2 @@ -0,0 +1 @@ +<irrelevant> diff --git a/t/tests/apache2-webapplications-general/desc b/t/tests/apache2-webapplications-general/desc new file mode 100644 index 0000000..cd17788 --- /dev/null +++ b/t/tests/apache2-webapplications-general/desc 
@@ -0,0 +1,14 @@
+Testname: apache2-webapplications-general
+Sequence: 6000
+Version: 1.0
+Description: Several tests related to Apache2 web application packages
+Test-For:
+ non-standard-apache2-configuration-name
+ apache2-reverse-dependency-calls-invoke-rc.d
+ apache2-reverse-dependency-calls-wrapper-script
+ web-application-depends-on-apache2-data-package
+ web-application-should-not-depend-unconditionally-on-apache2
+ apache2-reverse-dependency-uses-obsolete-directory
+ apache2-configuration-files-need-conf-suffix
+ apache2-unsupported-dependency
+ apache2-unparseable-dependency
diff --git a/t/tests/apache2-webapplications-general/tags b/t/tests/apache2-webapplications-general/tags
new file mode 100644
index 0000000..86f71fb
--- /dev/null
+++ b/t/tests/apache2-webapplications-general/tags
@@ -0,0 +1,13 @@
+E: phpmyfoo2: apache2-configuration-files-need-conf-suffix etc/apache2/conf-available/phpmyfoo2
+W: phpmyfoo2: non-standard-apache2-configuration-name local-phpmyfoo2.conf != phpmyfoo2.conf
+W: phpmyfoo2: non-standard-apache2-configuration-name phpmyfoo2 != phpmyfoo2.conf
+W: phpmyfoo3: apache2-reverse-dependency-uses-obsolete-directory etc/apache2/conf.d/phpmyfoo.conf
+W: phpmyfoo3: apache2-unparseable-dependency etc/apache2/conf.d/phpmyfoo.conf bar2.conf
+W: phpmyfoo3: apache2-unsupported-dependency etc/apache2/conf.d/phpmyfoo.conf Conflicts
+W: phpmyfoo3: non-standard-apache2-configuration-name phpmyfoo.conf != phpmyfoo3.conf
+W: phpmyfoo: apache2-reverse-dependency-calls-invoke-rc.d postinst
+W: phpmyfoo: apache2-reverse-dependency-calls-wrapper-script postinst a2enconf
+W: phpmyfoo: apache2-unparseable-dependency etc/apache2/conf-available/phpmyfoo.conf bar2.conf
+W: phpmyfoo: apache2-unsupported-dependency etc/apache2/conf-available/phpmyfoo.conf Conflicts
+W: phpmyfoo: web-application-depends-on-apache2-data-package apache2-bin
+W: phpmyfoo: web-application-should-not-depend-unconditionally-on-apache2
-- 1.7.9.1
From 7d925c497d9f58e43caca1e8907f9b5f1142995e Mon Sep 17 00:00:00 2001 From: Stefan Fritsch <s...@sfritsch.de> Date: Sun, 8 Apr 2012 19:55:54 +0200 Subject: [PATCH 2/3] Add description for deprecated configiguration options --- checks/apache2.desc | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/checks/apache2.desc b/checks/apache2.desc index 60ea8dc..2112d62 100644 --- a/checks/apache2.desc +++ b/checks/apache2.desc @@ -134,3 +134,13 @@ Info: The package is declaring a module dependency within an Apache module '<tt>.load</tt>' files, and web application '<tt>.conf</tt>' files, conflicts in '<tt>.load</tt> files only. +Tag: apache2-deprecated-auth-config +Severity: normal +Certainty: certain +Info: The package is using some of the deprecated auth configuration + directives Order, Satisfy, Allow, Deny, <Limit>, or <LimitExcept>. + These do not integrate well with the new authorization scheme of Apache + 2.4 and, in the case of <Limit> and <LimitExcept>, have confusing + semantics. The configuration directives should be replaced with a suitable + combination of <RequireAll>, <RequireAny>, Require all, Require local, + Require ip, and Require method. -- 1.7.9.1
From 7fe22a9fecb53e6867f3ee8208de9b13a1d63681 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arno=20T=C3=B6ll?= <deb...@toell.net> Date: Mon, 9 Apr 2012 22:54:23 +0200 Subject: [PATCH 3/3] * Implement apache2-deprecated-auth-config tag * add a test case for apache2-deprecated-auth-config * Use the new Lintian::Relation system to parse dependencies --- checks/apache2 | 39 +++++++------------- checks/apache2.desc | 9 +++-- .../debian/phpmyfoo.conf | 5 +++ t/tests/apache2-webapplications-general/desc | 1 + t/tests/apache2-webapplications-general/tags | 6 +++ 5 files changed, 31 insertions(+), 29 deletions(-) diff --git a/checks/apache2 b/checks/apache2 index 3cc94ed..a1a989a 100644 --- a/checks/apache2 +++ b/checks/apache2 @@ -26,8 +26,8 @@ use warnings; use File::Basename; use Lintian::Collect::Binary (); use Lintian::Tags qw(tag); -use Lintian::Relation (); -use Util; +use Lintian::Relation qw(:constants); +use Lintian::Util; sub run { my $pkg = shift; 
@@ -138,32 +138,18 @@ sub check_module_package { # libapache2-mod-<foo> if it ships a mod_foo.so my $expected_name = 'libapache2-' . $module; - # Package depends on apache2-api-YYYYMMDD - my $seen_api_dependency = 0; - $expected_name =~ tr/_/-/; if ( $expected_name ne $pkg ) { tag 'non-standard-apache2-module-package-name', $pkg, " != ", $expected_name; } - for my $type (qw/pre-depends depends recommends/) { - my $raw_dependency = $info->field($type); - next unless $raw_dependency; - for my $dependency (split /\s*,\s*/, $raw_dependency) { - # no no no, do not depend on our real packages. A module must not - # depend on apache2-common or even worse apache2. - if ($dependency =~ m/\b(apache2(?:\.2)?-(?:common|data|bin))\b/) { - tag 'apache2-module-depends-on-real-apache2-package', $1; - } - # ... on the other hand, module packages must depend on - # apache2-api-YYYYMMDD - if (($type eq 'depends' or $type eq 'pre-depends') and $dependency =~ m/\bapache2-api-\d+\b/) { - $seen_api_dependency++; - } - } + my $strong = $info->relation ('strong'); + my $wrec = Lintian::Relation->and ($strong, $info->relation ('recommends')); + my $package_name = $wrec->visit( sub { return $_ if m/^(apache2(?:\.2)?-(?:common|data|bin))$/; return undef; }, VISIT_STOP_FIRST_MATCH ); + if ($package_name) { + tag 'apache2-module-depends-on-real-apache2-package', $package_name; } - - if (not $seen_api_dependency) { + if (! $strong->matches (qr/^apache2-api-\d+$/, VISIT_OR_CLAUSE_FULL )) { tag 'apache2-module-does-not-depend-on-apache2-api'; } 
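Review bot: The visitor pattern `m/^(apache2(?:\.2)?-(?:common|data|bin))$/` is anchored at both ends where the removed loop used `\b…\b`, and no visit mode is passed beside `VISIT_STOP_FIRST_MATCH`, so whether a versioned dependency such as `apache2-bin (>= 2.4)` still triggers the tag depends on what `visit` places in `$_` by default. Stating the mode, for instance `VISIT_PRED_NAME | VISIT_STOP_FIRST_MATCH`, would settle it (assuming the flags combine with `|`, which the hunk does not show). Likewise `$strong->matches (qr/^apache2-api-\d+$/, VISIT_OR_CLAUSE_FULL)` presumably tests a whole or-clause, so an alternative like `apache2-api-N | other` would no longer satisfy the check; if that strictness is intended, a one-line comment above it should say so. In the callback, `return undef;` is better written `return;`, and the capture group is unused. check_module_package begins and ends outside this hunk.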
@@ -241,9 +227,12 @@ sub inspect_conf_file { return if -l $filename; open my $fd, '<', $filename or fail "cannot open configuration file $filename: $!"; while (<$fd>) { - # only check until the first non-empty non-comment line. That follows - # the a2enmod reference implementation - last unless m/^\s*(?:#.*)?$/; + + for my $directive ('Order', 'Satisfy', 'Allow', 'Deny', '<(|/)Limit.*?>', '<(|/)LimitExcept.*?>') { + if (m/($directive)/) { + tag 'apache2-deprecated-auth-config', $1; + } + } if (m/^#\s*(Depends|Conflicts):\s+(.*?)\s*$/) { tag 'apache2-unsupported-dependency', $file, $1 diff --git a/checks/apache2.desc b/checks/apache2.desc index 2112d62..d917576 100644 --- a/checks/apache2.desc +++ b/checks/apache2.desc @@ -137,10 +137,11 @@ Info: The package is declaring a module dependency within an Apache Tag: apache2-deprecated-auth-config Severity: normal Certainty: certain -Info: The package is using some of the deprecated auth configuration - directives Order, Satisfy, Allow, Deny, <Limit>, or <LimitExcept>. +Info: The package is using some of the deprecated authentication configuration + directives Order, Satisfy, Allow, Deny, <Limit> or <LimitExcept> + . These do not integrate well with the new authorization scheme of Apache - 2.4 and, in the case of <Limit> and <LimitExcept>, have confusing + 2.4 and, in the case of <Limit> and <LimitExcept> have confusing semantics. The configuration directives should be replaced with a suitable - combination of <RequireAll>, <RequireAny>, Require all, Require local, + combination of <RequireAll>, <RequireAny>, Require all, Require local, Require ip, and Require method. diff --git a/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf b/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf index 783c00a..32e42f2 100644 --- a/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf +++ b/t/tests/apache2-webapplications-general/debian/phpmyfoo.conf 
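Review bot: The new `m/($directive)/` test in inspect_conf_file is unanchored and case-sensitive, so it fires on `AllowOverride` and on these words inside comments, matches `<LimitExcept …>` twice (the `<(|/)Limit.*?>` entry already covers it), and misses a lower-case `order allow,deny` although Apache reads directive names case-insensitively. Since the tag is declared `Certainty: certain` and concerns access-control directives, one anchored match in place of the inner loop would be safer: `if (m{^\s*((?:Order|Satisfy|Allow|Deny)\b|</?Limit(?:Except)?\b[^>]*>)}i) { tag 'apache2-deprecated-auth-config', $1; }`. The hunk also removes `last unless m/^\s*(?:#.*)?$/;`, so `# Depends:` and `# Conflicts:` comments are now evaluated anywhere in the file instead of only in the leading comment block that the deleted comment tied to the a2enmod reference implementation; tracking "header finished" in a flag would keep both behaviours. Unlike the neighbouring `apache2-unsupported-dependency` tag, the new tag does not pass `$file`, so a report cannot be traced to a configuration file. inspect_conf_file begins and ends outside this hunk.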
@@ -5,4 +5,9 @@ Alias /foo /usr/share/foo <Directory /usr/share/foo> WebAppConf + <Limit POST PUT DELETE> + Order deny, allow + Require valid-user + </Limit> </Directory> + diff --git a/t/tests/apache2-webapplications-general/desc b/t/tests/apache2-webapplications-general/desc index cd17788..0ba9ba0 100644 --- a/t/tests/apache2-webapplications-general/desc +++ b/t/tests/apache2-webapplications-general/desc @@ -12,3 +12,4 @@ Test-For: apache2-configuration-files-need-conf-suffix apache2-unsupported-dependency apache2-unparseable-dependency + apache2-deprecated-auth-config diff --git a/t/tests/apache2-webapplications-general/tags b/t/tests/apache2-webapplications-general/tags index 86f71fb..3f52402 100644 --- a/t/tests/apache2-webapplications-general/tags +++ b/t/tests/apache2-webapplications-general/tags 
@@ -1,10 +1,16 @@
 E: phpmyfoo2: apache2-configuration-files-need-conf-suffix etc/apache2/conf-available/phpmyfoo2
 W: phpmyfoo2: non-standard-apache2-configuration-name local-phpmyfoo2.conf != phpmyfoo2.conf
 W: phpmyfoo2: non-standard-apache2-configuration-name phpmyfoo2 != phpmyfoo2.conf
+W: phpmyfoo3: apache2-deprecated-auth-config </Limit>
+W: phpmyfoo3: apache2-deprecated-auth-config <Limit POST PUT DELETE>
+W: phpmyfoo3: apache2-deprecated-auth-config Order
 W: phpmyfoo3: apache2-reverse-dependency-uses-obsolete-directory etc/apache2/conf.d/phpmyfoo.conf
 W: phpmyfoo3: apache2-unparseable-dependency etc/apache2/conf.d/phpmyfoo.conf bar2.conf
 W: phpmyfoo3: apache2-unsupported-dependency etc/apache2/conf.d/phpmyfoo.conf Conflicts
 W: phpmyfoo3: non-standard-apache2-configuration-name phpmyfoo.conf != phpmyfoo3.conf
+W: phpmyfoo: apache2-deprecated-auth-config </Limit>
+W: phpmyfoo: apache2-deprecated-auth-config <Limit POST PUT DELETE>
+W: phpmyfoo: apache2-deprecated-auth-config Order
 W: phpmyfoo: apache2-reverse-dependency-calls-invoke-rc.d postinst
 W: phpmyfoo: apache2-reverse-dependency-calls-wrapper-script postinst a2enconf
 W: phpmyfoo: apache2-unparseable-dependency etc/apache2/conf-available/phpmyfoo.conf bar2.conf
-- 1.7.9.1
signature.asc
Description: OpenPGP digital signature