recursive-include examples *
recursive-include po *
recursive-include src *.c *.h
+recursive-include tools *
# Macro to define and start the quality agent.
# Long term goal is to improve the commited code.
-MACRO_QUALITY_AGENT = quality-agent
+MACRO_QUALITY_AGENT = /usr/lib/pakfire/quality-agent
# Macro to strip debugging symbols.
MACRO_STRIP = /usr/lib/buildsystem-tools/stripper %{BUILDROOT}
from __version__ import PAKFIRE_VERSION
-PAKFIRE_LEAST_COMPATIBLE_VERSION = "0.9.5"
+PAKFIRE_LEAST_COMPATIBLE_VERSION = PAKFIRE_VERSION
SYSCONFDIR = "/etc"
BUILD_PACKAGES = [
"@Build",
"/bin/bash",
- "build-essentials>=2:1.0-1.ip3",
"gcc",
"glibc-devel",
- "shadow-utils>=4.1.4.3",
"pakfire-build>=%s" % PAKFIRE_LEAST_COMPATIBLE_VERSION,
]
SHELL_PACKAGES = ["elinks", "less", "vim",]
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2011-08-28 14:33+0200\n"
+"POT-Creation-Date: 2011-08-28 18:13+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
],
data_files = [
("lib/pakfire/macros", [os.path.join("macros", f) for f in os.listdir("macros") if f.endswith(".macro")]),
+ ("lib/pakfire", ["tools/quality-agent/quality-agent",]),
+ ("lib/quality-agent", [os.path.join("tools/quality-agent/quality-agent.d", f) \
+ for f in os.listdir("tools/quality-agent/quality-agent.d")]),
],
ext_modules = [
Extension("pakfire._pakfire", _pakfire_module_files,
--- /dev/null
+#!/bin/bash
+
+DIR_QA=/usr/lib/quality-agent
+
+failed=0
+for file in ${DIR_QA}/*; do
+ [ -x "${file}" ] || continue
+
+ ${file} || failed=1
+done
+
+exit ${failed}
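Review bot: The loop runs every executable entry of `${DIR_QA}`, and the check scripts source `$(dirname ${0})/qa-include`, which suggests the shared helper is installed in that same directory. If `qa-include` is installed with the executable bit, it would be run as if it were a check, so I would skip it explicitly with `[ "${file##*/}" = "qa-include" ] && continue`. The invocation should also be quoted, `"${file}" || failed=1`, and a `log`/`echo` naming the script that failed would make the aggregated exit status easier to trace.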
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Include files have to belong to the root user. \
+ This script will fix this automatically."
+
+check() {
+ if [ ! -d "${BUILDROOT}/usr/include" ]; then
+ return 0
+ fi
+
+ chown -R root:root ${BUILDROOT}/usr/include
+}
+
+run
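Review bot: `chown -R root:root ${BUILDROOT}/usr/include` expands `BUILDROOT` unquoted in a recursive ownership change, so a build root containing whitespace or glob characters would make the command act on paths other than the intended one. I would write `chown -R root:root -- "${BUILDROOT}/usr/include"`. The same applies to the other modifying calls in this commit: `rm -rf ${dir}` in the documentation and empty-directory scripts, `rm -f ${file}` in the `*.a`/`*.la` script, `gzip -d ${file}` in the man-page script, and `sed -i ${file}` in the interpreter script. The `. $(dirname ${0})/qa-include` line at the top of every check should likewise be `. "$(dirname "${0}")/qa-include"`.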
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Remove documentation files."
+
+function check() {
+ for dir in ${BUILDROOT}/usr/{,share}/{doc,gtk-doc,info}; do
+ if [ -d "${dir}" ]; then
+ log DEBUG " Removing: ${dir}"
+ rm -rf ${dir} || exit $?
+ fi
+ done
+}
+
+run
+
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Removing unwanted files: *.a *.la"
+
+function check() {
+ for file in $(find ${BUILDROOT} -name "*.a" -or -name "*.la"); do
+
+ # Don't remove libc_nonshared.a. It is used by gcc/ld.
+ [ "${file##*/}" = "libc_nonshared.a" ] && continue
+ [ "${file##*/}" = "libpthread_nonshared.a" ] && continue
+ [ "${file##*/}" = "libgcc.a" ] && continue
+ [ "${file##*/}" = "libgcc_eh.a" ] && continue
+ [ "${file##*/}" = "libfl_pic.a" ] && continue
+ [ "${file##*/}" = "libpython2.6.a" ] && continue
+
+ log DEBUG " Removing: ${file}"
+ rm -f ${file} || exit $?
+ done
+}
+
+run
+
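Review bot: `for file in $(find ${BUILDROOT} -name "*.a" -or -name "*.la")` word-splits and glob-expands the path list, so a packaged file whose name contains whitespace or `*` is handed to `rm -f ${file}` as fragments, and the intended file is never examined. The file names come from the package being built, so they should be treated as untrusted input. A NUL-delimited loop avoids this: `while IFS= read -r -d '' file; do … done < <(find "${BUILDROOT}" \( -name "*.a" -o -name "*.la" \) -print0)`, with `rm -f -- "${file}"` inside. The same `for … in $(find …)` pattern appears in the symlink, library-location, interpreter, `/bin`-linkage, man-page and Python byte-code scripts, where it lets such files slip past the check rather than be removed.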
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Searching for world-writeable files..."
+
+function check() {
+ local ret=0
+
+ local files=$(find ${BUILDROOT} -type f -perm -2 2>/dev/null)
+ if [ -n "${files}" ]; then
+ log ERROR " QA Security Notice:"
+ log ERROR " - The folloing files will be world writable."
+ log ERROR " - This may or may not be a security problem, most of the time it is one."
+ log ERROR " - Please double check that these files really need a world writeable bit and file bugs accordingly."
+ log ERROR
+ log ERROR "${files}"
+ ret=1
+ fi
+
+ files=$(find ${BUILDROOT} -type f '(' -perm -2002 -o -perm -4002 ')')
+ if [ -n "${files}" ]; then
+ log ERROR " QA Notice: Unsafe files detected (set*id and world writable)"
+ log ERROR
+ log ERROR "${files}"
+ ret=1
+ fi
+
+ return ${ret}
+}
+
+run
+
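Review bot: The first scan fails open. `local files=$(find ${BUILDROOT} -type f -perm -2 2>/dev/null)` discards find's stderr, and the `local` keyword masks its exit status, so a find that errors out partway is indistinguishable from "nothing world-writable" and the check passes. I would split this into `local files` and `files=$(find "${BUILDROOT}" -type f -perm -2) || return 1`, which also matches the second find, where stderr is already kept. Both scans use `-type f`, so world-writable directories are not reported; if that is intentional, a comment saying so would help. The message on the "will be world writable" line misspells "following" as "folloing".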
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+# Check for absolute symlinks.
+# We do not allow them because they may point to any bad location.
+
+log_debug "Search for absolute symlinks"
+
+function check() {
+ local failed=0
+ local item
+
+ for link in $(find ${BUILDROOT} -type l); do
+ if fgrep -q "/lib/udev/devices" <<<${link}; then
+ continue
+ fi
+
+ if listmatch "${link:${#BUILDROOT}}" ${QUALITY_AGENT_WHITELIST_SYMLINK}; then
+ log INFO "Symlink ${link} is on the whitelist."
+ continue
+ fi
+
+ destination=$(readlink ${link})
+ if [ "${destination:0:1}" = "/" ]; then
+ log ERROR " Absolute symlink: ${link}"
+ failed=1
+ fi
+ if [ ! -e "${link%/*}/${destination}" ]; then
+ log ERROR " Not existant destination: ${link} -> ${destination}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
+
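Review bot: The existence test `[ ! -e "${link%/*}/${destination}" ]` only makes sense for relative targets. For an absolute `destination` it checks `<link directory>//abs/path`, so every absolute link is normally reported a second time as "Not existant destination". A relative target with enough `../` components is resolved on the build host outside `${BUILDROOT}`. I would resolve absolute targets against the build root with `[ -e "${BUILDROOT}${destination}" ]` and run the relative test only in the `else` branch. `link` and `destination` are assigned without `local`, while the declared `item` is never used. The `fgrep -q "/lib/udev/devices" <<<${link}` skip matches that substring anywhere in the path, including inside the `BUILDROOT` prefix.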
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Checking correct installation of libraries"
+
+function check() {
+ local failed=0
+ for lib in $(find ${BUILDROOT}/lib -type f -name "lib*.so.*" 2>/dev/null); do
+ lib=${lib##*/}
+ lib=${lib%%.so*}
+
+ if [ ! -e "${BUILDROOT}/usr/lib/${lib}.so" ]; then
+ log ERROR " /usr/lib/${lib}.so is missing"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
+
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Every binary file has to provide a canary."
+
+function check() {
+ local failed=0
+
+ local file
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${BINARY_PATHS}); do
+ if filter_startfiles ${file}; then
+ continue
+ fi
+
+ if ! file_has_canary ${file}; then
+ log_warning " Has no canary: ${file}"
+ failed=1
+ fi
+ done
+
+ # This is currently disabled and will only return a warning !
+ failed=0
+
+ return ${failed}
+}
+
+run
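Review bot: The `failed=1` assignment inside the loop is dead code, because `failed=0` is set unconditionally just before `return ${failed}`, so this hardening check can never fail a build. `DESC` still says "Every binary file has to provide a canary.", which reads as a hard requirement. If the check is meant to be advisory for now, I would drop the `failed` variable, `return 0` directly, and reword the description, for example `DESC="Binaries should provide a stack canary (advisory only, does not fail the build)."`. The existing comment could also state what has to happen before enforcement is switched on.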
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Files with executable stacks will not work properly (or at all!) \
+ on some architectures/operating systems."
+
+check() {
+ local failed=0
+
+ local file
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${BINARY_PATHS}); do
+ if file_has_execstack ${file}; then
+ log_error " File has execstack: ${file}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Detect invalid interpreters."
+
+check() {
+ local failed=0
+
+ local file
+ local interpreter
+ for file in $(find ${BUILDROOT} -type f 2>/dev/null); do
+ # If a file is not executeable we don't need to check it
+ [ -x "${file}" ] || continue
+
+ if file_is_script ${file}; then
+ interpreter=$(file_get_interpreter ${file})
+
+ if grep -q /usr/local <<<${interpreter}; then
+ failed=1
+ log_error " Interpreter in /usr/local: ${file}"
+ fi
+
+ # Search for bad /usr/bin/env
+ if [ "$(basename ${interpreter})" = "env" ]; then
+ # Autofix that crap
+ sed -i ${file} \
+ -e "s,/usr/bin/env python.\..,/usr/bin/python," \
+ -e "s,/usr/bin/env python,/usr/bin/python," \
+ -e "s,/usr/bin/env perl,/usr/bin/perl,"
+
+ # If we could not fix it, raise an error
+ if [ "${interpreter}" = "$(file_get_interpreter ${file})" ]; then
+ failed=1
+ log_error " Script uses forbidden \"env\" interpreter: ${file}"
+ fi
+ fi
+ fi
+ done
+
+ return ${failed}
+}
+
+run
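Review bot: The `sed -i` autofix has no line address, so its three substitutions are applied to every line of the script, not only to the `#!` line. Any later line that mentions `/usr/bin/env python` or `/usr/bin/env perl`, such as a comment, a string, or a command the script runs, is silently rewritten in the packaged file. Restricting each expression to the first line keeps the fix scoped to the interpreter, e.g. `-e "1s,/usr/bin/env python,/usr/bin/python,"` and likewise for the other two. The file argument should also be quoted and placed after `--`.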
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Every shared object has to provide the NEEDED entry."
+
+check() {
+ local failed=0
+
+ local file
+ local needed
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${LIBARY_PATHS}); do
+ if ! file_is_shared_object ${file}; then
+ continue
+ fi
+
+ if ! file_has_interpreter ${file}; then
+ continue
+ fi
+
+ needed=$(file_get_needed ${file})
+ if [ -z "${needed}" ]; then
+ log_error " File lacks needed attribute: ${file}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
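Review bot: `${LIBARY_PATHS}` in the `find_elf_files` call is spelled without the second "R", and the variable is not defined in any file shown in this commit (it presumably comes from `/usr/lib/buildsystem-tools/common-functions`). If the variable there is named `LIBRARY_PATHS`, this expands to nothing, the loop has no files to examine, and the check passes vacuously. Please confirm the name against its definition. The SONAME script uses the same spelling in its own `find_elf_files` call.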
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Every shared object has to provide the SONAME entry."
+
+check() {
+ local failed=0
+
+ local file
+ local soname
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${LIBARY_PATHS}); do
+ if ! grep -q "\.so" <<<${file}; then
+ continue
+ fi
+
+ if ! file_is_shared_object ${file}; then
+ continue
+ fi
+
+ if ! file_has_interpreter ${file}; then
+ continue
+ fi
+
+ soname=$(file_get_soname ${file})
+ if [ -z "${soname}" ]; then
+ log_error " File lacks soname attribute: ${file}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+function check() {
+ local failed=0
+
+ FILTER="${QUALITY_AGENT_WHITELIST_NX}"
+
+ local file
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${BINARY_PATHS}); do
+ if filtered ${file}; then
+ continue
+ fi
+
+ if ! file_has_nx ${file}; then
+ log_error " No NX: ${file}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
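Review bot: This script sets no `DESC`, but `print_description` in `qa-include` builds its output from `${DESC}`, so a failing NX check is reported with the script name and an empty explanation. I would add a description before `check()`, for example `DESC="Binaries must not disable NX protection."`, with the wording confirmed against what `file_has_nx` actually tests. The absolute-symlink script has the same gap: it calls `log_debug "Search for absolute symlinks"` instead of assigning `DESC`.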
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Text relocations force the dynamic linker to perform extra \
+ work at startup, waste system resources, and may pose a security \
+ risk. On some architectures, the code may not even function \
+ properly, if at all."
+
+function check() {
+ local failed=0
+
+ local file
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${BINARY_PATHS}); do
+ if filter_startfiles ${file}; then
+ continue
+ fi
+
+ # Skip all files that are not a shared object.
+ file_is_shared_object ${file} || continue
+
+ if ! file_is_relro_full ${file}; then
+ if [ "${QUALITY_AGENT_PERMIT_NOT_FULL_RELRO}" = "yes" ]; then
+ log_warning " Is not full relro: ${file}"
+ else
+ log_error " Is not relro: ${file}"
+ failed=1
+ fi
+ fi
+ done
+
+ return ${failed}
+}
+
+run
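Review bot: `DESC` describes text relocations, but the code tests `file_is_relro_full`, which is a different property, so the explanation printed on failure does not match what was checked. I would replace the description with one about RELRO, for example `DESC="Shared objects should be linked with full RELRO so the GOT is read-only after relocation."`. The two messages are also inconsistent: the warning says "Is not full relro" and the error says "Is not relro" for the same condition. Both should read "Is not full relro". Files that fail `file_is_shared_object` are skipped, so whether executables are covered depends on that helper, and a comment stating the intended scope would help.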
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Check for binaries in /bin or /sbin that link to /usr/..."
+
+function check() {
+ local ret=0
+
+ for file in $(find ${BUILDROOT}/{bin,lib,sbin}/* 2>/dev/null); do
+ [ -f "${file}" ] || continue
+ log DEBUG " ${file}"
+
+ interpreter=$(file_get_interpreter ${file})
+ if [ ! -e "${interpreter}" ]; then
+ log WARN " SKIPPED because interpreter is not available"
+ continue
+ fi
+
+ libs=$(ldd ${file})
+ if grep -q /usr/lib <<<${libs}; then
+ log ERROR "${file} links to libs in /usr/lib..."
+ log ERROR " ${libs}"
+ ret=1
+ fi
+ done
+
+ return ${ret}
+}
+
+run
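Review bot: `libs=$(ldd ${file})` runs `ldd` on binaries taken from the package under test. The ldd(1) manual advises against using it on untrusted executables, because some versions obtain the dependency list by invoking the program's ELF interpreter. It also resolves libraries against the build host rather than `${BUILDROOT}`, so the `/usr/lib` match reflects the host layout. Reading the dynamic section statically, e.g. `objdump -p "${file}" | grep NEEDED`, avoids both problems, though the sonames then have to be looked up under `${BUILDROOT}/lib` and `${BUILDROOT}/usr/lib`. `file`, `interpreter` and `libs` are also not declared `local`.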
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Searching for RPATHs. We don't want paths that point to the tree where \
+ the package was built (older, broken libtools would do this). \
+ Also check for null paths because the loader will search \$PWD when it \
+ finds null paths."
+
+check() {
+ local failed=0
+
+ local file
+ local rpath
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${BINARY_PATHS}); do
+ if filtered ${file}; then
+ continue
+ fi
+
+ rpath=$(file_get_rpath ${file})
+ if [ -n "${rpath}" ]; then
+ if [ "${QUALITY_AGENT_RPATH_ALLOW_ORIGIN}" = "yes" ]; then
+ [ "${rpath}" = '$ORIGIN' ] && continue
+ fi
+ if listmatch ${rpath} ${QUALITY_AGENT_WHITELIST_RPATH}; then
+ continue
+ fi
+ log_error " File has unallowed rpath: ${file} - ${rpath}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
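Review bot: In `listmatch ${rpath} ${QUALITY_AGENT_WHITELIST_RPATH}` the rpath is unquoted, so a value containing whitespace is split. Assuming `listmatch` compares its first argument against the rest, as the quoted call in the symlink script suggests, the remaining words of the rpath join the whitelist and the first word can match one of them. Quoting it as `listmatch "${rpath}" ${QUALITY_AGENT_WHITELIST_RPATH}` closes that. `DESC` also promises detection of null paths, but the only test is `[ -n "${rpath}" ]`, so an RPATH entry that is present but empty is treated the same as no RPATH. Whether that case can be told apart depends on `file_get_rpath`, which is not shown here.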
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Decompressing man-pages..."
+
+function check() {
+ for file in $(find ${BUILDROOT}/usr/share/man -type f 2>/dev/null); do
+ log DEBUG " Processing: ${file}"
+ if [[ ${file} =~ \.gz$ ]]; then
+ gzip -d ${file}
+ fi
+ done
+}
+
+run
+
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Python byte-code files could be hardlinked if the optimized one is equal"
+DESC="${DESC} to the other one."
+
+function check() {
+ for py in $(find ${BUILDROOT} -type f -name "*.py"); do
+ if [ -e "${py}c" ] && [ -e "${py}o" ]; then
+ if cmp -s "${py}c" "${py}o"; then
+ log DEBUG " ${py}c -> ${py}o"
+ ln -f "${py}c" "${py}o"
+ fi
+ fi
+ done
+}
+
+run
+
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="Remove unwanted files."
+
+function check() {
+ for dir in $(sort_by_length {,/usr}/{{,s}bin,lib{,exec}} /usr/share/man{,/man{0,1,2,3,4,5,6,7,8,9}}); do
+ dir="${BUILDROOT}/${dir}"
+ if [ -d "${dir}" ] && [ "$(ls -1A ${dir} | wc -l)" = "0" ]; then
+ log DEBUG " Removing ${dir}"
+ rm -rf ${dir}
+ fi
+ done
+}
+
+run
+
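Review bot: The directory is tested for emptiness with `ls -1A ${dir} | wc -l` and then removed with `rm -rf ${dir}`, which deletes whatever is there when it runs. The check and the removal are separate steps, and both use the path unquoted. `rmdir -- "${dir}" 2>/dev/null` does both in one step and cannot delete content: it removes the directory only if it is empty and fails otherwise. `DESC="Remove unwanted files."` would be more accurate as `DESC="Remove empty standard directories."`, since no files are removed.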
--- /dev/null
+#!/bin/bash
+
+. $(dirname ${0})/qa-include
+
+DESC="The filelayout should comply to the FHS."
+
+DIRS="/etc/init.d /etc/rc.d /lib/pkgconfig /usr/etc /usr/libexec /usr/local /usr/man /usr/usr /usr/var"
+
+function check() {
+ # Do nothing, if directory check was disabled.
+ if [ "${QUALITY_AGENT_NO_DIRECTORY_CHECK}" = "yes" ]; then
+ return 0
+ fi
+
+ local failed=0
+
+ local dir
+ for dir in ${DIRS}; do
+ if [ -d "${BUILDROOT}${dir}" ]; then
+ log_error "Bad directory: ${dir}"
+ failed=1
+ fi
+ done
+
+ return ${failed}
+}
+
+run
--- /dev/null
+#!/bin/bash
+
+# Include additional functions
+. /usr/lib/buildsystem-tools/common-functions
+
+function debug() {
+ [ "${NAOKI_DEBUG}" = "1" ] || [ "${DEBUG}" = "1" ]
+}
+
+#function log() {
+# local facility=${1}
+# shift
+#
+# printf " %-7s %s\n" "${facility}" "$@"
+#}
+
+function log_debug() {
+ debug && log DEBUG "$@"
+}
+
+function log_error() {
+ log "ERROR" "$@"
+}
+
+function log_info() {
+ log "INFO" "$@"
+}
+
+function log_warning() {
+ log "WARNING" "$@"
+}
+
+if [ -z "${BUILDROOT}" ]; then
+ echo "${0##*/}: ERROR: BUILDROOT is not set." >&2
+ exit 1
+fi
+
+function filtered() {
+ [ -z "${FILTER}" ] && return 1
+ grep -qE ${FILTER} <<<$@
+}
+
+function print_description() {
+ # Remove all whitespaces
+ local desc=$(echo ${DESC})
+
+ log_info "Check: $(basename ${0})"
+ IFS='
+'
+ for line in $(fold -s -w 60 <<<${desc}); do
+ log_info " ${line}"
+ done
+ log_info # Empty line
+
+ unset IFS
+}
+
+function qa_find() {
+ local filetype=${1}
+ local command=${2}
+
+ log_debug "Running qa_find with command ${command} in ${filetype}"
+
+ local file
+ for file in $(find_elf_files --prefix=${BUILDROOT} ${!filetype}); do
+ ${command} ${file}
+ done
+}
+
+function check() {
+ log_error "REPLACE THIS FUNCTION BY A CUSTOM CHECK"
+ return 1
+}
+
+function run() {
+ local error_message
+ local ret
+
+ error_message=$(check)
+ ret=$?
+
+ [ -z "${error_message}" ] && \
+ [ "${ret}" = "0" ] && return 0
+
+ print_description
+
+ echo "${error_message}"
+ return ${ret}
+}
+
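Review bot: In `filtered()`, `grep -qE ${FILTER} <<<$@` expands the pattern unquoted. If a whitelist such as `QUALITY_AGENT_WHITELIST_NX` holds more than one whitespace-separated entry, grep takes the first word as the pattern and treats the rest as file names, ignoring the here-string. The NX and RPATH checks then filter on the wrong input. I would write `grep -qE -- "${FILTER}" <<<"$*"` and document that `FILTER` is a single extended regex. In `print_description`, `local desc=$(echo ${DESC})` also performs pathname expansion, so the `*.a *.la` in the static-library script's `DESC` can be replaced by matching file names from the current directory. `desc=$(tr -s '[:space:]' ' ' <<<"${DESC}")` collapses whitespace without globbing.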