diff --git a/fedora.toml b/fedora.toml
new file mode 100644
index 0000000000000000000000000000000000000000..6245e37234c941370f89e17757b69c7c36cdca44
--- /dev/null
+++ b/fedora.toml
@@ -0,0 +1,362 @@
+# Fedora's configuration for the rpmlint utility.
+
+# When checking that various files that should be compressed are
+# indeed compressed, look for this filename extension
+CompressExtension = "gz"
+
+# simple error is enough; warnings are fine
+BadnessThreshold = -1
+
+# Whether to allow packaging kernel modules in non-kernel packages.
+KernelModuleRPMsOK = false
+
+# Maximum allowed line length for Summary and Description tags
+MaxLineLength = 80
+
+# Assumed default version of Python if one cannot be determined from files
+# FIXME this should be sys.version[:3] but I have no idea how to implement it
+# here without changing it every other release
+PythonDefaultVersion = ""
+
+# Regexp string with expected suffix in Release tags.
+ReleaseExtension = '\.(fc|rhe?l|el)\d+(?=\.|$)'
+
+# Whether to want default start/stop runlevels specified in init scripts
+UseDefaultRunlevels = false
+
+ValidSrcPerms = [
+ "0o644",
+ "0o664",
+]
+
+# List of directories considered to be system default library search paths.
+SystemLibPaths = [
+ "/lib",
+ "/usr/lib",
+ "/lib64",
+ "/usr/lib64",
+]
+
+# Enabled checks for the rpmlint to be run (besides the default set)
+Checks = [
+ "BashismsCheck",
+ "PAMModulesCheck",
+ "TmpFilesCheck",
+ "SysVInitOnSystemdCheck",
+ "SharedLibraryPolicyCheck",
+]
+
+# Interpreters whose scriptlets are allowed to be empty
+ValidEmptyShells = [
+ "/usr/sbin/ldconfig",
+]
+
+# Package scriptlet interpreters
+ValidShells = [
+ "",
+ "/usr/bin/sh",
+ "/usr/bin/bash",
+ "/usr/sbin/ldconfig",
+ "/usr/bin/perl",
+ "/usr/bin/python",
+ "/usr/bin/python3",
+]
+
+Filters = [
+# FIXME - the commented lines are from openSUSE config
+# Are they relevant for Fedora too?
+# PR which enables them or remove them is welcome
+## Stuff autobuild takes care about
+# '.*invalid-version.*',
+# '.*invalid-packager.*',
+ '.*not-standard-release-extension.*',
+# '.*invalid-buildhost.*',
+ '.*executable-in-library-package.*',
+ '.*non-versioned-file-in-library-package.*',
+ '.*shlib-policy-name-error.*',
+# '.*hardcoded-path-in-buildroot-tag.*',
+ '.*no-buildroot-tag.*',
+# '.*cross-directory-hard-link.*',
+
+# Do not validate package rpm groups
+ '.*devel-package-with-non-devel-group.*',
+ '.*no-group-tag.*',
+ '.*non-standard-group.*',
+
+# Output filters
+# '.*spurious-bracket-in-.*',
+# '.*one-line-command-in-.*',
+# ' dir-or-file-in-opt ', # handled by CheckFilelist.py
+# ' dir-or-file-in-usr-local ', # handled by CheckFilelist.py
+ ' non-standard-dir-in-usr ', # handled by CheckFilelist.py
+ ' no-signature',
+# ' symlink-crontab-file', #bnc591431
+# ' without-chkconfig',
+# 'unstripped-binary-or-object.*\.ko',
+# ' no-chkconfig',
+# ' subsys-not-used',
+# ' dangerous-command.*',
+# ' setuid-binary.*',
+# 'subdir-in-bin /sbin/conf.d/',
+# '.* nss_db non-standard-dir-in-var db',
+# 'non-standard-dir-in-usr openwin',
+# 'ibcs2 non-standard-dir-in-usr i486-sysv4',
+# 'shlibs5 non-standard-dir-in-usr i486-linux-libc5',
+# 'explicit-lib-dependency libtool',
+#
+## Filesystem package needs special exceptions
+# '^filesystem\..*: dir-or-file-in-var-run',
+# '^filesystem\..*: dir-or-file-in-var-lock',
+# '^filesystem\..*: dir-or-file-in-var-tmp',
+# '^filesystem\..*: dir-or-file-in-var-run',
+# '^filesystem\..*: dir-or-file-in-var-lock',
+# '^filesystem\..*: dir-or-file-in-usr-tmp',
+# '^filesystem\..*: dir-or-file-in-tmp',
+# '^filesystem\..*: dir-or-file-in-mnt',
+# '^filesystem\..*: dir-or-file-in-home',
+# '^filesystem\..*: hidden-file-or-dir /root/.gnupg',
+# '^filesystem\..*: hidden-file-or-dir /root/.gnupg',
+# '^filesystem\..*: hidden-file-or-dir /etc/skel/.config',
+# '^filesystem\..*: hidden-file-or-dir /etc/skel/.local',
+# '^filesystem\..*: hidden-file-or-dir /tmp/.X11-unix',
+# '^filesystem\..*: hidden-file-or-dir /tmp/.ICE-unix',
+# '^filesystem\..*: hidden-file-or-dir /etc/skel/.fonts',
+# '^filesystem\..*: filelist-forbidden-fhs23',
+# '^filesystem\..*: filelist-forbidden-opt',
+# '^filesystem\..*: non-standard-uid /var/lib/nobody nobody',
+# '^filesystem\..*: missing-dependency-to-cron',
+## has arch specific dirs in /usr
+# '^filesystem\..*: no-binary',
+#
+## Suppress any errors about internal packages
+# '^qa\S+: [EWI]:',
+# '^\S*(?:INTERNAL|internal)\.\S+: [EWI]:',
+#
+## Exceptions for devel-files
+# 'devel-file-in-non-devel-package.*/boot/vmlinuz-.*autoconf.h',
+# 'devel-file-in-non-devel-package.*/usr/src/linux-',
+# 'devel-file-in-non-devel-package.*/usr/share/systemtap',
+# '-(?:examples|doc)\.\S+: \w: devel-file-in-non-devel-package',
+# 'java\S+-demo\.\S+: \w: devel-file-in-non-devel-package',
+# 'avr-libc\.\S+: \w: devel-file-in-non-devel-package',
+# 'cross-.*devel-file-in-non-devel-package',
+# 'cmake.*devel-file-in-non-devel-package',
+# 'gcc\d\d.*devel-file-in-non-devel-package',
+# 'OpenOffice_org-sdk\.\S+: \w: devel-file-in-non-devel-package',
+# 'wnn-sdk\.\S+: \w: devel-file-in-non-devel-package',
+# 'ocaml\.\S+: \w: devel-file-in-non-devel-package',
+# 'xorg-x11-server-sdk\.\S+: \w: devel-file-in-non-devel-package',
+# 'linux-kernel-headers\.\S+: \w: devel-file-in-non-devel-package',
+# ' devel-file-in-non-devel-package.*-config',
+# 'libtool\.\S+: \w: devel-file-in-non-devel-package',
+# 'sdb.* dangling-relative-symlink /usr/share/doc/sdb/.*/gifs ../gifs',
+# 'kernel-modules-not-in-kernel-packages',
+#
+## SUSE kmp's don't need manual depmod (bnc#456048)
+# 'module-without-depmod-postin',
+# 'postin-with-wrong-depmod',
+# 'module-without-depmod-postun',
+# 'postun-with-wrong-depmod',
+# 'configure-without-libdir-spec',
+# 'conffile-without-noreplace-flag /etc/init.d',
+# 'use-of-RPM_SOURCE_DIR',
+# 'use-tmp-in-',
+# 'symlink-contains-up-and-down-segments /var/lib/named',
+# 'no-ldconfig-symlink',
+# 'aaa_base\.\S+: \w: use-of-home-in-%post',
+# 'description-line-too-long',
+ 'hardcoded-library-path',
+#
+## Doesn't seem to make sense
+# 'invalid-ldconfig-symlink',
+# 'invalid-soname',
+# 'library-not-linked-against-libc',
+# 'only-non-binary-in-usr-lib',
+ 'outside-libdir-files',
+#
+## We want these files
+# ' perl-temp-file ',
+# ' hidden-file-or-dir .*/\.packlist',
+# ' hidden-file-or-dir .*/\.directory',
+# 'perl-.*no-binary',
+ ' no-major-in-name ',
+#
+## We check for that already
+# 'dangling-relative-symlink',
+ ' lib-package-without-%mklibname',
+ ' requires-on-release',
+# ' non-executable-script /etc/profile.d/',
+# ' non-executable-script /var/adm/fillup-templates/',
+# ' init-script-name-with-dot ',
+# '.* statically-linked-binary /sbin/ldconfig',
+# '.* statically-linked-binary /sbin/init',
+# 'valgrind.* statically-linked-binary',
+# 'ldconfig-post.*/ddiwrapper/wine/',
+# 'glibc\.\S+: \w: statically-linked-binary /usr/sbin/glibc_post_upgrade',
+ ' symlink-should-be-relative ',
+# ' binary-or-shlib-defines-rpath .*ORIGIN',
+# 'libzypp.*shlib-policy-name-error.*libzypp',
+# 'libtool.*shlib-policy.*',
+#
+## Stuff that is currently too noisy, but might become relevant in the future
+# ' prereq-use',
+# ' file-not-utf8',
+# ' tag-not-utf8',
+# ' setup-not-quiet',
+# ' mixed-use-of-spaces-and-tabs ',
+# ' prereq-use ',
+#
+## An issue with OBS, works with autobuild
+ ' no-packager-tag',
+# ' unversioned-explicit-provides ',
+# ' unversioned-explicit-obsoletes ',
+# ' service-default-enabled ',
+# ' non-standard-dir-perm ',
+# ' conffile-without-noreplace-flag ',
+# ' non-standard-executable-perm ',
+ ' jar-not-indexed ',
+# ' uncompressed-zip ',
+# ' %ifarch-applied-patch ',
+# ' read-error ',
+# ' init-script-without-chkconfig-postin ',
+# ' init-script-without-chkconfig-preun ',
+# ' postin-without-chkconfig ',
+# ' preun-without-chkconfig ',
+ ' no-dependency-on locales',
+ ' no-dependency-on perl-base',
+ ' no-dependency-on python-base',
+ ' python-naming-policy-not-applied',
+ # FIXME does this really exists?
+ ' perl-naming-policy-not-applied',
+# ' shlib-policy-name-error',
+# ' binary-or-shlib-defines-rpath',
+# ' executable-marked-as-config-file',
+# ' log-files-without-logrotate',
+# ' hardcoded-prefix-tag',
+ '-debug(info|source).* no-documentation',
+ '-debugsource.* no-binary',
+# ' multiple-specfiles',
+# ' no-default-runlevel ',
+# ' setgid-binary ',
+# ' non-readable ',
+ ' postin-without-ghost-file-creation ',
+#
+## Exceptions for filelist checks
+# 'nfs-client\.\S+: \w: filelist-forbidden-backup-file /var/lib/nfs/sm.bak',
+# 'perl\.\S+: \w: filelist-forbidden-perl-dir ',
+# 'info\.\S+: \w: info-dir-file .*/usr/share/info/dir',
+#
+## These packages are used for CD creation and are not supposed to be
+## installed. It's still a dirty hack to make an exception. The
+## packages should either be built in a separate project with
+## different config or file be put somewhere below /opt/suse/*
+# '(?:dosutils|skelcd|installation-images|yast2-slide-show|instlux|skelcd-.*|patterns-.*)\.\S+: \w: filelist-forbidden-fhs23 /CD1',
+#
+## Too noisy, and usually not something downstream packagers can fix
+# ' incorrect-fsf-address ',
+# ' no-manual-page-for-binary ',
+# ' static-library-without-debuginfo /usr/lib(?:64)?/ghc-[\d\.]+/',
+#
+## Many places have shorter paths
+# ' non-coherent-filename ',
+
+# Mandriva specific stuff that Fedora do not want either
+ ' invalid-build-requires ',
+
+# Fedora specific stuff that we don't want
+ ' ghost-files-without-postin',
+ ' no-provides ',
+ '-debuginfo.* /usr/lib/debug/',
+ '-debugsource.* /usr/src/debug/',
+ '-devel.* no-binary',
+ '^gpg-pubkey:',
+ ' doc-file-dependency .* /bin/sh$',
+ 'explicit-lib-dependency (liberation-fonts|libertas-.*-firmware|libvirt$|.*-(java|python|utils)$)',
+ 'explicit-lib-dependency (python-.*lib.*|python2-.*lib.*|python3-.*lib.*)$',
+ 'explicit-lib-dependency libreoffice.*$',
+ 'dangling-\S*symlink /usr/share/doc/HTML/\S+/common .+/common$',
+ 'hidden-file-or-dir .*/man5/\.k5login\.5[^/]+$',
+ 'blender.+ (wrong-script-interpreter|non-executable-script) .+/blender/.+\.py.*BPY.*',
+ # Don't bother with the non-ghost-in-run checks, /var/lock and /var/run are
+ # symlinks to /run/lock and /run respectively, and /run is a tmpfs
+ 'non-ghost-in-run',
+ # Someone thought it was a good idea to make .desktop files executable. They were wrong.
+ # Nevertheless, I do not yet control the universe, so we squelch the error here.
+ 'script-without-shebang .*\.desktop$',
+ # Some files in /etc/ are not meant to be modified by the sysadmin
+ 'non-conffile-in-etc /etc/rpm/.*$',
+ # Files that are intentionally not supposed to be readable
+ # Contains passwords
+ 'non-readable /etc/ovirt-engine/isouploader.conf',
+ ## Ignore webservers which are just broken.
+ 'invalid-url .*\.googlecode\.com/.*HTTP Error 404',
+ 'invalid-url .*\.jboss\.org/.*HTTP Error 403',
+ 'invalid-url .*bitbucket\.org/.*HTTP Error 403',
+ 'invalid-url .*github\.com/.*HTTP Error 403',
+ # Don't care about long descriptions on debuginfo packages
+ # They automatically include the package name and are always
+ # quite long.
+ '-debuginfo.* description-line-too-long',
+ # ignore "common" jargon words
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1424684#c9
+ 'spelling-error.* \b(runtime|Runtime|metadata|cryptographic|multi|linux|filesystem|filesystems|backend|backends|userspace|addon|wayland|Wayland|util|utils|lossless|virtualization|toolkits|libvirtd|crypto|glyphs|GStreamer|http|extensibility|codec|codecs|truetype|scalable|pluggable|pixbuf|Kerberos|customizable|bitstream|tcp|libXss|libs|libc|encodings|GLib|udev|posix|libpng|glapi|gbm|freedesktop|spi|realtime|preprocessor|libaudit|hypervisor|embeddable|distributable|devel|config|cairo|bootloader|adaptors|pragma|passphrase|malloc|libvirt|libmagic|io|datetime|boolean|argparse|py|pinentry|namespace|middleware|lowlevel|libxcb|libudev|libsoup|libgcrypt|libcom|iSCSI|initramfs|GObject|executables|dialogs|checkpolicy|bitmapped|assistive|btrfs|crypttab|defrag|dracut|hostname|luks|mountpoints|netdev|rpmnew|rpmsave|storaged|tss|unlocker)\b',
+ # Fedora no longer uses explicit ldconfig %post/%postun as of Fedora 28
+ 'postin-without-ldconfig',
+ 'postun-without-ldconfig',
+ 'library-without-ldconfig-postin',
+ 'library-without-ldconfig-postun',
+ # Ignore 700 dir perms here
+ 'non-standard-dir-perm /etc/.* 700',
+ 'non-standard-dir-perm /var/lib/.* 700',
+ # pip 20.2 generates PEP 376 "REQUESTED" marker (empty)
+ 'zero-length .+/site-packages/.+\.dist-info/REQUESTED\b',
+ # py.typed files are empty
+ 'zero-length .+/site-packages/.+/py\.typed\b',
+ # https://bugzilla.redhat.com/496737, https://bugzilla.redhat.com/646455
+ 'coreutils.* (setuid-binary|non-standard-executable-perm) /bin/su (root )?04',
+ 'krb5-workstation.* (setuid-binary|non-standard-executable-perm) /usr/kerberos/bin/ksu (root )?04',
+ 'passwd.* (setuid-binary|non-standard-executable-perm) /usr/bin/passwd (root )?04',
+ 'sudo.* (setuid-binary|non-standard-executable-perm) /usr/bin/sudo(edit)? (root )?04',
+ 'upstart.* (setuid-binary|non-standard-executable-perm) /sbin/initctl (root )?04',
+ 'usermode.* (setuid-binary|non-standard-executable-perm) /usr/sbin/userhelper (root )?04',
+ # Only works properly with SUSE packages. See
+ # https://github.com/rpm-software-management/rpmlint/issues/781
+ 'no-library-dependency-for',
+ 'no-library-dependency-on',
+ # ignore missing .hash section; we still warn if .gnu.hash is missing
+ # https://bugzilla.redhat.com/2132969
+ ' missing-hash-section ',
+ # https://bugzilla.redhat.com/2260169
+ ' python-missing-require ',
+
+## Bash completion files are not scripts, do not require them marked as %config
+# 'W: non-conffile-in-etc /etc/bash_completion.d/',
+#
+
+# Info uses file triggers now (boo#1152169)
+ ' info-files-without-install-info-postin',
+ ' info-files-without-install-info-postun ',
+ ' postin-without-install-info ',
+]
+
+[DanglingSymlinkExceptions."/usr/share/doc/licenses/"]
+path = "/usr/share/doc/licenses/"
+name = "licenses"
+[DanglingSymlinkExceptions."consolehelper$"]
+path = "consolehelper$"
+name = "usermode"
+[DanglingSymlinkExceptions."consolehelper-gtk$"]
+path = "consolehelper-gtk$"
+name = "usermode-gtk"
+
+[Descriptions]
+non-standard-uid = '''A file in this package is owned by an unregistered user id.
+To register the user, please make a pull request to the rpmlint config file
+configs/Fedora/fedora.toml in the rpmlint repository.
+'''
+non-standard-gid = '''A file in this package is owned by an unregistered group id.
+To register the group, please make a pull request to the rpmlint config file
+configs/Fedora/fedora.toml in the rpmlint repository.
+'''
+no-changelogname-tag = '''There is no changelog. Please insert a '%changelog' section heading in your
+spec file and prepare your changelog entry using e.g. the 'rpmdev-bumpspec' command.'''
diff --git a/rpmlint-2.5.0.tar.gz b/rpmlint-2.5.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..766ca7ab82fad8d297b1e4201c0344543f2fcb1f Binary files /dev/null and b/rpmlint-2.5.0.tar.gz differ diff --git a/rpmlint.spec b/rpmlint.spec index 97a0fc0551802b38b838847e4da70d5fd7e3a529..f12a63a910902e94184f15c18421d4c3a238b27c 100644 --- a/rpmlint.spec +++ b/rpmlint.spec @@ -1,14 +1,18 @@ -%define anolis_release 3 +%define anolis_release 1 # pass --without tests to skip the test suite %bcond_with tests Name: rpmlint -Version: 2.4.0 +Version: 2.5.0 Release: %{anolis_release}%{?dist} Summary: Tool for checking common errors in RPM packages License: GPL-2.0-or-later URL: https://github.com/rpm-software-management/rpmlint -Source0: %{url}/archive/%{version}/rpmlint-%{version}.tar.gz +Source0: https://github.com/rpm-software-management/rpmlint/archive/2.5.0/rpmlint-2.5.0.tar.gz +Source1: fedora.toml +Source3: scoring.toml +Source4: users-groups.toml +Source5: warn-on-functions.toml # https://github.com/rpm-software-management/rpmlint/pull/943 Patch0: https://github.com/rpm-software-management/rpmlint/commit/393cde4e.patch#/0001-fix-broken-regex-for-no-manual-page-for-binary-check.patch Patch1: https://github.com/rpm-software-management/rpmlint/commit/48aa148b.patch#/0001-TagsCheck-restore-space-exclusion-to-license_excepti.patch @@ -27,6 +31,15 @@ BuildRequires: python3dist(pytest) BuildRequires: python3dist(pytest-xdist) BuildRequires: /usr/bin/appstream-util BuildRequires: /usr/bin/desktop-file-validate +BuildRequires: /usr/bin/appstream-util +BuildRequires: /usr/bin/desktop-file-validate +BuildRequires: dash +BuildRequires: devscripts-checkbashisms +BuildRequires: git-core +BuildRequires: hunspell-cs +BuildRequires: hunspell-en-US +BuildRequires: python3dist(pytest) +BuildRequires: python3dist(pytest-xdist) %endif %description 
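Review bot: `Source0` now hard-codes the version twice (`.../archive/2.5.0/rpmlint-2.5.0.tar.gz`) where the removed line derived it from `%{url}` and `%{version}`, so a later `Version:` bump that misses this line would leave the spec pointing at the 2.5.0 tarball; I would keep `Source0: %{url}/archive/%{version}/rpmlint-%{version}.tar.gz`. `Patch0` and `Patch1` are carried over unchanged from 2.4.0 and should be checked against the 2.5.0 tree, since they will either fail to apply or be redundant if upstream has already merged them. The new `Source1`/`Source3`/`Source4`/`Source5` entries skip `Source2`, and the only install step visible on this page is `install -m 0644 configs/anolis/*.toml` in the `@@ -68,6` hunk header, so it is not clear from the diff that the four added TOML files are ever installed (%prep and %install lie outside the hunks). Because the tarball is committed as a binary blob, a comment above `Source0` recording the upstream tag or checksum it was fetched from would let a reviewer verify it, and the changelog entry's `to fix xxxxxx` placeholder should likewise name what the update fixes.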
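Review bot: The added `BuildRequires` block in the `@@ -27,6` hunk repeats entries that are already in the spec directly above it: `/usr/bin/appstream-util`, `/usr/bin/desktop-file-validate`, `python3dist(pytest)` and `python3dist(pytest-xdist)` all appear in the unchanged lines just before the additions. rpmbuild accepts duplicate requirements, so this is harmless at build time, but the repeats hide the fact that the real additions seem to be only `dash`, `devscripts-checkbashisms`, `git-core`, `hunspell-cs` and `hunspell-en-US`. The list begins above the hunk, so some of those five may be duplicates as well; I would drop every repeated line and keep a single list.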
@@ -68,6 +81,10 @@ install -m 0644 configs/anolis/*.toml %{buildroot}%{_sysconfdir}/xdg/rpmlint/ %{_bindir}/rpmlint %changelog +* Tue Oct 28 2025 wenyuzifang - 2.5.0-1 +- Updated to version 2.5.0 to fix xxxxxx + + * Tue Mar 26 2024 Zhao Hang - 2.4.0-3 - Rebuild with python3.11 diff --git a/scoring.toml b/scoring.toml new file mode 100644 index 0000000000000000000000000000000000000000..170082cb73a3c7653a1fe0098b2e56a2535d3d6f --- /dev/null +++ b/scoring.toml @@ -0,0 +1,6 @@ +[Scoring] +# This can set how bad each error is. +# But we set BadnessThreshold to -1 so anything above 0 +# is actually fatal. +# You can check configs/openSUSE/scoring.toml for more fine graded scoring. +no-group-tag = 1 diff --git a/users-groups.toml b/users-groups.toml new file mode 100644 index 0000000000000000000000000000000000000000..706805f58ee80f7cc265f9c8e8f1426d95f7a874 --- /dev/null +++ b/users-groups.toml 
@@ -0,0 +1,5 @@ +# generated by tools/generate-fedora-users-groups.py on 2022-09-07 + +StandardUsers = ['abrt', 'activemq', 'adm', 'aeolus', 'amandabackup', 'apache', 'arpwatch', 'ats', 'avahi', 'avahi-autoipd', 'bacula', 'beagleindex', 'bin', 'cassandra', 'ceilometer', 'ceph', 'cimsrvr', 'cinder', 'clamav', 'condor', 'cyrus', 'daemon', 'dbus', 'desktop', 'dhcpd', 'distcache', 'dovecot', 'elasticsearch', 'exim', 'fax', 'frontpage', 'ftp', 'games', 'gdm', 'glance', 'gopher', 'hacluster', 'haldaemon', 'halt', 'haproxy', 'heat', 'hsqldb', 'ident', 'jbosson-agent', 'jetty', 'jonas', 'keystone', 'ldap', 'lp', 'luci', 'mail', 'mailman', 'mailnull', 'majordomo', 'mongodb', 'myproxy', 'mysql', 'named', 'netdump', 'news', 'nobody', 'nocpulse', 'nova', 'nscd', 'nslcd', 'ntp', 'nut', 'operator', 'oprofile', 'ovirt', 'ovirtagent', 'pegasus', 'piranha', 'pkiuser', 'polkituser', 'postfix', 'postgres', 'prelude-manager', 'privoxy', 'pulse', 'puppet', 'pvm', 'qemu', 'quagga', 'quantum', 'radiusd', 'radvd', 'retrace', 'rhevm', 'ricci', 'root', 'rpc', 'rpcuser', 'rpm', 'rtkit', 'sabayon', 'saned', 'sanlock', 'shutdown', 'smmsp', 'snortd', 'squid', 'sshd', 'stap-server', 'swift', 'sync', 'systemd-network', 'systemd-resolve', 'tcpdump', 'tomcat', 'tss', 'usbmuxd', 'uucp', 'vcsa', 'vdsm', 'vhostmd', 'wallaby', 'webalizer', 'wildfly', 'wnn', 'xfs'] + +StandardGroups = ['abrt', 'activemq', 'adm', 'aeolus', 'apache', 'arpwatch', 'ats', 'audio', 'avahi', 'avahi-autoipd', 'bacula', 'beagleindex', 'bin', 'cassandra', 'cdrom', 'ceilometer', 'ceph', 'cimsrvr', 'cinder', 'clamav', 'condor', 'console', 'daemon', 'dbus', 'desktop', 'dhcpd', 'dialout', 'dip', 'disk', 'distcache', 'dovecot', 'elasticsearch', 'exim', 'fax', 'floppy', 'frontpage', 'ftp', 'games', 'gdm', 'glance', 'gopher', 'haclient', 'haldaemon', 'haproxy', 'heat', 'hsqldb', 'ident', 'input', 'jbosson', 'jetty', 'jonas', 'keystone', 'kmem', 'kvm', 'ldap', 'lock', 'lp', 'luci', 'mail', 'mailman', 'mailnull', 'majordomo', 'man', 
'mem', 'mock', 'mongodb', 'myproxy', 'mysql', 'named', 'netdump', 'news', 'nobody', 'nocpulse', 'nova', 'nscd', 'ntp', 'nut', 'oprofile', 'ovirt', 'ovirtagent', 'pegasus', 'piranha', 'pkiuser', 'polkituser', 'popusers', 'postdrop', 'postfix', 'postgres', 'pppusers', 'prelude-manager', 'privoxy', 'pulse', 'puppet', 'pvm', 'qemu', 'quagga', 'quaggavt', 'quantum', 'radiusd', 'radvd', 'realtime', 'render', 'retrace', 'rhevm', 'ricci', 'root', 'rpc', 'rpcuser', 'rpm', 'rtkit', 'sabayon', 'saned', 'sanlock', 'saslauth', 'screen', 'sgx', 'slipusers', 'slocate', 'smmsp', 'snortd', 'squid', 'sshd', 'stap-server', 'stapdev', 'stapsys', 'stapusr', 'swift', 'sys', 'systemd-journal', 'systemd-network', 'systemd-resolve', 'tape', 'tcpdump', 'tomcat', 'tss', 'tty', 'usbmuxd', 'users', 'utempter', 'utmp', 'uucp', 'vcsa', 'vhostmd', 'video', 'wallaby', 'wbpriv', 'webalizer', 'wheel', 'wildfly', 'wine', 'wnn', 'xfs'] diff --git a/warn-on-functions.toml b/warn-on-functions.toml new file mode 100644 index 0000000000000000000000000000000000000000..58d848dc0e54d8de11232c601719b0173d8eebc3 --- /dev/null +++ b/warn-on-functions.toml 
@@ -0,0 +1,25 @@
+# Additional warnings on specific function calls
+[WarnOnFunction]
+
+[WarnOnFunction.crypto-policy-non-compliance-openssl]
+f_name = "SSL_CTX_set_cipher_list"
+good_param = "PROFILE=SYSTEM"
+description = """This application package calls a function to explicitly set crypto ciphers
+for SSL/TLS. That may cause the application not to use the system-wide set
+cryptographic policy and should be modified in accordance to:
+https://fedoraproject.org/wiki/Packaging:CryptoPolicies"""
+
+[WarnOnFunction.crypto-policy-non-compliance-gnutls-1]
+f_name = "gnutls_priority_set_direct"
+description = """This application package calls a function to explicitly set crypto ciphers
+for SSL/TLS. That may cause the application not to use the system-wide set
+cryptographic policy and should be modified in accordance to:
+https://fedoraproject.org/wiki/Packaging:CryptoPolicies"""
+
+[WarnOnFunction.crypto-policy-non-compliance-gnutls-2]
+f_name = "gnutls_priority_init"
+good_param = "SYSTEM"
+description = """This application package calls a function to explicitly set crypto ciphers
+for SSL/TLS. That may cause the application not to use the system-wide set
+cryptographic policy and should be modified in accordance to:
+https://fedoraproject.org/wiki/Packaging:CryptoPolicies"""