initial commit

9 files changed, 517 insertions, 0 deletions

diff --git a/sbopkglint.d/05-basic-sanity.t.sh b/sbopkglint.d/05-basic-sanity.t.sh
new file mode 100644
index 0000000..6709203
--- /dev/null
+++ b/sbopkglint.d/05-basic-sanity.t.sh
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+#######################################################################
+# these directories are allowed to exist in the package, but they
+# must be mode 0755 and owned by root:root. if a dir from this list
+# exists but is empty, that's an error. if a top-level directory
+# exists that's *not* in this list (such as /dev), that's an error.
+topleveldirs="bin boot etc lib lib64 opt sbin srv usr var run"
+
+# these directories are *required* to exist, and must be mode 0755, root:root.
+# if a dir from this list exists but is empty, that's an error. note
+# that the install/ dir no longer exists by the time we run (installpkg
+# deleted it already).
+requireddirs="usr/doc/$PRGNAM-$VERSION"
+
+# these directories *must not* exist. no need to list top-level dirs here,
+# the topleveldirs check already catches those.
+baddirs="usr/local usr/share/doc usr/share/man usr/etc usr/share/info usr/X11 usr/X11R6"
+
+# these directories may exist, but must contain only files or symlinks,
+# and must be mode 0755, root:root. I thought usr/share/pixmaps
+# belonged here, but quite a few packages create subdirs there for
+# images required at runtime that aren't the app icon.
+fileonlydirs="bin usr/bin sbin usr/sbin"
+
+# these directories may exist, but must contain only subdirectories
+# (no files, symlinks, devices, etc). "." (the top-level package dir)
+# doesn't need to be included here; it's checked separately.
+nofiledirs="usr usr/doc usr/share usr/man"
+
+# these directories may exist but must not have executable files
+# anywhere under them. I would put usr/doc and etc here, but too many
+# packages break that rule. usr/share/applications is listed here,
+# even though Slackware's KDE packages (erroneously) install .desktop
+# files +x.
+noexecdirs="usr/man usr/share/pixmaps usr/share/icons usr/share/applications usr/share/appdata usr/share/mime usr/share/mime-info usr/share/glib-2.0"
+
+# these files must exist.
+requiredfiles="usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild"
+
+# these files must not exist.
+badfiles="\
+usr/info/dir \
+usr/info/dir.gz \
+usr/lib64/perl5/perllocal.pod \
+usr/lib/perl5/perllocal.pod \
+usr/share/perl5/perllocal.pod \
+usr/share/perl5/vendor_perl/perllocal.pod \
+etc/passwd \
+etc/passwd.new \
+etc/shadow \
+etc/shadow.new \
+etc/group \
+etc/group.new \
+etc/gshadow \
+etc/gshadow.new \
+etc/ld.so.conf"
+
+#######################################################################
+
+# include 'hidden' files/dirs in * wildcard expansion.
+shopt -s dotglob
+
+dir_ok() {
+	[ -d "$1" ] && \
+		[ "$( stat -c '%A %U %G' "$1" )" = "drwxr-xr-x root root" ]
+}
+
+dir_empty() {
+	[ "$( find "$1" -mindepth 1 -maxdepth 1 )" = "" ]
+}
+
+warn_badperms() {
+	warn "bad permissions/owner (should be 0755 root:root): $1"
+}
+
+for i in *; do
+	if [ ! -d "$i" ]; then
+		warn "package root dir contains non-directory: $i"
+	elif ! echo "$topleveldirs" | grep -q "\\<$i\\>"; then
+		warn "package root dir contains non-standard directory: $i"
+	elif ! dir_ok "$i"; then
+		warn_badperms "$i"
+	elif dir_empty "$i"; then
+		warn "package contains empty top-level directory: $i"
+	fi
+done
+
+for i in $requireddirs; do
+	if [ ! -d "$i" ]; then
+		warn "missing required directory: $i"
+	elif ! dir_ok "$i"; then
+		warn_badperms "$i"
+	fi
+done
+
+for i in $baddirs; do
+	if [ -d "$i" ]; then
+		warn "forbidden directory exists: $i"
+	elif [ -e "$i" ]; then
+		warn "forbidden directory exists as a non-directory: $i"
+	fi
+done
+
+for i in $fileonlydirs; do
+	[ -d "$i" ] || continue
+	dir_ok "$i" || warn_badperms "$i"
+	badstuff="$( find -L "$i" -mindepth 1 -maxdepth 1 \! -type f )"
+	[ -n "$badstuff" ] && warn "$i should only contain files, not:" && ls -ld $badstuff
+done
+
+for i in $nofiledirs; do
+	[ -d "$i" ] || continue
+	dir_ok "$i" || warn_badperms "$i"
+	badstuff="$( find -L "$i" -mindepth 1 -maxdepth 1 \! -type d )"
+	[ -n "$badstuff" ] && warn "$i should only contain directories, not:" && ls -ld $badstuff
+done
+
+for i in $requiredfiles; do
+	[ -f "$i" ] || warn "missing required file: $i"
+done
+
+for i in $noexecdirs; do
+	[ -d "$i" ] || continue
+	found="$( find "$i" -type f -a -perm /0111 )"
+	if [ -n "$found" ]; then
+		warn "$i should not contain files with executable permission:"
+		ls -l $found
+	fi
+done
+
+for i in $badfiles; do
+	[ -e "$i" ] && warn "forbidden file: $i"
+done
+
+badlinks="$( find -L . -type l )"
+[ -n "$badlinks" ] && for i in $badlinks; do
+	target="$( readlink "$i" )"
+	case "$target" in
+		/*) abslinks+="$i " ;;
+		*) brokenlinks+="$i " ;;
+	esac
+done
+
+[ -n "$abslinks" ] && warn "package contains absolute symlinks (should be relative):" && ls -ld $abslinks
+[ -n "$brokenlinks" ] && warn "package contains broken symlinks:" && ls -ld $brokenlinks
+
diff --git a/sbopkglint.d/10-docs.t.sh b/sbopkglint.d/10-docs.t.sh
new file mode 100644
index 0000000..e1bb8d8
--- /dev/null
+++ b/sbopkglint.d/10-docs.t.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+########################################################################
+# checks file permissions and ownership in the package doc dir. files
+# should all be mode 644, directories should be 755. everything should
+# be owned by root:root. also checks for empty files or (possibly)
+# install instructions.
+
+
+# ideally, we'd require all files under the doc dir to be mode 0644.
+# however, too many existing packages (including core Slackware ones)
+# break that rule. so check for the minimum set of desired permissions:
+# a doc file should be readable by all users (at least 444).
+
+DOCDIR=usr/doc/$PRGNAM-$VERSION
+
+# existence of the doc dir was already checked by a previous test,
+# so just don't do anything if it's missing.
+
+if [ -d "$DOCDIR" ]; then
+	badpermfiles="$( find $DOCDIR -mindepth 1 -type f -a \! -perm -444 )"
+	 badpermdirs="$( find $DOCDIR -mindepth 1 -type d -a \! -perm 0755 )"
+	   badowners="$( find $DOCDIR -mindepth 1 -user root -a -group root -o -print )"
+	       empty="$( find $DOCDIR -mindepth 1 -empty )"
+	       bogus="$( find $DOCDIR -mindepth 1 -maxdepth 1 -type f -a \( -name INSTALL -o -name INSTALL.\* \) )"
+
+	[ -n "$badpermfiles" ] && warn "bad file perms (should be 644, or at least 444) in doc dir:" && ls -l $badpermfiles
+	[ -n "$badpermdirs"  ] && warn "bad directory perms (should be 755) in doc dir:" && ls -ld $badpermdirs
+	[ -n "$badowners"  ]   && warn "bad ownership (should be root:root) in doc dir:" && ls -ld $badowners
+	[ -n "$empty"      ]   && warn "empty files/dirs in doc dir: $empty"
+	[ -n "$bogus"      ]   && [ -z "$INSTALL_DOCS_OK" ] && warn "useless-looking install instructions in doc dir: $bogus"
+fi
+
+baddocs="$( find usr/doc -mindepth 1 -maxdepth 1 \! -name $PRGNAM-$VERSION )"
+[ -n "$baddocs" ]  && warn "docs outside of $DOCDIR:" && ls -ld $baddocs
diff --git a/sbopkglint.d/15-noarch.t.sh b/sbopkglint.d/15-noarch.t.sh
new file mode 100644
index 0000000..55c17f6
--- /dev/null
+++ b/sbopkglint.d/15-noarch.t.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+########################################################################
+# makes sure "noarch" packages really are noarch.
+
+if [ "$ARCH" = "noarch" ]; then
+	elfbins="$( find * -type f -print0 | xargs -0 file -m /etc/file/magic/elf | grep ELF | cut -d: -f1 )"
+	[ -n "$elfbins" ] && warn "package claims to be noarch, but contains ELF binaries:" && ls -l $elfbins
+fi
diff --git a/sbopkglint.d/20-arch.t.sh b/sbopkglint.d/20-arch.t.sh
new file mode 100644
index 0000000..81a91a4
--- /dev/null
+++ b/sbopkglint.d/20-arch.t.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+########################################################################
+# for noarch packages, do nothing.
+# for everything else, make sure any ELF binaries/libraries match the
+# ARCH, and that libs are in the correct directory (lib vs. lib64).
+
+# warnings:
+# if an i?86 package has any 64-bit ELF objects (libs or bins)
+# if an x86_64 package has any 32-bit ELF objects (libs or bins)
+# if an i?86 package has lib64 or usr/lib64 at all
+# if an x86_64 package has 64-bit libs in lib or usr/lib
+
+# note: sometimes files in /lib/firmware are ELF, and would cause
+# false "wrong directory" warnings, so we exclude that dir from the
+# search.
+
+case "$ARCH" in
+	noarch) ;; # ok, do nothing.
+	i?86) WRONGDIR="lib64"; CPU="80386" ;;
+	x86_64) WRONGDIR="lib"; CPU="x86-64" ;;
+	*) warn "ARCH isn't noarch, i?86, or x86_64. don't know how to check binaries." ;;
+esac
+
+INWRONGDIR=""
+WRONGARCH=""
+NOTSTRIPPED=""
+if [ -n "$WRONGDIR" ]; then
+	find * -type f -print0 | \
+		xargs -0 file -m /etc/file/magic/elf | \
+		grep 'ELF.*\(executable\|shared object\)' > .tmp.$$
+
+		while read line; do
+			file="$( echo $line | cut -d: -f1 )"
+			filetype="$( echo $line | cut -d: -f2 )"
+			case "$file" in
+				lib/firmware/*) continue ;;
+				$WRONGDIR/*|usr/$WRONGDIR/*)
+					INWRONGDIR+="$file " ;;
+			esac
+
+			# 64-bit packages can contain 2 types of 32-bit binaries:
+			# - statically linked.
+			# - statified. very few of these exist, and we can't make
+			#   them on 15.0 (statifier can't handle modern kernel/glibc
+			#   and the author hasn't updated it).
+			if [ "$ARCH" = "x86_64" ]; then
+				echo "$filetype" | grep -q 'statically linked' && continue
+				grep -q DL_RO_DYN_TEMP_CNT "$file" && continue
+			fi
+
+			if ! echo "$filetype" | grep -q "$CPU"; then
+				WRONGARCH+="$file "
+			fi
+			if echo "$filetype" | grep -q "not stripped"; then
+				NOTSTRIPPED+="$file "
+			fi
+		done < .tmp.$$
+		rm -f .tmp.$$
+fi
+
+[ -n "$INWRONGDIR" ] && warn "shared lib(s) in wrong dir for ARCH:" && ls -l $INWRONGDIR
+[ -n "$WRONGARCH" ] && warn "ELF object(s) with wrong arch (should be $CPU):" && ls -l $WRONGARCH
+[ -n "$NOTSTRIPPED" ] && warn "ELF object(s) not stripped:" && ls -l $NOTSTRIPPED
diff --git a/sbopkglint.d/25-lafiles.t.sh b/sbopkglint.d/25-lafiles.t.sh
new file mode 100644
index 0000000..d4c56f7
--- /dev/null
+++ b/sbopkglint.d/25-lafiles.t.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+########################################################################
+# check for .la files, according to the Slackware 15.0 guidelines.
+# they're not allowed directly in /lib /lib64 /usr/lib /usr/lib64, but
+# they're OK in subdirectories (e.g. /usr/lib64/appname/plugins/foo.la).
+
+for i in lib lib64 usr/lib usr/lib64; do
+	[ -d "$i" ] || continue
+	found="$( find $i -maxdepth 1 -name '*.la' )"
+	[ -n "$found" ] && LAFILES+="$found "
+done
+
+if [ -n "$LAFILES" ]; then
+	warn "package contains .la files:"
+	ls -l $LAFILES
+fi
diff --git a/sbopkglint.d/30-manpages.t.sh b/sbopkglint.d/30-manpages.t.sh
new file mode 100644
index 0000000..e0978b3
--- /dev/null
+++ b/sbopkglint.d/30-manpages.t.sh
@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+#######################################################################
+# if the package contains the usr/man dir, make sure that:
+# all the dirs match usr/man/man[1-9n] or usr/man/<locale>/man[1-9n].
+# all the files under /usr/man are gzipped and end in <section>.gz.
+# all the files under /usr/man have mode 0644. executable man pages
+# don't make sense, and man pages that aren't world-readable are
+# annoying and wrong.
+# all the filenames match the sections (e.g. usr/man/man1/foo.1.gz
+# matches, usr/man/man1/bar.2.gz doesn't).
+# all the gzipped files look like they contain *roff.
+
+BADPERMS=""
+BADDIRPERMS=""
+BADDIRS=""
+BADNAMES=""
+NOTGZIPPED=""
+NONTROFF=""
+WRONGSECT=""
+
+check_gzipped_page() {
+	local f="$1"
+	local d="$( dirname $f )"
+	local s="$( stat -c '%a %U %G' "$f" )"
+
+	if [ "$s" = "444 root root" ]; then
+		: # we could warn here someday
+	elif [ "$s" != "644 root root" ]; then
+		BADPERMS+="$f "
+	fi
+
+	if [ "$( file -L -b --mime-type "$f" )" != "application/gzip" ]; then
+		NOTGZIPPED+="$f "
+	fi
+
+	# I have ~42,000 man pages on my dev box, file(1) fails to identify
+	# 12 of them as troff, but adding the check for .T catches them all.
+	if [ "$( file -z -m /etc/file/magic/troff -L -b --mime-type "$f" )" != "text/troff" ]; then
+		if ! zgrep -q '^\.T' "$f"; then
+			NONTROFF+="$f "
+		fi
+	fi
+
+	# checking the section is tricky because e.g. /usr/man/man1 may contain
+	# files with with names like .1.gz, .1x.gz, .1.pm.gz.
+
+	# if the section in the directory name is bad, don't complain here, it
+	# was already reported.
+	dir_s="$( echo "$d" | sed -n 's,.*man\([0-9n]\)$,\1,p' )"
+	if [ "$dir_s" = "" ]; then
+		return
+	fi
+
+	s="$( basename "$f" | sed -n 's,.*\.\([0-9n]\)[^.]*\.gz,\1,p' )"
+	if [ "$s" = "" ]; then
+		BADNAMES+="$f "
+	elif [ "$s" != "$dir_s" ]; then
+		WRONGSECT+="$f "
+	fi
+}
+
+# called for paths like /usr/man/de. right now, it accepts names like
+# xx_XX or xx.UTF-8, or actually anything whose first 2 characters match
+# one of the dirs in /usr/share/locale. could use some refining. I don't
+# even know if the *.UTF-8 or *.ISO8859-1 dirs get searched by man-db.
+# Note that slackware's own libcdio-paranoia install man pages in
+# /usr/man/jp, which is invalid.
+check_locale_dir() {
+	l="$( echo "$1" | sed 's,^.*/\(..\).*$,\1,' )"
+	[ -e /usr/share/locale/"$l" ] || warn "bad locale dir in /usr/man: $l"
+}
+
+if [ -d usr/man ]; then
+	find usr/man -type f > .manpages.$$
+	find usr/man -mindepth 1 -type d > .mandirs.$$
+
+	while read d; do
+		case "$d" in
+			usr/man/man[1-9n]|usr/man/*/man[1-9n])
+				[ "$( stat -c '%a %U %G' "$d" )" != "755 root root" ] && BADDIRPERMS+="$d "
+				;;
+			usr/man/??*) check_locale_dir "$d" ;;
+			*) BADDIRS+="$d " ;;
+		esac
+	done < .mandirs.$$
+
+	while read f; do
+		case "$f" in
+			*.gz) check_gzipped_page "$f" ;;
+			*) BADNAMES+="$f " ;;
+		esac
+	done < .manpages.$$
+
+	rm -f .manpages.$$ .mandirs.$$
+
+	[ -n "$BADPERMS" ] && warn "bad man page owner/permissions (should be 0644, root:root)" && ls -ld $BADPERMS
+	[ -n "$BADDIRPERMS" ] && warn "bad man directory owner/permissions (should be 0755, root:root)" && ls -ld $BADDIRPERMS
+	[ -n "$BADDIRS" ] && warn "bad directory names in /usr/man:" && ls -ld $BADDIRS
+	[ -n "$BADNAMES" ] && warn "bad man page names (not *.gz):" && ls -ld $BADNAMES
+	[ -n "$NOTGZIPPED" ] && warn "non-gzip (but named *.gz) man pages:" && ls -ld $NOTGZIPPED
+	[ -n "$NONTROFF" ] && warn "invalid man pages (not troff):" && ls -ld $NONTROFF
+	[ -n "$WRONGSECT" ] && warn "man pages in wrong section:" && ls -ld $WRONGSECT
+fi
+
diff --git a/sbopkglint.d/35-desktop.t.sh b/sbopkglint.d/35-desktop.t.sh
new file mode 100644
index 0000000..9650ef4
--- /dev/null
+++ b/sbopkglint.d/35-desktop.t.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+#######################################################################
+# if the package contains any files in /usr/share/applications/, they
+# must be named *.desktop, must pass desktop-file-validate, and must
+# be mode 644, owner root:root.
+
+BADPERMS=""
+BADDESKTOP=""
+NONDESKTOP=""
+if [ -d usr/share/applications ]; then
+	# doinst.sh creates this, don't check here now that we have a doinst test.
+	#[ -e "usr/share/applications/mimeinfo.cache" ] || warn "doinst.sh is missing update-desktop-database"
+
+	for f in usr/share/applications/*; do
+		[ -e "$f" ] || continue
+
+		[ "$f" = "usr/share/applications/mimeinfo.cache" ] && continue
+
+		[ "$( stat -Lc '%a %U %G' "$f" )" = "644 root root" ] || BADPERMS+="$f "
+		case "$f" in
+			*.desktop) desktop-file-validate "$f" || BADDESKTOP+="$f " ;;
+			*) NONDESKTOP+="$f " ;;
+		esac
+	done
+
+	[ -n "$BADPERMS" ] && warn "bad permissions/owner on .desktop files (should be 0644 root:root):" && ls -ld $BADPERMS
+	[ -n "$BADDESKTOP" ] && warn ".desktop files fail to validate:" && ls -ld $BADDESKTOP
+	[ -n "$NONDESKTOP" ] && warn "unknown file (not .desktop) in desktop dir:" && ls -ld $NONDESKTOP
+fi
diff --git a/sbopkglint.d/40-newconfig.t.sh b/sbopkglint.d/40-newconfig.t.sh
new file mode 100644
index 0000000..ee0aec5
--- /dev/null
+++ b/sbopkglint.d/40-newconfig.t.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree.
+
+#######################################################################
+# check for .new config files. there shouldn't be any, because when
+# sbopkglint installed the package, it ran the doinst.sh, which
+# should have renamed them.
+
+NEWFILES=""
+for f in "$( find -type f -name \*.new )"; do
+	[ -z "$f" ] && continue
+	case "$f" in
+		./usr/doc/*) continue ;;
+	esac
+	NEWFILES+="$f "
+done
+
+[ -n "$NEWFILES" ] && warn "doinst.sh doesn't handle .new config files:" && ls -l $NEWFILES
diff --git a/sbopkglint.d/45-doinst.t.sh b/sbopkglint.d/45-doinst.t.sh
new file mode 100644
index 0000000..ae47c72
--- /dev/null
+++ b/sbopkglint.d/45-doinst.t.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# sbopkglint test, must be sourced by sbopkglint (not run standalone).
+
+# PKG, PRGNAM, VERSION, ARCH are set by sbopkglint. also the current
+# directory is the root of the installed package tree. This test
+# also uses the filename variable.
+
+#######################################################################
+# check the doinst.sh. its job is to generate various files by running
+# e.g. update-desktop-database, which creates a cache file. if the
+# cache file exists, and doinst.sh either doesn't exist, or doesn't
+# contain an update-desktop-database, that's very bad: it means
+# the cache file is actually included in the package. which means,
+# installing such a package would overwrite the user's local cache,
+# breaking his desktop, until he fixes it (either manually or giving
+# up and logging out or rebooting).
+
+doinst=var/lib/pkgtools/scripts/"$( echo $filename | sed 's,\.[^.]*$,,' )"
+
+have_doinst() {
+	[ -e "$doinst" ]
+	return $?
+}
+
+grep_doinst() {
+	have_doinst && grep -q "$@" $doinst
+	return $?
+}
+
+doinst_warn() {
+	local msg="doinst.sh is missing, package needs one, with"
+	have_doinst && msg="doinst.sh exists, but is missing"
+	warn "$msg $@"
+}
+
+doinst_chk_command() {
+	local cmd="$1"
+	grep_doinst "$cmd" || doinst_warn "$cmd"
+}
+
+[ "$( find -L usr/share/icons -type f 2>/dev/null )" != "" ] && \
+	doinst_chk_command "gtk-update-icon-cache"
+
+[ "$( find -L usr/share/applications -type f 2>/dev/null )" != "" ] && \
+	doinst_chk_command "update-desktop-database"
+
+[ "$( find -L usr/share/glib-2.0/schemas -type f 2>/dev/null )" != "" ] && \
+	doinst_chk_command "glib-compile-schemas"
+
+[ "$( find -L usr/share/fonts -type f 2>/dev/null )" != "" ] && \
+	doinst_chk_command "fc-cache"
+