Last week, Adrian announced that the openSUSE Build Service uses the same build checks that the internal autobuild uses and that these have been enabled for builds of factory and for builds of packages against factory. This is an important step for building packages with the OBS, since it means that a package that builds in the OBS will no longer fail once it has been submitted to build for factory.
We have now put all checks into packages so that they can be easily enhanced: brp-check-suse, rpmlint (the policies are in the rpmlint-Factory package) and post-build-checks. The rpmlint checks are run after the package has been built, the brp-check-suse scripts might be run during the build since they contain specific rpm macros, and finally post-build-checks is executed at the end. The goal is to move everything to rpmlint checks.
These packages are a kind of automated QA: they check that the package follows the conventions that are used for openSUSE packages. So a good practice is that whoever changes a packaging policy also creates some checks that enforce the new policy. These checks might initially be warnings to make the transition easier and to see how many packages are affected – and will later be turned into errors. With the policies in rpmlint-Factory it’s easily possible to change the result of a check from warning to error – or to ignore it completely.
Here’s a list of some of the checks that are used and the reasoning behind them:
- brp-boot-scripts: Simply check the init and boot scripts for LSB compliance
- brp-check-bytecode-version: Check that all Java files are compiled with Java 1.5 bytecode (or older)
- brp-check-pie: Check that certain binaries are compiled with -fpie to have position-independent code; this increases security for these programs.
- brp-rootfs: Check that binaries on the defined root filesystem (/bin and /sbin) are only linked against libraries that are also on the root filesystem (/lib and /lib64) but not on filesystems that can be remote (like /usr or /opt).
- check-file-list: Check that no invalid directories are used, e.g. /usr/X11R6
- check-gcc-output: Check for warnings by gcc that indicate errors, e.g. stack overflow, uninitialized variables, undefined behaviour.
- check-suid: Check that /etc/permissions is used and no package comes with any new suid binaries
- check-packaged-twice: Check that no file is in more than one (sub-)package of the just-built rpm.
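To make the brp-check-pie idea and the warning-to-error switch concrete, here is an added sketch (not the code of brp-check-suse or rpmlint-Factory) that reads the ELF header type of policy-listed binaries. The paths, the policy set and the `severity` parameter are assumptions for illustration, and the headers are constructed sample data.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification

def elf_type(data):
    """Return e_type of an ELF image, or None if data is not ELF."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    endian = {1: "<", 2: ">"}.get(data[5])  # EI_DATA: 1 = LSB, 2 = MSB
    if endian is None:
        return None
    return struct.unpack_from(endian + "H", data, 16)[0]

def check_pie(files, must_be_pie, severity="warning"):
    """Report policy-listed binaries that are not built as PIE.

    files: path -> leading bytes of the packaged file
    must_be_pie: paths the (hypothetical) policy requires to be PIE
    severity: "warning" during a transition, "error" once enforced
    """
    findings = []
    for path in sorted(must_be_pie):
        data = files.get(path)
        if data is None:
            continue  # file is not part of this package
        kind = elf_type(data)
        if kind == ET_DYN:
            continue  # PIE executables are ET_DYN, like shared objects
        reason = "not an ELF file" if kind is None else "not PIE (e_type=%d)" % kind
        findings.append((severity, path, reason))
    return findings

def build_fails(findings):
    """Only findings with severity "error" break the build."""
    return any(sev == "error" for sev, _, _ in findings)

def fake_elf(e_type, big_endian=False):
    """Constructed 18-byte ELF header prefix for the demo."""
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1, 0]) + bytes(8)
    return ident + struct.pack((">" if big_endian else "<") + "H", e_type)

SAMPLE = {  # constructed package contents
    "/usr/sbin/exampled": fake_elf(ET_EXEC),
    "/usr/bin/example-helper": fake_elf(ET_DYN, big_endian=True),
}
POLICY = {"/usr/sbin/exampled", "/usr/bin/example-helper", "/usr/bin/absent"}

if __name__ == "__main__":
    for finding in check_pie(SAMPLE, POLICY, severity="error"):
        print(*finding)
```

The e_type test is a first-pass heuristic: shared libraries are ET_DYN too, so a stricter check would also inspect the dynamic section.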
If you notice any problems with these checks, you can just fix them yourself since they are in these packages – or file a bug in bugzilla against the base system.
Note that I was not involved in the implementation of these and therefore can only give a quick overview; thanks for the implementation and for driving this go especially to Dirk Müller, Rüdiger Oertel, JP Rosevear, and Adrian Schröter.