Dne 19. 03. 21 v 19:07 Pavel Valena napsal(a):
----- Original Message -----
> From: "Jun Aruga" <jaruga(a)redhat.com>
> To: "Ruby SIG mailing list" <ruby-sig(a)lists.fedoraproject.org>
> Sent: Thursday, March 18, 2021 3:48:43 PM
> Subject: Ruby errors/warnings by rpmlint
>
> Hi,
> I checked the latest rawhide ruby ruby-3.0.0-146.fc35 by rpmlint, and
> I found some errors and warnings to fix.
>
> ## Summary
>
> I think the following 4 errors or warnings especially can be fixed.
>
> ```
> ruby.spec:20: E: use-of-RPM_SOURCE_DIR
> ruby-default-gems.noarch: W: summary-ended-with-dot C Default gems
> which are part of Ruby StdLib.
> ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot
> /usr/lib64/libruby.so.3.0.0
> ruby-libs.x86_64: W: dangling-symlink /usr/share/ruby/io
> /usr/share/gems/gems/io-console-0.5.6/lib/io
> ```
>
> There are also other ones too.
>
> ## Steps to check by rpmlint
>
> ```
> $ rpm -q rpmlint
> rpmlint-1.11-15.fc33.noarch
>
> $ rpmlint ruby.spec /path/to/result/*.rpm >& lint.log
> $ rpmlint -i ruby.spec /path/to/result/*.rpm >& lint_detail.log
> ```
>
> ## Result
>
> ### 1.
>
> ruby.spec:20: E: use-of-RPM_SOURCE_DIR
> You use $RPM_SOURCE_DIR or %{_sourcedir} in your spec file. If you have to
> use
> a directory for building, use $RPM_BUILD_ROOT instead.
>
> =>
> The `%{_sourcedir}/%{ruby_archive}.tar.xz` can be replaced to
> `%{SOURCE0}`? I am not sure.
Yes, I think so.
~~~
$ fedpkg srpm
stat: cannot statx
'/home/vondruch/fedora-scm/own/ruby/%{name}-3.0.0-684649ea05.tar.xz': No
such file or directory
warning: Macro expanded in comment on line 20: %(stat --printf='@%Y'
%{_sourcedir}/%{ruby_archive}.tar.xz | date -f - +"%Y%m%d")
stat: cannot statx '%{SOURCE0}': No such file or directory
stat: cannot statx
'/home/vondruch/fedora-scm/own/ruby/%{name}-3.0.0-684649ea05.tar.xz': No
such file or directory
warning: Macro expanded in comment on line 20: %(stat --printf='@%Y'
%{_sourcedir}/%{ruby_archive}.tar.xz | date -f - +"%Y%m%d")
stat: cannot statx '%{SOURCE0}': No such file or directory
setting SOURCE_DATE_EPOCH=1614643200
Wrote:
/home/vondruch/fedora-scm/own/ruby/ruby-3.0.0-0.146.git684649ea05.fc35.src.rpm
~~~
The order in .spec file could be possibly different, but there would be
probably different issues. But I am open to suggestions.
> ### 2.
>
> ruby-default-gems.noarch: W: summary-ended-with-dot C Default gems
> which are part of Ruby StdLib.
> Summary ends with a dot.
>
> =>
> The summary ending dot needs to be removed.
Yes.
Good catch:
https://src.fedoraproject.org/rpms/ruby/c/dae90ef93d0f3eb43b09780368a236c...
> ### 3.
>
> ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot
> /usr/lib64/libruby.so.3.0.0
> This executable appears to call chroot without using chdir to change the
> current directory. This is likely an error and permits an attacker to break
> out of the chroot by using fchdir. While that's not always a security issue,
> this has to be checked.
>
> =>
> Not sure when this error came.
This is probably inside some generic Ruby code. IMHO this is a false positive.
E.g.
https://www.rubydoc.info/stdlib/core/Dir.chroot
Very likely false positive. But feel free to investigate deeper.
> ### 5.
>
> ```
> ruby-default-gems.noarch: W: obsolete-not-provided rubygem-did_you_mean
> If a package is obsoleted by a compatible replacement, the obsoleted package
> should also be provided in order to not cause unnecessary dependency
> breakage.
> If the obsoleting package is not a compatible replacement for the old one,
> leave out the Provides.
>
> ruby-default-gems.noarch: W: obsolete-not-provided rubygem-openssl
> If a package is obsoleted by a compatible replacement, the obsoleted package
> should also be provided in order to not cause unnecessary dependency
> breakage.
> If the obsoleting package is not a compatible replacement for the old one,
> leave out the Provides.
>
> ruby-default-gems.noarch: W: obsolete-not-provided rubygem-racc
> If a package is obsoleted by a compatible replacement, the obsoleted package
> should also be provided in order to not cause unnecessary dependency
> breakage.
> If the obsoleting package is not a compatible replacement for the old one,
> leave out the Provides.
> ```
It think this should not be a warning, but a mere INFO. Note the 'IF'.
> =>
> The Provides line needs for the Obsolete line.
I don't think we want to create Provides for those, as those are "Default"
gems.
The Obsoletes/Provides are always tricky. I think these are fine as they
are.
>
> ### 6.
>
> ```
> rubygem-rbs.noarch: E: non-executable-script
> /usr/share/gems/gems/rbs-1.0.0/bin/annotate-with-rdoc 644 /usr/bin/env
> ruby
> This text file contains a shebang or is located in a path dedicated for
> executables, but lacks the executable bits and cannot thus be executed. If
> the file is meant to be an executable script, add the executable bits,
> otherwise remove the shebang or move the file elsewhere.
> ```
>
> This is the same for other files (total 8 files) under
> /usr/share/gems/gems/rbs-1.0.0/bin/.
This is low priority. I think it would be actually better, if upstream
have not shipped these files at all, because these are in fact
development dependencies. But feel free submit PR fixing these (by
adding the executable bits probably).
>
> ### 7.
>
> ```
> ruby-libs.x86_64: W: library-not-linked-against-libc
> /usr/lib64/ruby/continuation.so
> ruby-libs.x86_64: W: library-not-linked-against-libc
> /usr/lib64/ruby/enc/big5.so
> ...
> ```
>
> => I may remember this warning happened for 1 so file in Ruby 2.7 last
> year. Now I see it for the many so files.
Shouldn't be an issue, as it's linked against Ruby, right?
Likely false positive. There is a bit more detail here:
https://bugs.ruby-lang.org/issues/16558
> ### 8.
>
> non-executable-script errors.
>
> => Some parts are nice to fix.
>
>
> ## rpms/ruby CI to add rpmlint test.
>
> Can we check the rpmlint issues on an early timing: pull-request and push?
> I think adding the rpmlint check ro rpm/ruby CI is a possible way
> related to this ticket.
Yes, I agree we could add this for the CI (functional). I'm not sure some generic
checks aren't considered already for all PRs- I'll inquire abou it and follow up
with you on IRC.
>
https://src.fedoraproject.org/rpms/ruby/pull-request/67
> Shall we add it after the PR #67 will be merged?
The Zuul is running rpmlint on PR. You can check the PR you've
referenced above.
Vít