source audit

Kevin Fenzi kevin at scrye.com
Wed Aug 22 04:30:57 UTC 2007


Since folks are checking over their packages for the correct license
tags and rebuilding for various other reasons, I thought I would add
another one to the mix. ;) 

I wrote up a quick and dirty script to check the sources that are in
the CVS lookaside cache against the upstream source of the package as
pulled from the URI(s) in the Sources line(s). 

Of course this has a number of limitations: 

- Only Sources lines with full URIs can be checked. 
- I'm not currently checking Patches with full URIs, but I can add
that if there is interest. 

You can find the results file at: 

http://www.scrye.com/~kevin/fedora/sourcecheck/sourcecheck.out

And also attached to this mail. 

Lines in the output are of three forms: 

- BADURL:base-file-name:$PACKAGENAME

This means that the URI provided in the Source(s) line didn't result in
a download of the source. This could be any of: URL changed, version
changed and URL wasn't updated, Site is down, Site is gone, etc. 
Also there are a number of packages with incorrect sourceforge links. 
(BTW, there are still some packages with ftp://people.redhat.com/
URLs). 

- BADSOURCE:$SOURCENAME:$PACKAGENAME

This means that the source was downloaded ok from the upstream site,
but doesn't match the md5sum given in the sources file. 
This could be due to needing to strip out content that Fedora cannot
ship (but in that case you shouldn't have the full URI in the Source
line). Or upstream following poor release practices and updating
without changing their release.

- BAD_CVS_SOURCE:$SOURCENAME:$PACKAGENAME

This means that the file was downloaded from the URI given, and the
md5sum did not match the file that's present in CVS (not the lookaside).
This might be due to timestamps, or any of the above reasons. 

Needless to say, I think all of these cases should be fixed. 

Does anyone find this useful? Should I run it on a periodic basis? 
Shall I file bugs or spam owners after some period of time?

Comments, bugs, suggestions? 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sourcecheck.out
Type: application/octet-stream
Size: 26349 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20070821/8f8ed365/attachment-0002.obj 
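
The three result types described in the mail above can be reproduced with a short checker. This is an added example, not Kevin's script and not part of the original mail. It assumes the spec text has its macros already expanded, that the `sources` file holds `md5sum  filename` lines, and that `fetch` is a caller-supplied download function; all names and sample data are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Source:, Source0:, ... tags. Assumption: %{name}/%{version} macros are already expanded.
SOURCE_TAG = re.compile(r"^Source\d*:[ \t]*(\S+)", re.I | re.M)

def checkable_sources(spec_text):
    """Return {basename: uri} for Source lines that carry a full URI."""
    out = {}
    for value in SOURCE_TAG.findall(spec_text):
        parts = urlparse(value)
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            out[parts.path.rsplit("/", 1)[-1]] = value
    return out

def parse_sources_file(text):
    """Parse 'md5sum  filename' lines (assumed format) into {filename: md5hex}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            table[fields[1]] = fields[0].lower()
    return table

def audit(package, spec_text, sources_text, fetch, cvs_files=None):
    """fetch(uri) returns the downloaded bytes, or None when the download fails."""
    recorded = parse_sources_file(sources_text)
    cvs_files = cvs_files or {}  # optional {filename: bytes} checked into CVS itself
    findings = []
    for name, uri in sorted(checkable_sources(spec_text).items()):
        data = fetch(uri)
        if data is None:  # URL changed, site down, version bumped without URL update
            findings.append(f"BADURL:{name}:{package}")
            continue
        digest = hashlib.md5(data).hexdigest()  # md5 because the sources file records md5sums
        if name in recorded and digest != recorded[name]:
            findings.append(f"BADSOURCE:{name}:{package}")
        if name in cvs_files and digest != hashlib.md5(cvs_files[name]).hexdigest():
            findings.append(f"BAD_CVS_SOURCE:{name}:{package}")
    return findings

# Constructed sample data (not taken from sourcecheck.out).
SPEC = """Name: demo
Source0: http://example.org/dist/demo-1.0.tar.gz
Source1: demo.init
Source2: http://example.org/dist/gone-1.0.tar.gz
"""
UPSTREAM = {"http://example.org/dist/demo-1.0.tar.gz": b"re-rolled tarball"}
SOURCES = hashlib.md5(b"original tarball").hexdigest() + "  demo-1.0.tar.gz\n"
```

Calling `audit("demo", SPEC, SOURCES, UPSTREAM.get)` reports the re-rolled tarball as BADSOURCE and the unreachable one as BADURL, while `Source1` is skipped because it has no full URI.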