Source file audit - 2013-11-17
"Germán A. Racca"
german.racca at gmail.com
Wed Nov 20 08:58:39 UTC 2013
On 11/18/2013 01:54 PM, Kevin Fenzi wrote:
> Here's attached another run of my sources/patches url checker.
> Please fix any packages you are responsible for in rawhide, and other
> branches as other changes permit.
>
> - This run was done on a Fedora 20 instance, so hopefully many of the
> false positives due to old tools from the last run are gone.
>
> - I didn't explicitly mention it last time, but you can find the output
> of the script for your package at:
>
> http://www.scrye.com/~kevin/fedora/sourcecheck-20131117/$packagename-dl.txt
>
> This should help determine what the script saw that caused it to list
> your package.
>
> - The script simply checks has a checkout of your package and runs
> 'spectool -g packagename.spec' on it. Then it checks the md5sum of
> anything in sources file against those downloaded sources.
>
> - There are 1870 lines in this run. Down from 3067 last run.
> (Likely due to reducing false positives due to old spectool)
>
> 700 sourcecheck-20070826.txt
> 620 sourcecheck-20070917.txt
> 561 sourcecheck-20071017.txt
> 775 sourcecheck-20080206.txt
> 685 sourcecheck-20080214.txt
> 674 sourcecheck-20080301.txt
> 666 sourcecheck-20080401.txt
> 660 sourcecheck-20080501.txt
> 642 sourcecheck-20080603.txt
> 649 sourcecheck-20080705.txt
> 662 sourcecheck-20080801.txt
> 912 sourcecheck-20081114.txt
> 884 sourcecheck-20090215.txt
> 1060 sourcecheck-20090810.txt
> 932 sourcecheck-20091101.txt
> 932 sourcecheck-20091104.txt
> 1612 sourcecheck-20100105.txt
> 1391 sourcecheck-20100106.txt
> 1007 sourcecheck-20100531.txt
> 3067 sourcecheck-20130930.txt
> 1870 sourcecheck-20131117.txt
>
> You can find the results file at:
>
> http://www.scrye.com/~kevin/fedora/sourcecheck/sourcecheck-20131117.txt
>
> And also attached to this mail.
>
> Lines in the output are of three forms:
>
> - BADURL:base-file-name:$PACKAGENAME
>
> This means that the URI provided in the Source(s) line didn't result in
> a download of the source. This could be any of: URL changed, version
> changed and URL wasn't updated, Site is down, Site is gone, etc.
> Also there are a number of packages with incorrect sourceforge links.
> (BTW, there are still some packages with ftp://people.redhat.com/
> URLs).
>
> - BADSOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the source was downloaded ok from the upstream site,
> but doesn't match the md5sum given in the sources file.
> This could be due to needing to strip out content that fedora cannot
> ship (but in that case you shouldn't have the full URI in the Source
> line). Or upstream following poor release practices and updating
> without changing their release.
>
> - BAD_CVS_SOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the file was downloaded from the URI given, and the
> md5sum did not match the file thats present in git (not the lookaside).
> This might be due to timestamps, or any of the above reasons.
>
> kevin
> --
Hi Kevin,
What should I do with this [*]? Report upstream?
I can successfully download the tarball from Firefox, but using spectool
gives that error.
Thanks,
Germán.
[*]
Getting http://www.pekwm.org/projects/pekwm/files/pekwm-0.1.17.tar.bz2
to ./pekwm-0.1.17.tar.bz2
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left
Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:--
--:--:-- 0
100 160 100 160 0 0 196 0 --:--:-- --:--:-- --:--:--
196
100 160 100 160 0 0 196 0 --:--:-- --:--:-- --:--:--
196
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
--
Germán A. Racca
Fedora Package Maintainer
https://fedoraproject.org/wiki/User:Skytux
More information about the devel
mailing list