Source file audit - 2013-11-17

"Germán A. Racca" german.racca at gmail.com
Wed Nov 20 08:58:39 UTC 2013


On 11/18/2013 01:54 PM, Kevin Fenzi wrote:
> Here's attached another run of my sources/patches url checker.
> Please fix any packages you are responsible for in rawhide, and other
> branches as other changes permit.
>
> - This run was done on a Fedora 20 instance, so hopefully many of the
>    false positives due to old tools from the last run are gone.
>
> - I didn't explicitly mention it last time, but you can find the output
>    of the script for your package at:
>
> http://www.scrye.com/~kevin/fedora/sourcecheck-20131117/$packagename-dl.txt
>
> This should help determine what the script saw that caused it to list
> your package.
>
> - The script simply has a checkout of your package and runs
>    'spectool -g packagename.spec' on it. Then it checks the md5sum of
>    anything in sources file against those downloaded sources.
>
> - There are 1870 lines in this run. Down from 3067 last run.
> (Likely due to reducing false positives due to old spectool)
>
>     700 sourcecheck-20070826.txt
>     620 sourcecheck-20070917.txt
>     561 sourcecheck-20071017.txt
>     775 sourcecheck-20080206.txt
>     685 sourcecheck-20080214.txt
>     674 sourcecheck-20080301.txt
>     666 sourcecheck-20080401.txt
>     660 sourcecheck-20080501.txt
>     642 sourcecheck-20080603.txt
>     649 sourcecheck-20080705.txt
>     662 sourcecheck-20080801.txt
>     912 sourcecheck-20081114.txt
>     884 sourcecheck-20090215.txt
>    1060 sourcecheck-20090810.txt
>     932 sourcecheck-20091101.txt
>     932 sourcecheck-20091104.txt
>    1612 sourcecheck-20100105.txt
>    1391 sourcecheck-20100106.txt
>    1007 sourcecheck-20100531.txt
>    3067 sourcecheck-20130930.txt
>    1870 sourcecheck-20131117.txt
>
> You can find the results file at:
>
> http://www.scrye.com/~kevin/fedora/sourcecheck/sourcecheck-20131117.txt
>
> And also attached to this mail.
>
> Lines in the output are of three forms:
>
> - BADURL:base-file-name:$PACKAGENAME
>
> This means that the URI provided in the Source(s) line didn't result in
> a download of the source. This could be any of: URL changed, version
> changed and URL wasn't updated, Site is down, Site is gone, etc.
> Also there are a number of packages with incorrect sourceforge links.
> (BTW, there are still some packages with ftp://people.redhat.com/
> URLs).
>
> - BADSOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the source was downloaded ok from the upstream site,
> but doesn't match the md5sum given in the sources file.
> This could be due to needing to strip out content that Fedora cannot
> ship (but in that case you shouldn't have the full URI in the Source
> line). Or upstream following poor release practices and updating
> without changing their release.
>
> - BAD_CVS_SOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the file was downloaded from the URI given, and the
> md5sum did not match the file that's present in git (not the lookaside).
> This might be due to timestamps, or any of the above reasons.
>
> kevin
> --

Hi Kevin,

What should I do with this [*]? Report upstream?
I can successfully download the tarball from Firefox, but using spectool 
gives that error.

Thanks,
Germán.

[*]
Getting http://www.pekwm.org/projects/pekwm/files/pekwm-0.1.17.tar.bz2 to ./pekwm-0.1.17.tar.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   160  100   160    0     0    196      0 --:--:-- --:--:-- --:--:--   196
100   160  100   160    0     0    196      0 --:--:-- --:--:-- --:--:--   196
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). If the default
  bundle file isn't adequate, you can specify an alternate file
  using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.

-- 
Germán A. Racca
Fedora Package Maintainer
https://fedoraproject.org/wiki/User:Skytux
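
The check described in the quoted announcement (compare each entry of the sources file against what was downloaded, then report BADURL or BADSOURCE) can be sketched as follows. This is an added example, not Kevin's script: the "md5 filename" layout of the sources file, the package name "foo" and all file names and contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_sources(text):
    """Parse 'md5hex  filename' lines (assumed layout of the sources file)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            # Keep only the base name so an entry cannot point outside the
            # download directory (e.g. '../../etc/passwd').
            entries.append((parts[0].lower(), Path(parts[1]).name))
    return entries

def md5_of(path, chunk=1 << 16):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_package(package, sources_text, download_dir):
    """Return report lines in the BADURL / BADSOURCE forms from the mail."""
    report = []
    for expected, name in parse_sources(sources_text):
        path = Path(download_dir) / name
        if not path.is_file():
            # The download step left no file behind.
            report.append(f"BADURL:{name}:{package}")
        elif md5_of(path) != expected:
            # Downloaded fine, but it is not the file that was recorded.
            report.append(f"BADSOURCE:{name}:{package}")
    return report

def demo():
    """Constructed sample: one good file, one changed upstream, one missing."""
    good = b"constructed tarball contents\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "foo-1.0.tar.gz").write_bytes(good)
        (Path(d) / "foo-data-1.0.tar.gz").write_bytes(b"re-rolled by upstream\n")
        sources = "\n".join([
            f"{hashlib.md5(good).hexdigest()}  foo-1.0.tar.gz",
            f"{hashlib.md5(b'original release').hexdigest()}  foo-data-1.0.tar.gz",
            f"{hashlib.md5(b'never fetched').hexdigest()}  foo-docs-1.0.tar.bz2",
        ])
        return check_package("foo", sources, d)

if __name__ == "__main__":
    print("\n".join(demo()))
```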

