This repository has been archived by the owner on Feb 5, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathrpmlint-config
272 lines (210 loc) · 10.9 KB
/
rpmlint-config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
# -*- python -*-
# Example configuration file for rpmlint.
# This line is mandatory to access the configuration functions
from Config import *
# Additional paths to look for checks.
# ------------------------------------
#addCheckDir("~/mandrake/rpmlint")
# Configure the checks if you don't want the default ones.
# --------------------------------------------------------
#addCheck("FHSCheck")
#addCheck("BinariesCheck")
# Configuration options used by the checks shipped with rpmlint.
# The values in the commented out setOption() calls represent default
# or typical example values for the option.
# -------------------------------------------------------------------
# Type: integer, default: -1 (less than 0 means disabled)
#setOption("BadnessThreshold", -1)
# When checking that various files that should be compressed are
# indeed compressed, look for this filename extension (no dot here).
# Type: string, default: "bz2"
#setOption("CompressExtension", "bz2")
# Exception list for dangling symlink checks. The first in each pair
# is a regexp, and the second the package in which the target of the
# dangling symlink is shipped.
# Type: tuple of lists, default: (['consolehelper$', 'usermode-consoleonly'])
#setOption("DanglingSymlinkExceptions", ())
# Value for the Distribution tag.
# Type: string, default: "" (the empty string disables checking)
#setOption("Distribution", "Red Hat")
# Base directory where to extract uninstalled packages while checking.
# Type: string, default: tempfile.gettempdir()
#setOption("ExtractDir", "/tmp")
# Standard "needs" values for non-XDG legacy menu items.
# Type: tuple of strings, default: ('gnome', 'icewm', 'kde', 'wmaker')
#setOption("ExtraMenuNeeds", ('gnome', 'icewm', 'kde', 'wmaker'))
# Words that must not exist in various tag values.
# Type: regexp, default: '' ('' effectively disables this check)
#setOption("ForbiddenWords", '')
# Exceptions for hardcoded library paths.
# Type: regexp, default: see DEFAULT_HARDCODED_LIB_PATH_EXCEPTIONS in SpecCheck
#setOption("HardcodedLibPathExceptions", '/lib/modules/')
# Accepted non-XDG legacy icon filenames.
# Type: regexp, default: '.*\.png$'
#setOption("IconFilename", '.*\.png$')
# Paths in which non-XDG legacy icons should be installed. The first
# item in the tuples is a filesystem path, and the second the icon type.
# Type: tuple of string tuples, default: see DEFAULT_ICON_PATH in MenuCheck
#setOption("IconPath", ())
# Disallowed dependencies.
# Type: tuple of regexps, default: see DEFAULT_INVALID_REQUIRES in TagsCheck
#setOption("InvalidRequires", ())
# Strings to disallow in various URL tags.
# Type: regexp, default: '' ('' effectively disables this check)
#setOption("InvalidURL", '')
# Whether to allow packaging kernel modules in non-kernel packages.
# Type: boolean, default: True
#setOption("KernelModuleRPMsOK", True)
# Maximum line length for summaries and descriptions.
# Type: integer, default: 79
setOption("MaxLineLength", 79)
# Type: tuple of string,tuple lists, default: see DEFAULT_LAUNCHERS in MenuCheck
#setOption("MenuLaunchers", ())
# Names of packages to treat as "meta" ones.
# Type: regexp, default: '^(bundle|task)-'
#setOption("MetaPackageRegexp", '^(bundle|task)-')
# Whether to enable checks that require networking.
# Type: boolean, default: False
setOption("NetworkEnabled", True)
# Timeout for network operations in seconds.
# Type: integer, default: 10
#setOption("NetworkTimeout", 10)
# Value for the Packager tag.
# Type: regexp, default: '' ('' effectively disables this check)
#setOption("Packager", '')
# Type: boolean, default: True
#setOption("PerlVersionTrick", True)
# Assumed default version of Python if one cannot be determined from files.
# Type: string, default: None
#setOption("PythonDefaultVersion", None)
# Expected suffix in Release tags.
# Type: regexp, default: '' ('' effectively disables this check)
#setOption("ReleaseExtension", 'coreos')
# Group tag for games.
# Type: regexp, default: 'Games'
#setOption("RpmGamesGroup", 'Games')
# Doc files to which end of line and UTF-8 checks should not be applied.
# Type: regexp, default: \.(?:rtf|x?html?|svg|ml[ily]?)$'
#setOption("SkipDocsRegexp", '\.(?:rtf|x?html?|svg|ml[ily]?)$')
# Standard OS groups.
# Type: tuple of strings, default: see DEFAULT_STANDARD_GROUPS in FilesCheck
setOption("StandardGroups", ('root', 'rkt', 'rkt-admin'))
# Standard OS users.
# Type: tuple of strings, see DEFAULT_STANDARD_USERS in FilesCheck
setOption("StandardUsers", ('root', 'rkt'))
# List of directory prefixes that are not allowed in packages
# Type: tuple of strings, see DEFAULT_DISALLOWED_DIRS in FilesCheck
#setOption("DisallowedDirs", ('/home', '/mnt'))
# List of directories considered to be system default library search paths.
# Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
#setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
# Executables that must be compiled as position independent.
# Type: regex, default: None
#setOption("PieExecutables", '^/bin/(ping6?|su)$')
# Whether to want default start/stop runlevels specified in init scripts.
# Type: boolean, default: True
#setOption("UseDefaultRunlevels", True)
# Whether to use the Enchant spell checker (if available) for spell checking.
# Type: boolean, default: True
setOption("UseEnchant", True)
# Whether an explicit Epoch should always be specified.
# Type: boolean, default: False
#setOption("UseEpoch", False)
# Whether jars should be indexed.
# Type: boolean, default: True
#setOption("UseIndexedJars", True)
# Whether symlinks between directories should be relative.
# Type: boolean, default: True
#setOption("UseRelativeSymlinks", True)
# Whether the UTF-8 character encoding should be used where applicable.
# Type: boolean, default: autodetected from environment
#setOption("UseUTF8", True)
# Whether %changelog entries should contain a version.
# Type: boolean, default: True
setOption("UseVersionInChangelog", True)
# Whether init scripts must use /var/lock/subsys
# Type: boolean, default: True
#setOption("UseVarLockSubsys", True)
# Architecture dependent paths in which packages are allowed to install files
# even if they are all non-binary.
# Type: regexp, default: see BinariesCheck
#setOption("UsrLibBinaryException", '^/usr/lib(64)?/(perl|python|ruby)')
# Value for the BuildHost tag.
# Type: regexp, default '' ('' effectively disables this check)
setOption("ValidBuildHost", '(.*).coreos.systems')
# Interpreters whose scriptlets are allowed to be empty.
# Type: tuple of strings, default: ('/sbin/ldconfig',)
#setOption("ValidEmptyShells", ('/sbin/ldconfig',))
# Values for the Group tag.
# Type: list of strings, default: extracted from GROUPS file shipped with rpm
#setOption("ValidGroups", ['rkt'])
# Values for the License tag.
# Type: tuple of strings, default: see DEFAULT_VALID_LICENSES in TagsCheck
setOption("ValidLicenses", ('ASL 2.0'))
# Values for non-XDG legacy menu item sections.
# Type: tuple of strings, default: see DEFAULT_VALID_SECTIONS in MenuCheck
#setOption("ValidMenuSections", ())
# Package scriptlet interpreters.
# Type: tuple of strings, default: see DEFAULT_VALID_SHELLS in PostCheck
#setOption("ValidShells", ('/bin/sh', '/bin/bash'))
# Permissions for files in source packages.
# Type: tuple of modes, default: (0644, 0755)
#setOption("ValidSrcPerms", (0644, 0755, 2750, 2770))
# Value for the Vendor tag.
# Type: string, default: "" ("" effectively disables this check)
#setOption("Vendor", "CoreOS")
# Man page warning category, passed to groff -w while checking man pages.
# See the groff(1) or troff(1) man pages for available categories.
# Type: string, default: 'mac'
#SetOption("ManWarningCategory", 'mac')
# Command and arguments to validate appdata files.
# Type: tuple of strings, default: see DEFAULT_APPDATA_CHECKER in AppDataCheck
#setOption("AppDataChecker", ('appstream-util', 'validate-relax'))
# Check if application performs calls to blacklisted methods
# the 'f_name' is the regexp for the blacklisted method
# 'good_param' is the optional parameter that will waive the result if this
# regexp matches output of `strings` from the binary file
# 'description' is the explanation of why the call is blacklisted
#bad_crypto_warning = \
#'''This application package calls a function to explicitly set crypto ciphers
#for SSL/TLS. That may cause the application not to use the system-wide set
#cryptographic policy and should be modified in accordance to:
#https://fedoraproject.org/wiki/Packaging:CryptoPolicies'''
#
#call_blacklist = {'crypto-policy-non-compliance-openssl' :
# {'f_name' : 'SSL_CTX_set_cipher_list',
# 'good_param' : '^PROFILE=SYSTEM$',
# 'description' : bad_crypto_warning},
# 'crypto-policy-non-compliance-gnutls-1' :
# {'f_name' : 'gnutls_priority_set_direct',
# 'good_param' : '^@SYSTEM$',
# 'description' : bad_crypto_warning},
# 'crypto-policy-non-compliance-gnutls-2' :
# {'f_name' : 'gnutls_priority_init',
# 'description' : bad_crypto_warning}
# }
#setOption("WarnOnFunction", call_blacklist)
# Output filters.
# ---------------
addFilter("E: zero-length /var/lib/rkt/cas/db/.34a8b4c1ad933745146fdbfef3073706ee571625")
addFilter("E: zero-length /var/lib/rkt/cas/db/ql.db")
addFilter("E: non-readable /var/lib/rkt/cas/db(/.*)? 0?660L?")
addFilter("E: non-standard-dir-perm /etc/rkt(/.*)? 0?775L?")
addFilter("E: non-standard-dir-perm /var/lib/rkt(/.*)? 0?2750L?")
addFilter("E: non-standard-dir-perm /var/lib/rkt/cas(/.*)? 0?2770L?")
addFilter("E: non-standard-dir-perm /var/lib/rkt/cas/tree(storelocks)? 0?700L?")
addFilter("E: non-readable /etc/kubernetes/kube.version 0")
addFilter("E: non-readable /etc/kubernetes/kubeconfig 0")
addFilter("E: hardcoded-library-path in %{_prefix}/lib/")
addFilter("W: hidden-file-or-dir /var/lib/rkt/cas/db/.34a8b4c1ad933745146fdbfef3073706ee571625")
addFilter("W: conffile-without-noreplace-flag /etc/kubernetes/kube.version")
addFilter("W: conffile-without-noreplace-flag /etc/kubernetes/kubeconfig")
addFilter("W: conffile-without-noreplace-flag /etc/kubernetes/kubelet.env")
# The other /etc/*-release files do not use noreplace either.
addFilter("tectonic-release.noarch: W: conffile-without-noreplace-flag /etc/tectonic-release")
# There is no documentation in fedora-release.
addFilter("tectonic-release.noarch: W: no-documentation")
# The other RPM GPG keys are not marked as configuration files either.
addFilter("tectonic-release.noarch: W: non-conffile-in-etc /etc/pki/rpm-gpg/RPM-GPG-KEY-Tectonic")
# The Quay key is named after its fingerprint. It shouldn't be modified.
addFilter("tectonic-worker.noarch: W: conffile-without-noreplace-flag /etc/rkt/trustedkeys/prefix.d/quay.io/bff313cdaa560b16a8987b8f72abf5f6799d33bc")