plank lintian issues

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Jun 10 20:14:57 UTC 2016


Hi Rico,

W: plank source: out-of-date-standards-version 3.9.7 (current is 3.9.8)
N:
N:    The source package refers to a Standards-Version older than the one that
N:    was current at the time the package was created (according to the
N:    timestamp of the latest debian/changelog entry). Please consider
N:    updating the package to current Policy and setting this control field
N:    appropriately.
N:
N:    If the package is already compliant with the current standards, you
N:    don't have to re-upload the package just to adjust the Standards-Version
N:    control field. However, please remember to update this field next time
N:    you upload the package.
N:
N:    See /usr/share/doc/debian-policy/upgrading-checklist.txt.gz in the
N:    debian-policy package for a summary of changes in newer versions of
N:    Policy.
N:
N:    Refer to https://www.debian.org/doc/debian-policy/upgrading-checklist
N:    for details.
N:
N:    Severity: normal, Certainty: certain
N:
N:    Check: standards-version, Type: source

-> fixed & pushed.

X: plank source: maybe-not-arch-all-binnmuable libplank1 -> libplank-common
N:
N:    Tag to attempt to measure the number of packages that might have an
N:    issue with arch:all binNMUs.
N:
N:    At this time, please do <not> attempt to "fix" the problem. It is not
N:    clear what the solution is (if any at all). Nor is it clear that this is
N:    something that will be supported.
N:
N:    Severity: wishlist, Certainty: possible
N:
N:    Check: version-substvars, Type: source
N:
N:    This tag is marked experimental, which means that the code that
N:    generates it is not as well-tested as the rest of Lintian and might
N:    still give surprising results. Feel free to ignore experimental tags
N:    that do not seem to make sense, though of course bug reports are always
N:    welcome.

nothing to do...

P: plank source: debian-watch-may-check-gpg-signature
N:
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream/signing-key.asc.
N:
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:
N:    Refer to the uscan(1) manual page for details.
N:
N:    Severity: pedantic, Certainty: certain
N:
N:    Check: watch-file, Type: source

nothing to do...

I: libplank1: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libplank.so.1.0.0 Initalizing Initializing
N:
N:    Lintian found a spelling error in the given binary. Lintian has a list
N:    of common misspellings that it looks for. It does not have a dictionary
N:    like a spelling checker does.
N:
N:    If the string containing the spelling error is translated with the help
N:    of gettext or a similar tool, please fix the error in the translations
N:    as well as the English text to avoid making the translations fuzzy. With
N:    gettext, for example, this means you should also fix the spelling
N:    mistake in the corresponding msgids in the *.po files.
N:
N:    You can often find the word in the source code by running:
N:
N:     grep -rw <word> <source-tree>
N:
N:    This tag may produce false positives for words that contain non-ASCII
N:    characters due to limitations in strings.
N:
N:    Severity: minor, Certainty: wild-guess
N:
N:    Check: binaries, Type: binary, udeb

please fix upstream!

I: libplank1: hardening-no-bindnow usr/lib/x86_64-linux-gnu/libplank.so.1.0.0
N:
N:    This package provides an ELF binary that lacks the "bindnow" linker
N:    flag.
N:
N:    If the ELF binary does not rely on late binding of symbols (e.g. weak
N:    symbols), then please consider enabling this feature. Otherwise, please
N:    consider overriding the tag (possibly with a comment about why).
N:
N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:
N:    The relevant compiler flags are set in LDFLAGS.
N:
N:    Refer to https://wiki.debian.org/Hardening for details.
N:
N:    Severity: wishlist, Certainty: certain
N:
N:    Check: binaries, Type: binary, udeb

please fix in Git on Alioth (see [1] for how to do it).

I: libplank1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libplank.so.1.0.0
N:
N:    Although the package includes a shared library, the package does not
N:    have a symbols control file.
N:
N:    dpkg can use symbols files in order to generate more accurate library
N:    dependencies for applications, based on the symbols from the library
N:    that are actually used by the application.
N:
N:    Refer to the dpkg-gensymbols(1) manual page and
N:    https://wiki.debian.org/UsingSymbolsFiles for details.
N:
N:    Severity: wishlist, Certainty: certain
N:
N:    Check: shared-libs, Type: binary, udeb
N:

How feasible is it to provide symbol files for Vala generated C code?

I: plank: hardening-no-pie usr/bin/plank
N:
N:    This package provides an ELF executable that was not compiled as a
N:    position independent executable (PIE).
N:
N:    PIE is required for fully enabling Address Space Layout Randomization
N:    (ASLR), which makes "Return-oriented" attacks more difficult.
N:
N:    Historically, PIE has been associated with noticeable performance
N:    overhead on i386. However, GCC-5 has implemented an optimization that
N:    can reduce the overhead significantly.
N:
N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:
N:    The relevant compiler flags must be passed both to the compiler and the
N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
N:
N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
N:    for all cases:
N:
N:     * It is <not> compatible with -fPIC which required for
N:       compiling shared libraries.
N:     * It is unlikely to work when compiling static libraries or
N:       executables (gcc -static).
N:
N:    If your upstream build compiles either of the above, you may have to
N:    patch the build to ensure that only ELF executables are compiled with
N:    PIE.
N:
N:    Refer to https://wiki.debian.org/Hardening,
N:    https://gcc.gnu.org/gcc-5/changes.html, and
N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N:    for details.
N:
N:    Severity: wishlist, Certainty: certain
N:
N:    Check: binaries, Type: binary, udeb
N:
I: plank: hardening-no-bindnow usr/bin/plank
I: plank: hardening-no-bindnow usr/lib/x86_64-linux-gnu/plank/docklets/libdocklet-clippy.so
I: plank: hardening-no-bindnow usr/lib/x86_64-linux-gnu/plank/docklets/libdocklet-clock.so
I: plank: hardening-no-bindnow ... use --no-tag-display-limit to see all (or pipe to a file/program)

Also see [1] for hardening howto.

Thanks,
Mike

[1] http://anonscm.debian.org/cgit/pkg-mate/caja.git/commit/?id=49547d7d17c056a478929d589942ee4253bb7e45
    http://anonscm.debian.org/cgit/pkg-mate/caja.git/commit/?id=92720736bb020d9aaf9c7aecef9520ca2d3d401f
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
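Added example, not from the mail above or the plank packaging: a POSIX shell check, using readelf from binutils, that reports the two properties lintian flags in this thread (bindnow and PIE) for each ELF file given, so the effect of exporting hardening=+all in DEB_BUILD_MAINT_OPTIONS can be confirmed on the built objects before an upload. The function names elf_type, has_bindnow, is_pie and report are my own.

```shell
#!/bin/sh
# Added example: verify the hardening properties lintian reports as
# hardening-no-bindnow / hardening-no-pie. Needs readelf (binutils).

# ELF type from the header: EXEC, DYN, REL, ...
elf_type() {
    readelf -h "$1" 2>/dev/null | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p'
}

# "yes" if the dynamic section asks for immediate symbol binding: an old-style
# DT_BIND_NOW entry, DT_FLAGS with BIND_NOW, or DT_FLAGS_1 with NOW
# (what -Wl,-z,now produces; lintian's "bindnow").
has_bindnow() {
    if readelf -d "$1" 2>/dev/null \
        | grep -E '\((BIND_NOW|FLAGS|FLAGS_1)\)' \
        | grep -Eqw 'BIND_NOW|NOW'; then
        echo yes
    else
        echo no
    fi
}

# "yes" for a position-independent executable: type DYN plus either a PT_INTERP
# program header or the DT_FLAGS_1 PIE bit. A plain shared library is DYN too
# but has neither, so it reports "no" (and is not an executable anyway).
is_pie() {
    [ "$(elf_type "$1")" = DYN ] || { echo no; return 0; }
    if readelf -l "$1" 2>/dev/null | grep -q 'INTERP' \
       || readelf -d "$1" 2>/dev/null | grep -E '\(FLAGS_1\)' | grep -qw PIE; then
        echo yes
    else
        echo no
    fi
}

# One line per finding, in lintian's own tag vocabulary. PIE is only expected
# of executables, so a non-PIE executable shows up as type EXEC.
report() {
    for f in "$@"; do
        [ "$(has_bindnow "$f")" = yes ] || echo "hardening-no-bindnow $f"
        [ "$(elf_type "$f")" != EXEC ] || echo "hardening-no-pie $f"
    done
}

if [ $# -gt 0 ]; then
    report "$@"
fi
```

Run it as `sh check-hardening.sh debian/plank/usr/bin/plank debian/libplank1/usr/lib/*/libplank.so.*` after a build; no output means both properties are present.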