Ruby errors/warnings by rpmlint

Discussion:

Pavel Valena

4 years ago

----- Original Message -----

Sent: Thursday, March 18, 2021 3:48:43 PM
Subject: Ruby errors/warnings by rpmlint
Hi,
I checked the latest rawhide ruby ruby-3.0.0-146.fc35 by rpmlint, and
I found some errors and warnings to fix.
## Summary
I think the following 4 errors or warnings especially can be fixed.
```
ruby.spec:20: E: use-of-RPM_SOURCE_DIR
ruby-default-gems.noarch: W: summary-ended-with-dot C Default gems
which are part of Ruby StdLib.
ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot
/usr/lib64/libruby.so.3.0.0
ruby-libs.x86_64: W: dangling-symlink /usr/share/ruby/io
/usr/share/gems/gems/io-console-0.5.6/lib/io
```
There are also other ones too.
## Steps to check by rpmlint
```
$ rpm -q rpmlint
rpmlint-1.11-15.fc33.noarch
$ rpmlint ruby.spec /path/to/result/*.rpm >& lint.log
$ rpmlint -i ruby.spec /path/to/result/*.rpm >& lint_detail.log
```
## Result
### 1.
ruby.spec:20: E: use-of-RPM_SOURCE_DIR
You use $RPM_SOURCE_DIR or %{_sourcedir} in your spec file. If you have to
use
a directory for building, use $RPM_BUILD_ROOT instead.
=>
The `%{_sourcedir}/%{ruby_archive}.tar.xz` can be replaced to
`%{SOURCE0}`? I am not sure.

...

Yes, I think so.

### 2.
ruby-default-gems.noarch: W: summary-ended-with-dot C Default gems
which are part of Ruby StdLib.
Summary ends with a dot.
=>
The summary ending dot needs to be removed.

Yes.

### 3.
ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot
/usr/lib64/libruby.so.3.0.0
This executable appears to call chroot without using chdir to change the
current directory. This is likely an error and permits an attacker to break
out of the chroot by using fchdir. While that's not always a security issue,
this has to be checked.
=>
Not sure when this error came.

This is probably inside some generic Ruby code. IMHO this is a false positive.

E.g. https://www.rubydoc.info/stdlib/core/Dir.chroot

### 4.
ruby-libs.x86_64: W: dangling-symlink /usr/share/ruby/io
/usr/share/gems/gems/io-console-0.5.6/lib/io
The target of the symbolic link does not exist within this package or its
file
based dependencies. Verify spelling of the link target and that the target
is
included in a package in this package's dependency chain.
=>
This warning was a hint to find "another issue" to fix.
The issue is the directory entry `%{ruby_libdir}/io` is duplicated
between ruby-libs and rubygem-io-console RPM in ruby.spec.
Maybe the directory entry in ruby-libs should be removed like this.
```
@@ -942,6 +942,7 @@ MSPECOPTS=""
# Platform independent libraries.
%dir %{ruby_libdir}
%exclude %{ruby_libdir}/bigdecimal*
+%exclude %{ruby_libdir}/io
%exclude %{ruby_libdir}/irb*
%exclude %{ruby_libdir}/json*
%exclude %{ruby_libdir}/psych*
@@ -964,7 +965,6 @@ MSPECOPTS=""
%{ruby_libdir}/find.rb
%{ruby_libdir}/forwardable*
%{ruby_libdir}/getoptlong*
-%{ruby_libdir}/io
%{ruby_libdir}/ipaddr.rb
%{ruby_libdir}/kconv.rb
%{ruby_libdir}/logger*
```

...

Well, maybe. Vit has probably more insight.

### 5.
```
ruby-default-gems.noarch: W: obsolete-not-provided rubygem-did_you_mean
If a package is obsoleted by a compatible replacement, the obsoleted package
should also be provided in order to not cause unnecessary dependency
breakage.
If the obsoleting package is not a compatible replacement for the old one,
leave out the Provides.
ruby-default-gems.noarch: W: obsolete-not-provided rubygem-openssl
If a package is obsoleted by a compatible replacement, the obsoleted package
should also be provided in order to not cause unnecessary dependency
breakage.
If the obsoleting package is not a compatible replacement for the old one,
leave out the Provides.
ruby-default-gems.noarch: W: obsolete-not-provided rubygem-racc
If a package is obsoleted by a compatible replacement, the obsoleted package
should also be provided in order to not cause unnecessary dependency
breakage.
If the obsoleting package is not a compatible replacement for the old one,
leave out the Provides.
```

...

It think this should not be a warning, but a mere INFO. Note the 'IF'.

=>
The Provides line needs for the Obsolete line.

I don't think we want to create Provides for those, as those are "Default" gems.

### 6.
```
rubygem-rbs.noarch: E: non-executable-script
/usr/share/gems/gems/rbs-1.0.0/bin/annotate-with-rdoc 644 /usr/bin/env
ruby
This text file contains a shebang or is located in a path dedicated for
executables, but lacks the executable bits and cannot thus be executed. If
the file is meant to be an executable script, add the executable bits,
otherwise remove the shebang or move the file elsewhere.
```
This is the same for other files (total 8 files) under
/usr/share/gems/gems/rbs-1.0.0/bin/.
### 7.
```
ruby-libs.x86_64: W: library-not-linked-against-libc
/usr/lib64/ruby/continuation.so
ruby-libs.x86_64: W: library-not-linked-against-libc
/usr/lib64/ruby/enc/big5.so
...
```
=> I may remember this warning happened for 1 so file in Ruby 2.7 last
year. Now I see it for the many so files.

...

Shouldn't be an issue, as it's linked against Ruby, right?

### 8.
non-executable-script errors.
=> Some parts are nice to fix.
## rpms/ruby CI to add rpmlint test.
Can we check the rpmlint issues on an early timing: pull-request and push?
I think adding the rpmlint check ro rpm/ruby CI is a possible way
related to this ticket.

Yes, I agree we could add this for the CI (functional). I'm not sure some generic checks aren't considered already for all PRs- I'll inquire abou it and follow up with you on IRC.

https://src.fedoraproject.org/rpms/ruby/pull-request/67
Shall we add it after the PR #67 will be merged?
--
Jun | He - His - Him

Regards,
--
Pavel Valena
Software Engineer, Red Hat
Brno, Czech Republic
_______________________________________________
ruby-sig mailing list -- ruby-***@lists.fedoraproject.org
To unsubscribe send an email to ruby-sig-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/ruby-***@lists.fedoraproject.org
Do not reply to spam on the list, report

Jun Aruga

4 years ago

Permalink

...

For this issue, I actually found it by the following way.

```
$ rpm2cpio ruby-libs-3.0.0-146.fc35.x86_64.rpm | cpio -idmv

$ rpm2cpio rubygem-io-console-0.5.6-146.fc35.x86_64.rpm | cpio -idmv
...
cpio: ./usr/share/ruby/io not created: newer or same age version exists
...
```

The duplicated entry is only this entry. I checked it by the following script.

```
$ cat unpack.sh
#!/bin/bash

set -ex

for RPM_FILE in *.rpm; do
rpm2cpio "${RPM_FILE}" | cpio -idmv
done
```

I opened the ticket for rpmlint to ask them to implement to detect the
duplicated entries here.
https://github.com/rpm-software-management/rpmlint/issues/613

What do you think about these errors/warnings I reported on the email?
I am happy to send PR to fix it.

--
Jun | He - His - Him
_______________________________________________
ruby-sig mailing list -- ruby-***@lists.fedoraproject.org
To unsubscribe send an email to ruby-sig-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/ruby-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructu

Jun Aruga

4 years ago

Permalink

Pavel, thanks for your comment.
I will comment later.

Now I just inform you that I sent PR related to the 2 warnings in the
errors/warnings I mentioned.
https://src.fedoraproject.org/rpms/ruby/pull-request/78

--
Jun | He - His - Him
_______________________________________________
ruby-sig mailing list -- ruby-***@lists.fedoraproject.org
To unsubscribe send an email to ruby-sig-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/ruby-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedo