Check-Script: scripts Author: Richard Braakman Abbrev: scr Type: binary Info: This script checks the #! lines of scripts in a package. Needs-Info: unpacked, file-info, scripts, bin-pkg-control, index Tag: script-without-interpreter Severity: important Certainty: certain Info: This file starts with the #! sequence that identifies scripts, but it does not name an interpreter. Tag: example-script-without-interpreter Severity: wishlist Certainty: certain Info: This example file starts with the #! sequence that identifies scripts, but it does not name an interpreter. Tag: executable-not-elf-or-script Severity: normal Certainty: certain Info: This executable file is not an ELF format binary, and does not start with the #! sequence that marks interpreted scripts. It might be a sh script that fails to name /bin/sh as its shell, or it may be incorrectly marked as executable. Sometimes upstream files developed on Windows are marked unnecessarily as executable on other systems. . If you are using debhelper to build your package, running dh_fixperms will often correct this problem for you. Ref: policy 10.4 Tag: script-not-executable Severity: normal Certainty: certain Info: This file starts with the #! sequence that marks interpreted scripts, but it is not executable. Tag: interpreter-not-absolute Severity: normal Certainty: certain Info: This script uses a relative path to locate its interpreter. This path will be taken relative to the caller's current directory, not the script's, so it is not likely to be what was intended. Tag: example-interpreter-not-absolute Severity: wishlist Certainty: certain Info: This example script uses a relative path to locate its interpreter. This path will be taken relative to the caller's current directory, not the script's, so a user will probably not be able to run the example without modification. This tag can also be caused by script headers like #!@BASH@, which usually mean that the examples were copied out of the source tree before proper Autoconf path substitution. Tag: unusual-interpreter Severity: normal Certainty: possible Info: This package contains a script for an interpreter that the Lintian maintainers have not heard of. It could be a typo for a common interpreter. If not, please file a wishlist bug on lintian so that the Lintian maintainers can add this interpreter to their list. Tag: example-unusual-interpreter Severity: pedantic Certainty: possible Info: This package contains an example script for an interpreter that the Lintian maintainers have not heard of. It could be a typo for a common interpreter. Tag: script-uses-bin-env Severity: normal Certainty: certain Info: This script uses /bin/env as its interpreter (used to find the actual interpreter on the user's path). There is no /bin/env on Debian systems; env is instead installed as /usr/bin/env. Usually, the path to env in the script should be changed. Tag: example-script-uses-bin-env Severity: wishlist Certainty: certain Info: This example script uses /bin/env as its interpreter (used to find the actual interpreter on the user's path). There is no /bin/env on Debian systems; env is instead installed as /usr/bin/env. Usually, the path to env in the script should be changed. Tag: forbidden-config-interpreter Severity: important Certainty: certain Info: This package contains a config script for pre-configuring the package. During pre-configuration, however, only essential packages are guaranteed to be installed, so you cannot use a non-essential interpreter. Tag: forbidden-postrm-interpreter Severity: serious Certainty: certain Info: This package contains a postrm maintainer script that uses an interpreter that isn't essential. The purge action of postrm can only rely on essential packages, which means the interpreter used by postrm must be one of the essential ones (sh, bash, or perl). Ref: policy 7.2 Tag: unusual-control-interpreter Severity: minor Certainty: certain Info: This package contains a control script for an interpreter that is not normally used for control scripts. This is permissible but not recommended. It makes it harder for other developers to understand your package. Tag: unknown-control-interpreter Severity: important Certainty: possible Info: This package contains a maintainer script that uses an interpreter that the Lintian maintainers have not heard of. This is usually a typo for a common interpreter. If not, please file a wishlist bug on lintian so that the Lintian maintainers can add this interpreter to their list. Tag: interpreter-in-usr-local Severity: important Certainty: certain Info: This package contains a script that looks for an interpreter in a directory in /usr/local. Since Debian does not install anything in /usr/local, this is the wrong place to look. Tag: example-interpreter-in-usr-local Severity: pedantic Certainty: certain Info: This package contains an example script that looks for an interpreter in a directory in /usr/local. Since Debian does not install anything in /usr/local, the example script would probably need modifications before a user could run it. Tag: control-interpreter-in-usr-local Severity: serious Certainty: certain Info: A control script for this package references an interpreter in a directory in /usr/local. Control scripts must use interpreters provided by Debian packages, and Debian packages do not install anything in /usr/local. Tag: preinst-interpreter-without-predepends Severity: serious Certainty: certain Info: The package contains a preinst maintainer script that uses an unusual and non-essential interpreter but does not declare a pre-dependency on the package that provides this interpreter. . preinst scripts should be written using only essential interpreters to avoid additional dependency complexity. Please do not add a pre-dependency without following the policy for doing so (Policy section 3.5). Ref: policy 7.2 Tag: preinst-uses-dpkg-maintscript-helper-without-predepends Severity: pedantic Certainty: possible Info: The package contains a preinst maintainer script that uses dpkg-maintscript-helper but does not declare a versoned pre-dependency on dpkg (>= 1.15.7.2~) that provides that script. Tag: control-interpreter-without-depends Severity: serious Certainty: possible Info: The package contains a maintainer script that uses an unusual and non-essential interpreter but does not declare a dependency on the package that provides this interpreter. Ref: policy 7.2 Tag: missing-dep-for-interpreter Severity: important Certainty: possible Info: You used an interpreter for a script that is not in an essential package. In most cases, you will need to add a Dependency on the package that contains the interpreter. If the dependency is already present, please file a bug against Lintian with the details of your package so that its database can be updated. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: csh-considered-harmful Severity: normal Certainty: certain Info: The Debian policy for scripts explicitly warns against using csh and tcsh as scripting languages. Ref: policy 10.4 Tag: wrong-path-for-interpreter Severity: important Certainty: certain Info: The interpreter you used is installed at another location on Debian systems. Tag: example-wrong-path-for-interpreter Severity: wishlist Certainty: certain Info: The interpreter used by this example script is installed at another location on Debian systems. Normally the path should be updated to match the Debian location. Tag: gawk-script-but-no-gawk-dep Severity: important Certainty: certain Info: Packages that use gawk scripts must depend on the gawk package. If they don't need gawk-specific features, and can just as easily work with mawk, then they should be awk scripts instead. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: mawk-script-but-no-mawk-dep Severity: important Certainty: certain Info: Packages that use mawk scripts must depend on the mawk package. If they don't need mawk-specific features, and can just as easily work with gawk, then they should be awk scripts instead. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: php-script-but-no-phpX-cli-dep Severity: important Certainty: certain Info: Packages with PHP scripts must depend on a phpX-cli package such as php5-cli. Note that a dependency on a php-cgi package (such as php5-cgi) is needlessly strict and forces the user to install a package that isn't needed. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. . Lintian can only recognize phpX-cli dependencies for values of X that it knows are available in the archive. You will get this warning if you allow, as alternatives, versions of PHP that are so old they're not available in stable. The correct fix in those cases is probably to drop the old alternative. If this package depends on a newer php-cli package that Lintian doesn't know about, please file a bug against Lintian so that it can be updated. Tag: python-script-but-no-python-dep Severity: important Certainty: certain Info: Packages with Python scripts should depend on the package python. Those with scripts that specify a specific version of Python must depend on that version of Python (exactly). . For example, if a script in the package uses #!/usr/bin/python, the package needs a dependency on python. If a script uses #!/usr/bin/python2.6, the package needs a dependency on python2.6. A dependency on python (>= 2.6) is not correct, since later versions of Python may not provide the /usr/bin/python2.6 binary. . If you are using debhelper, adding ${python:Depends} to the Depends field and ensuring dh_pysupport or dh_pycentral are run during the build should take care of adding the correct dependency. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: ruby-script-but-no-ruby-dep Severity: important Certainty: certain Info: Packages with Ruby scripts must depend on a valid Ruby interpreter. Those that have Ruby scripts that run under a specific version of Ruby need a dependency on the equivalent version of Ruby. . If a script in the package uses #!/usr/bin/ruby, the package needs a dependency on "ruby | ruby-interpreter". This allows users to choose which interpreter to use by default. If the package is intended to be used with a specific Ruby version, its scripts should use that version directly, such as #!/usr/bin/ruby1.8 . If a script uses #!/usr/bin/ruby1.9, then the package needs a dependency on "ruby1.9". . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: wish-script-but-no-wish-dep Severity: important Certainty: certain Info: Packages that include wish scripts must depend on the virtual package wish or, if they require a specific version of wish or tk, that version of tk. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: tclsh-script-but-no-tclsh-dep Severity: important Certainty: certain Info: Packages that include tclsh scripts must depend on the virtual package tclsh or, if they require a specific version of tcl, that version of tcl. . In some cases a weaker relationship, such as Suggests or Recommends, will be more appropriate. Tag: shell-script-fails-syntax-check Severity: important Certainty: certain Info: Running this shell script with the shell's -n option set fails, which means that the script has syntax errors. The most common cause of this problem is a script expecting /bin/sh to be bash checked on a system using dash as /bin/sh. . Run e.g. sh -n yourscript to see the errors yourself. Tag: example-shell-script-fails-syntax-check Severity: pedantic Certainty: certain Info: Running this shell script with the shell's -n option set fails, which means that the script has syntax errors. The most common cause of this problem is a script expecting /bin/sh to be bash checked on a system using dash as /bin/sh. . Run e.g. sh -n yourscript to see the errors yourself. Tag: maintainer-shell-script-fails-syntax-check Severity: serious Certainty: certain Info: Running this shell script with the shell's -n option set fails, which means that the script has syntax errors. This will likely make the package uninstallable. . Run e.g. sh -n yourscript to see the errors yourself. Tag: possibly-insecure-handling-of-tmp-files-in-maintainer-script Severity: normal Certainty: possible Info: The maintainer script seems to access a file in /tmp or some other temporary directory. Since creating temporary files in a world-writable directory is very dangerous, this is likely to be a security bug. Use the tempfile or mktemp utilities to create temporary files in these directories. Ref: policy 10.4 Tag: killall-is-dangerous Severity: normal Certainty: possible Info: The maintainer script seems to call killall. Since this utility kills processes by name, it may well end up killing unrelated processes. Most uses of killall should use invoke-rc.d instead. Tag: mknod-in-maintainer-script Severity: serious Certainty: certain Ref: policy 10.6 Info: Maintainer scripts must not create device files directly. They should call MAKEDEV instead. . If mknod is being used to create a FIFO (named pipe), use mkfifo instead to avoid triggering this tag. Tag: start-stop-daemon-in-maintainer-script Severity: normal Certainty: certain Info: The maintainer script seems to call start-stop-daemon directly. Long-running daemons should be started and stopped via init scripts using invoke-rc.d rather than directly in maintainer scripts. Ref: policy 9.3.3.2 Tag: maintainer-script-removes-device-files Severity: serious Certainty: certain Ref: policy 10.6 Info: Maintainer scripts must not remove device files. This is left to the system administrator. Tag: read-in-maintainer-script Severity: serious Certainty: possible Ref: policy 3.9.1 Info: This maintainer script appears to use read to get information from the user. Prompting in maintainer scripts must be done by communicating through a program such as debconf which conforms to the Debian Configuration management specification, version 2 or higher. . This check can have false positives if read is used in a block with a redirection, in a function run in a pipe, or in other ways where standard input is provided in inobvious ways. If this is the case, please add an override for this tag. Tag: possible-bashism-in-maintainer-script Severity: normal Certainty: possible Ref: policy 10.4 Info: This script is marked as running under /bin/sh, but it seems to use a feature found in bash but not in the SUSv3 or POSIX shell specification. . Examples: '==' in a test, it should use '=' instead 'read' without a variable in the argument 'function' to define a function 'source' instead of '.' '. command args', passing arguments to commands via 'source' is not supported '{foo,bar}' instead of 'foo bar' '[[ test ]]' instead of '[ test ]' (requires a Korn shell) 'type' instead of 'which' or 'command -v' Tag: suidregister-used-in-maintainer-script Severity: important Certainty: certain Info: This script calls suidregister, a long-obsolete program that has been replaced by dpkg-statoverride. Tag: maintainer-script-needs-depends-on-update-inetd Severity: normal Certainty: certain Info: This script calls update-inetd, but the package does not depend or pre-depend on inet-superserver, any of the providers of inet-superserver which provide it, or update-inetd. . update-inetd has been moved from netbase into a separate package, so a dependency on netbase should be updated to depend on "openbsd-inetd | inet-superserver". Tag: maintainer-script-needs-depends-on-adduser Severity: normal Certainty: certain Info: This script calls adduser, but the package does not depend or pre-depend on the adduser package. Tag: maintainer-script-needs-depends-on-gconf2 Severity: normal Certainty: certain Info: This script calls gconf-schemas, which comes from the gconf2 package, but does not depend or pre-depend on gconf2. If you are using dh_gconf, add a dependency on ${misc:Depends} and dh_gconf will take care of this for you. Tag: maintainer-script-needs-depends-on-ucf Severity: normal Certainty: certain Info: This script calls ucf, but the package does not depend or pre-depend on the ucf package. Tag: maintainer-script-needs-depends-on-xml-core Severity: normal Certainty: certain Info: This script calls update-xmlcatalog, which comes from the xml-core package, but does not depend or pre-depend on xml-core. Packages that call update-xmlcatalog need to depend on xml-core. If you are using dh_installxmlcatalogs, add a dependency on ${misc:Depends} and dh_installxmlcatalogs will take care of this for you. Tag: update-alternatives-remove-called-in-postrm Severity: normal Certainty: certain Info: update-alternatives --remove <alternative> foo is called in the postrm. This can be dangerous because at the time the postrm is executed foo has already been deleted and update-alternatives will ignore it while constructing its list of available alternatives. Then, if the /etc/alternatives symlink points at foo, update-alternatives won't recognize it and will mark the symlink as something site-specific. As such, the symlink will no longer be updated automatically and will be left dangling until update-alternatives --auto <alternative> is run by hand. . update-alternatives --remove should be called in the prerm instead. Ref: policy F, update-alternatives(8) Tag: deprecated-chown-usage Severity: normal Certainty: certain Info: chown user.group is called in one of the maintainer scripts. The correct syntax is chown user:group. Using "." as a separator is still supported by the GNU tools, but it will fail as soon as a system uses the "." in user or group names. Ref: chown(1) Tag: maintainer-script-hides-init-failure Severity: normal Certainty: certain Info: This script calls invoke-rc.d to run an init script but then, if the init script fails, exits successfully (using || exit 0). If the init script fails, the maintainer script should probably fail. . The most likely cause of this problem is that the package was built with a debhelper version suffering from Bug#337664 that inserted incorrect invoke-rc.d code in the generated maintainer script. The package needs to be reuploaded (could be bin-NMUd, no source changes needed). Tag: maintainer-script-calls-init-script-directly Severity: serious Certainty: certain Info: This script apparently runs an init script directly rather than using invoke-rc.d. The use of invoke-rc.d to invoke the /etc/init.d/* initscripts instead of calling them directly is required. Maintainer scripts may call the init script directly only if invoke-rc.d is not available. Ref: policy 9.3.3.2 Tag: gconftool-used-in-maintainer-script Severity: normal Certainty: possible Info: This script apparently runs gconftool or gconftool-2. It should probably be calling gconf-schemas or update-gconf-defaults instead. Tag: fc-cache-used-in-maintainer-script Severity: normal Certainty: possible Info: This script apparently runs fc-cache. Updating of the fontconfig cache files is now handled automatically by triggers, so running fc-cache from maintainer scripts is no longer necessary. Tag: install-info-used-in-maintainer-script Severity: normal Certainty: possible Info: This script apparently runs install-info. Updating the /usr/share/info/dir file is now handled automatically by triggers, so running install-info from maintainer scripts is no longer necessary. . If debhelper generated the maintainer script fragment, rebuilding the package with debhelper 7.2.17 or later will fix this problem. Tag: maintainer-script-uses-dpkg-status-directly Severity: important Certainty: certain Info: The file /var/lib/dpkg/status is internal to dpkg, may disappear or change formats, and is not always a correct and complete record of installed packages while dpkg is running. Maintainer scripts should use dpkg-query instead. For the most common case of retrieving conffile information, use: . dpkg-query -W -f='${Conffiles}' <package> . instead. Ref: http://wiki.debian.org/DpkgConffileHandling Tag: maintainer-script-modifies-netbase-managed-file Severity: serious Certainty: certain Info: The maintainer script modifies at least one of the files /etc/services, /etc/protocols, and /etc/rpc, which are managed by the netbase package. Instead of doing this, please file a wishlist bug against netbase to have an appropriate entry added. Ref: policy 11.2 Tag: maintainer-script-modifies-inetd-conf Severity: serious Certainty: certain Info: The maintainer script modifies /etc/inetd.conf directly. This file must not be modified directly; instead, use the update-inetd script or the DebianNet.pm Perl module. Ref: policy 11.2 Tag: maintainer-script-modifies-ld-so-conf Severity: important Certainty: possible Info: This package appears to modify /etc/ld.so.conf and does not appear to be part of libc. Packages installing shared libraries in non-standard locations were previously permitted to modify /etc/ld.so.conf to add the non-standard path, but this permission was removed in Policy 3.8.3. . Packages containing shared libraries should either install them into /usr/lib or should require binaries built against them to set RPATH to find the library at run-time. Installing libraries in a different directory and modifying the run-time linker path is equivalent to installing them into /usr/lib except now conflicting library packages may cause random segfaults and difficult-to-debug problems instead of conflicts in the package manager. Tag: install-sgmlcatalog-deprecated Severity: important Certainty: certain Info: The maintainer script apparently runs install-sgmlcatalog with flags other than --quiet and --remove or in a maintainer script other than postinst or prerm. install-sgmlcatalog is deprecated and should only be used in postinst or prerm to remove the entries from earlier packages. Given how long ago this transition was, consider removing it entirely. Tag: maintainer-script-empty Severity: minor Certainty: certain Info: The maintainer script doesn't seem to contain any code other than comments and boilerplate (set -e, exit statements, and the case statement to parse options). While this is harmless in most cases, it is probably not what you wanted, may mean the package will leave unnecessary files behind until purged, and may even lead to problems in rare situations where dpkg would fail if no maintainer script was present. . If the package currently doesn't need to do anything in this maintainer script, it shouldn't be included in the package. Tag: maintainer-script-ignores-errors Severity: normal Certainty: certain Ref: policy 10.4 Info: The maintainer script doesn't seem to set the -e flag which ensures that the script's execution is aborted when any executed command fails. Tag: maintainer-script-without-set-e Severity: pedantic Certainty: certain Ref: policy 10.4 Info: The maintainer script passes -e to the shell on the #! line rather than using set -e in the body of the script. This is fine for normal operation, but if the script is run by hand with sh /path/to/script (common in debugging), -e will not be in effect. It's therefore better to use set -e in the body of the script. Tag: command-with-path-in-maintainer-script Severity: normal Certainty: certain Info: The indicated program run in a maintainer script has a prepended path. Programs called from maintainer scripts normally should not have a path prepended. dpkg ensures that the PATH is set to a reasonable value, and prepending a path may prevent the local administrator from using a replacement version of a command for some local reason. Ref: policy 6.1 Tag: ancient-dpkg-predepends-check Severity: minor Certainty: certain Info: The package calls dpkg --assert-support-predepends in a maintainer script. This check is obsolete and has always returned true since dpkg 1.1.0, released 1996-02-11. Tag: ancient-dpkg-epoch-check Severity: minor Certainty: certain Info: The package calls dpkg --assert-working-epoch in a maintainer script. This check is obsolete and has always returned true since dpkg 1.4.0.7, released 1997-01-25. Tag: ancient-dpkg-long-filenames-check Severity: minor Certainty: certain Info: The package calls dpkg --assert-long-filenames in a maintainer script. This check is obsolete and has always returned true since dpkg 1.4.1.17, released 1999-10-21. Tag: ancient-dpkg-multi-conrep-check Severity: minor Certainty: certain Info: The package calls dpkg --assert-multi-conrep in a maintainer script. This check is obsolete and has always returned true since dpkg 1.4.1.19, released 1999-10-30. Tag: package-uses-local-diversion Severity: serious Certainty: certain Ref: policy 3.9 Info: The maintainer script calls dpkg-divert with --local or without --package. This option is reserved for local administrators and must never be used by a Debian package. Tag: diversion-for-unknown-file Severity: important Certainty: certain Info: The maintainer script adds a diversion for a file that is not provided by this package. Tag: orphaned-diversion Severity: important Certainty: certain Info: A diversion was added for the file, but not removed. This means your package doesn't restore the previous state after removal. Tag: remove-of-unknown-diversion Severity: important Certainty: certain Info: The maintainer script removes a diversion that it didn't add. If you're cleaning up unnecessary diversions from older versions of the package, remove them in preinst or postinst instead of waiting for postrm to do it. Tag: script-uses-perl4-libs-without-dep Severity: normal Certainty: possible Info: This package includes perl scripts using obsoleted perl 4-era libraries. These libraries have been deprecated in perl in 5.14, and are likely to be removed from the core in perl 5.16. Please either remove references to these libraries, or add a dependency on libperl4-corelibs-perl | perl (<< 5.12.3-7) to this package.