Sources file audit - 2010-01-05

Radek Vokál radekvokal at gmail.com
Wed Jan 6 19:11:09 UTC 2010


Kevin, you claim the check is done against the latest devel tree but I see 
a few fairly archaic package versions ... like

rvokal:BADURL:wireshark-1.1.1.tar.gz:wireshark


On 6.1.2010 19:38, Kevin Fenzi wrote:
> Here's attached another run of my sources/patches url checker.
>
> This sourcecheck script takes a full checkout of all Fedora packages
> in the devel branch and runs 'spectool -g' on each spec file to download
> any sources that contain a valid URI. It then checks any downloaded
> source files against the 'sources' file and the checksum of the source
> in our lookaside cache.
>
> - There are 1612 lines in this run. Up from 932 last run.
>
> 700 sourcecheck-20070826.txt
> 620 sourcecheck-20070917.txt
> 561 sourcecheck-20071017.txt
> 775 sourcecheck-20080206.txt
> 685 sourcecheck-20080214.txt
> 674 sourcecheck-20080301.txt
> 666 sourcecheck-20080401.txt
> 660 sourcecheck-20080501.txt
> 642 sourcecheck-20080603.txt
> 649 sourcecheck-20080705.txt
> 662 sourcecheck-20080801.txt
> 912 sourcecheck-20081114.txt
> 884 sourcecheck-20090215.txt
> 1060 sourcecheck-20090810.txt
> 932 sourcecheck-20091101.txt
> 1612 sourcecheck-20100105.txt
>
> You can find the results file at:
>
> http://www.scrye.com/~kevin/fedora/sourcecheck/sourcecheck-20100105.txt
>
> And also attached to this mail.
>
> Additionally, I have the output from each package's 'spectool -g' run in:
> http://www.scrye.com/~kevin/fedora/sourcecheck/sourcecheck-20100105/<pkgname>-dl.txt
> So you can look at what my script got for trying to download your packages source.
> This should allow folks to see transitory network failures and the like.
>
> Lines in the output are of three forms:
>
> - BADURL:base-file-name:$PACKAGENAME
>
> This means that the URI provided in the Source(s) line didn't result in
> a download of the source. This could be any of: URL changed, version
> changed and URL wasn't updated, Site is down, Site is gone, etc.
> Also there are a number of packages with incorrect sourceforge links.
> (BTW, there are still some packages with ftp://people.redhat.com/
> URLs). This could also be a transitory network failure from my checking
> host or the project hosting.
>
> - BADSOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the source was downloaded ok from the upstream site,
> but doesn't match the md5sum given in the sources file.
> This could be due to needing to strip out content that fedora cannot
> ship (but in that case you shouldn't have the full URI in the Source
> line). Or upstream following poor release practices and updating
> without changing their release. Or tampering with the source
> package.
>
> - BAD_CVS_SOURCE:$SOURCENAME:$PACKAGENAME
>
> This means that the file was downloaded from the URI given, and the
> md5sum did not match the file that's present in CVS (not the lookaside).
> This might be due to timestamps, or any of the above reasons.
>
> You should fix your package(s) for any of the above problems.
>
> NOTE: You should check in a fixed spec file to the devel branch, but
> there is no need to rebuild your package simply for this change unless
> there was a functional change due to different sources.
>
> kevin
> --
>
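
The comparison the quoted mail describes (downloaded source versus the md5sum recorded in the 'sources' file), as an added example that is not part of the original thread and is not Kevin's sourcecheck script. It assumes the 'sources' file holds one `<md5hex>  <filename>` entry per line; `parse_sources`, `check_package` and the sample package are hypothetical names and constructed data.

```python
import hashlib
import os
import tempfile

def parse_sources(text):
    """Map filename -> md5 hex from a 'sources' file (assumed '<md5hex>  <filename>' per line)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[1]] = parts[0].lower()
    return entries

def md5_of(path):
    # MD5 because that is the checksum the mail says the sources file records.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_package(pkg, sources_text, download_dir, expected_files):
    """Return report lines in the BADURL / BADSOURCE forms described in the mail."""
    recorded = parse_sources(sources_text)
    report = []
    for name in expected_files:
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            # The Source URI did not yield a file.
            report.append(f"BADURL:{name}:{pkg}")
        elif name in recorded and md5_of(path) != recorded[name]:
            # Downloaded fine, but differs from what was recorded at import time.
            report.append(f"BADSOURCE:{name}:{pkg}")
    return report

def demo():
    # Constructed sample: one file altered after recording, one intact, one never downloaded.
    good, altered = b"release 1.0 contents", b"release 1.0 contents (re-rolled)"
    digest = hashlib.md5(good).hexdigest()
    sources = f"{digest}  example-1.0.tar.gz\n{digest}  example-data-1.0.tar.gz\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("example-1.0.tar.gz", altered), ("example-data-1.0.tar.gz", good)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        expected = ["example-1.0.tar.gz", "example-data-1.0.tar.gz", "example-docs-1.0.tar.gz"]
        return check_package("examplepkg", sources, d, expected)

if __name__ == "__main__":
    print("\n".join(demo()))
```
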



