ruby/ruby.rpmlintrc

# Keep matching patterns enough not to hide unintended errors and warnings.

# There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`.
# The order in the .spec file could be possibly different.
addFilter(r'^ruby\.(spec|src):20: E: use-of-RPM_SOURCE_DIR$')

# The used version is not obvious.
addFilter(r'^ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$')
addFilter(r'^ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$')
addFilter(r'^ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$')
addFilter(r'^ruby\.(spec|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$')

# The template files do not have to have executable bits.
addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')

# The bundled gem files permissions are overridden as 644 by `make install`.
# https://bugs.ruby-lang.org/issues/17840
# power_assert
# https://github.com/ruby/power_assert/issues/35
addFilter(r'^rubygem-power_assert\.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-[\d\.]+/bin/console 644 ')
addFilter(r'^rubygem-power_assert\.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-[\d\.]+/bin/setup 644 ')
# rake
# https://github.com/ruby/rake/issues/385
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/bundle 644 ')
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/console 644 ')
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rake 644 ')
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rdoc 644 ')
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rubocop 644 ')
addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/setup 644 ')
# rbs
# https://github.com/ruby/rbs/issues/673
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/annotate-with-rdoc 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/console 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/query-rdoc 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/rbs-prof 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/setup 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/sort 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/steep 644 ')
addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/test_runner.rb 644 ')
# test-unit
addFilter(r'^rubygem-test-unit\.noarch: E: non-executable-script /usr/share/gems/gems/test-unit-[\d\.]+/test/run-test.rb 644 ')

# The function `chroot` without using `chdir` is detected by rpmlint with the
# following message. However it looks a false positive as the `chroot` in the
# `dir.c` is just used as a Ruby binding `Dir.chroot` for the function.
#
# ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.3.0.1
# This executable appears to call chroot without using chdir to change the
# current directory. This is likely an error and permits an attacker to break
# out of the chroot by using fchdir. While that's not always a security issue,
# this has to be checked.
addFilter(r'^ruby-libs\.\w+: E: missing-call-to-chdir-with-chroot /usr/lib(64)?/libruby.so.[\d/.]+$')

# Nothing referred and no dependency information should be no problem.
# https://bugs.ruby-lang.org/issues/16558#note-2
addFilter(r'^ruby-libs\.\w+: E: shared-lib-without-dependency-information /usr/lib(64)?/ruby/enc/gb2312.so$')
Add ruby.rpmlintrc. Ignore the false positive errors and warnings by the `rpmlint --file ruby.rpmlintrc`, that is executed by Zuul CI. You can run the command on your local like this. ``` $ rpmlint --file ruby.rpmlintrc ruby.spec /var/lib/mock/fedora-rawhide-x86_64/result/*.rpm ``` The `rpmlint` without `--file` option shows the original result. 2021-03-23 15:31:10 +00:00			`# Keep matching patterns enough not to hide unintended errors and warnings.`
Ignore the rpmlint "E: use-of-RPM_SOURCE_DIR". Ignore the following errors. ``` ruby.spec:20: E: use-of-RPM_SOURCE_DIR ruby.src:20: E: use-of-RPM_SOURCE_DIR ``` 2021-03-23 15:31:10 +00:00
			# There is no way to implement this with `%{SOURCE0}` without `%{_sourcedir}`.
			`# The order in the .spec file could be possibly different.`
			`addFilter(r'^ruby\.(spec\|src):20: E: use-of-RPM_SOURCE_DIR$')`
Ignore the rpmlint "W: unversioned-explicit-provides". Ignore the following warnings for bundled ccan-* libraries. ``` ruby.spec:231: W: unversioned-explicit-provides bundled(ccan-build_assert) ruby.spec:232: W: unversioned-explicit-provides bundled(ccan-check_type) ruby.spec:233: W: unversioned-explicit-provides bundled(ccan-container_of) ruby.spec:234: W: unversioned-explicit-provides bundled(ccan-list) ruby.src:231: W: unversioned-explicit-provides bundled(ccan-build_assert) ruby.src:232: W: unversioned-explicit-provides bundled(ccan-check_type) ruby.src:233: W: unversioned-explicit-provides bundled(ccan-container_of) ruby.src:234: W: unversioned-explicit-provides bundled(ccan-list) ``` 2021-03-23 15:31:10 +00:00
			`# The used version is not obvious.`
			`addFilter(r'^ruby\.(spec\|src):\d+: W: unversioned-explicit-provides bundled\(ccan-build_assert\)$')`
			`addFilter(r'^ruby\.(spec\|src):\d+: W: unversioned-explicit-provides bundled\(ccan-check_type\)$')`
			`addFilter(r'^ruby\.(spec\|src):\d+: W: unversioned-explicit-provides bundled\(ccan-container_of\)$')`
			`addFilter(r'^ruby\.(spec\|src):\d+: W: unversioned-explicit-provides bundled\(ccan-list\)$')`
ruby.rpmlintrc: Ignore non executable template files for Bundler. The template files do not have to have executable bits. Ignore the following errors. ``` rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/Executable 644 /usr/bin/env <%= Bundler.settings[:shebang] \|\| RbConfig::CONFIG["ruby_install_name"] %> rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/Executable.bundler 644 /usr/bin/env <%= Bundler.settings[:shebang] \|\| RbConfig::CONFIG["ruby_install_name"] %> rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/Executable.standalone 644 /usr/bin/env <%= Bundler.settings[:shebang] \|\| RbConfig::CONFIG["ruby_install_name"] %> rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/newgem/bin/console.tt 644 /usr/bin/env ruby rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/newgem/bin/setup.tt 644 /usr/bin/env bash rubygem-bundler.noarch: E: non-executable-script /usr/share/gems/gems/bundler-2.2.15/lib/bundler/templates/newgem/exe/newgem.tt 644 /usr/bin/env ruby ``` 2021-05-14 15:16:38 +00:00
			`# The template files do not have to have executable bits.`
			`addFilter(r'^rubygem-bundler\.noarch: E: non-executable-script /usr/share/gems/gems/bundler-[\d\.]+/lib/bundler/templates/[\w/\.]+ 644 /usr/bin/env ')`
ruby.rpmlintrc: Ignore the non-executable-script errors in bundled gems. The bundled gem files permissions are overridden as 644 by `make install`. Ignore following errors in bundled gems. ``` rubygem-power_assert.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-1.2.0/bin/console 644 /usr/bin/env ruby rubygem-power_assert.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-1.2.0/bin/setup 644 /usr/bin/env bash rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/bundle 644 /usr/bin/env ruby rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/console 644 /usr/bin/env ruby rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/rake 644 /usr/bin/env ruby rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/rdoc 644 /usr/bin/env ruby rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/rubocop 644 /usr/bin/env ruby rubygem-rake.noarch: E: non-executable-script /usr/share/gems/gems/rake-13.0.3/bin/setup 644 /usr/bin/env bash rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/annotate-with-rdoc 644 /usr/bin/env ruby rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/console 644 /usr/bin/env ruby rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/query-rdoc 644 /usr/bin/env ruby rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/rbs-prof 644 /usr/bin/env ruby rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/setup 644 /usr/bin/env bash rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/sort 644 /usr/bin/env ruby rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/steep 644 /bin/sh rubygem-rbs.noarch: E: non-executable-script /usr/share/gems/gems/rbs-1.0.4/bin/test_runner.rb 644 /usr/bin/env ruby rubygem-test-unit.noarch: E: non-executable-script /usr/share/gems/gems/test-unit-3.3.7/test/run-test.rb 644 /usr/bin/env ruby ``` 2021-04-28 18:53:04 +00:00
			# The bundled gem files permissions are overridden as 644 by `make install`.
			`# https://bugs.ruby-lang.org/issues/17840`
			`# power_assert`
			`# https://github.com/ruby/power_assert/issues/35`
			`addFilter(r'^rubygem-power_assert\.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-[\d\.]+/bin/console 644 ')`
			`addFilter(r'^rubygem-power_assert\.noarch: E: non-executable-script /usr/share/gems/gems/power_assert-[\d\.]+/bin/setup 644 ')`
			`# rake`
			`# https://github.com/ruby/rake/issues/385`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/bundle 644 ')`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/console 644 ')`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rake 644 ')`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rdoc 644 ')`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/rubocop 644 ')`
			`addFilter(r'^rubygem-rake\.noarch: E: non-executable-script /usr/share/gems/gems/rake-[\d\.]+/bin/setup 644 ')`
			`# rbs`
			`# https://github.com/ruby/rbs/issues/673`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/annotate-with-rdoc 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/console 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/query-rdoc 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/rbs-prof 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/setup 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/sort 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/steep 644 ')`
			`addFilter(r'^rubygem-rbs\.noarch: E: non-executable-script /usr/share/gems/gems/rbs-[\d\.]+/bin/test_runner.rb 644 ')`
			`# test-unit`
			`addFilter(r'^rubygem-test-unit\.noarch: E: non-executable-script /usr/share/gems/gems/test-unit-[\d\.]+/test/run-test.rb 644 ')`
ruby.rpmlintrc: Ignore a false positive missing-call-to-chdir-with-chroot error. The `chroot` in the `dir.c` is just used as a Ruby binding `Dir.chroot` for the function. Ignore the following error. ``` ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.3.0.1 ``` 2021-04-28 18:53:04 +00:00
			# The function `chroot` without using `chdir` is detected by rpmlint with the
			# following message. However it looks a false positive as the `chroot` in the
			# `dir.c` is just used as a Ruby binding `Dir.chroot` for the function.
			`#`
			`# ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.3.0.1`
			`# This executable appears to call chroot without using chdir to change the`
			`# current directory. This is likely an error and permits an attacker to break`
			`# out of the chroot by using fchdir. While that's not always a security issue,`
			`# this has to be checked.`
			`addFilter(r'^ruby-libs\.\w+: E: missing-call-to-chdir-with-chroot /usr/lib(64)?/libruby.so.[\d/.]+$')`
ruby.rpmlintrc: Ignore a shared-lib-without-dependency-information error. Nothing referred and no dependency information should be no problem. Ignore the following error. ``` ruby-libs.x86_64: E: shared-lib-without-dependency-information /usr/lib64/ruby/enc/gb2312.so ``` 2021-05-14 16:00:25 +00:00
			`# Nothing referred and no dependency information should be no problem.`
			`# https://bugs.ruby-lang.org/issues/16558#note-2`
			`addFilter(r'^ruby-libs\.\w+: E: shared-lib-without-dependency-information /usr/lib(64)?/ruby/enc/gb2312.so$')`