Florian La Roche wrote:
Hello Dag,
I've copied a newer version to http://people.redhat.com/laroche/pyrpm/
It can now also read the cpio data part of rpm packages and has several
items cleaned up. I'd be interested to hear more feedback from python
experts about possibly improvements. ;-)
If python rpm experts is your goal, try the rpm-python list please.
The "--strict" option should only be used for Fedora Core development branch.
I've ran it on about 28000 packages, mostly unknown tag values:
unknown distribution: Dag Apt Repository for Red Hat 7.3
unknown packager: Dries Verachtert <dries@xxxxxxxxxxx>
unknown vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Yepp, content check for "--strict" not useful for non-FC-devel.
However it also triggered a problem:
ValueError: amavisd-new-milter-2.2.0-2.0.rh8.test.i386.rpm: wrong data in rpm lead Traceback (most recent call last): File "./pyrpm.py", line 676, in ? verifyAllRpms() File "./pyrpm.py", line 657, in verifyAllRpms rpm = verifyRpm(a, legacy) File "./pyrpm.py", line 583, in verifyRpm if rpm.readHeader(): File "./pyrpm.py", line 308, in readHeader self.parseLead(leaddata) File "./pyrpm.py", line 110, in parseLead self.raiseErr("wrong data in rpm lead") File "./pyrpm.py", line 59, in raiseErr raise ValueError, "%s: %s" % (self.filename, err)
on files like:
perl-Tk-804.026-1.rhfc1.test.i386.rpm amavisd-new-2.2.0-2.0.rh8.test.i386.rpm xpde-0.4.0-1.1.fc2.test.i386.rpm
Fortunately all of these have been renamed files where the repotag has been changed to 'test'. Something I frequently do after a package didn't go through QA but was still worth distributing.
Should also not be happen without the "--strict" option.
After a while, when it started with kernel-module packages, I got this:
ValueError: kernel-module-ov511-2.25-0_2.4.20_20.9.dag.rh90.i686.rpm: unknown prog: ['/sbin/depmod', '-ae'] Traceback (most recent call last): File "./pyrpm.py", line 676, in ? verifyAllRpms() File "./pyrpm.py", line 663, in verifyAllRpms rrpm = RRpm(rpm) File "./pyrpm.py", line 509, in __init__ (self.post, self.postprog) = rpm.getScript("postin", "postinprog") File "./pyrpm.py", line 415, in getScript self.raiseErr("unknown prog: %s" % prog) File "./pyrpm.py", line 59, in raiseErr raise ValueError, "%s: %s" % (self.filename, err)
These messages are printed for each package. The command I ran was:
find /dar/packages/ -type f -name "*.rpm" | xargs -i ./pyrpm.py --strict '{}' \; | grep -vE 'unknown (packager|vendor|distribution)' | sort | uniq -c
I ended it after a lot of these 'errors'. Is the traceback intentional ?
I should change the tracebacks into errors only, so that you can still enable this option and look at the items we would not like to have in FC-devel.
Thanks for running this test. Looks like the rpm parser is stable enough
for existing packages and we mostly deal with the "noise" the parser is
also checking right now.
OK, so you can read *.rpm format in native python. Good, even though you are not
verifying signatures or digests of what you are reading.
At the content level, you are attempting explicit enums with limited value sets. You
can do that, but if an explicit enum for certain tags is the goal, well, that is more easily
arranged in rpmbuild rather than vetting every *.rpm package built in the wild.
At the semantic level, pyrpm is not even close to extracting and verifying immutable header regions, nor the sort properties of tag value sets.
And existing packages are really easy to vet. Try pkgs produced by rpm-3.0.4 and earlier
for some real fun. %description and %verifyscript, exercise left for pyrpm.py.
Have fun!
73 de Jeff
