#
# rpminspect configuration file
#
# SPDX-License-Identifier: CC-BY-SA-4.0
#
---
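common:
  # Directory where individual rpminspect jobs will expand packages
  # and generate all of the test output. This needs to be a
  # location with plenty of storage space.
  #
  # NOTE(review): /var/tmp is a shared location; untrusted package
  # contents are unpacked here, so confirm the per-job directories
  # are created with restrictive permissions rather than relying on
  # the parent directory's mode.
  workdir: /var/tmp/rpminspect
  # Location of runtime profile configuration files. These are files
  # that contain overrides for the settings in rpminspect.yaml (except
  # for the [common] section). Profiles are referred to by NAME and
  # the file would be NAME.yaml. Any profile used at runtime must
  # exist in the profile directory.
  profiledir: /usr/share/rpminspect/profiles/fedora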
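koji:
  # The root URL of the XMLRPC API provided by the Koji hub. Keep
  # this on https:// so API responses cannot be altered in transit.
  hub: https://koji.fedoraproject.org/kojihub
  # The download URL for regular packages built in Koji. Builds
  # fetched from here are what rpminspect inspects, so the URL
  # should stay https://.
  download_ursine: https://kojipkgs.fedoraproject.org
  # The download URL for modular packages built in Koji
  download_mbs: https://kojipkgs.fedoraproject.org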
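commands:
  # External helper commands used by rpminspect. Defaults are noted.
  # Give absolute paths here, as the defaults do, rather than bare
  # command names.
  #
  # diff(1) command, must support -u, -w, and -I options as defined
  # in GNU diff.
  #diff: /usr/bin/diff
  # diffstat(1) command.
  # https://invisible-island.net/diffstat/
  #diffstat: /usr/bin/diffstat
  # msgunfmt(1) as found in GNU gettext
  #msgunfmt: /usr/bin/msgunfmt
  # desktop-file-validate(1) from the desktop-file-utils project at
  # Freedesktop.org
  #desktop-file-validate: /usr/bin/desktop-file-validate
  # annocheck(1) from the annobin project:
  # https://sourceware.org/git/annobin.git
  #annocheck: /usr/bin/annocheck
  # abidiff(1) and kmidiff(1) from libabigail
  #abidiff: /usr/bin/abidiff
  #kmidiff: /usr/bin/kmidiff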
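vendor:
  # Where the vendor data files can be found. The
  # rpminspect-data-generic package provides a template of where
  # these files should live.
  #
  # These settings name the specific subdirectories. The files
  # within them depend on the data file being read. Most will have
  # filenames matching the product release (which is usually the
  # %{disttag} value for the builds).
  #
  # Main directory for the vendor-specific data.
  vendor_data_dir: /usr/share/rpminspect
  # Either the name of a license database file under the 'licenses/'
  # subdirectory in the vendor_data_dir or a full path to a license
  # database file to use. This file is used by the 'license'
  # inspection. This is a list; each entry is one database file.
  licensedb:
    - /usr/share/fedora-license-data/licenses/fedora-licenses.json
  # Which product release string to favor. By default, rpminspect
  # favors the newest product release string. You can change this
  # here to:
  #
  #   oldest    Favor the oldest product release string.
  #   newest    Favor the newest product release string (default).
  #   none      Require matching release strings.
  #
  # If this is set to anything other than 'none', rpminspect will
  # use strverscmp() to compare the strings and return the one that
  # matches based on the rule here. Setting this to any value other
  # than the ones listed here will be ignored and the default
  # behavior will remain in effect.
  #
  # The product release string tells rpminspect which vendor data
  # files to use from the vendor_data_dir.
  #favor_release: newest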
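inspections:
  # By default all inspections are enabled. You can enable and
  # disable inspections using the command line -T and -E options, or
  # you can add them to this section in the config file. The format
  # is:
  #
  #   inspection_name: [on|off]
  #
  # The default is enabled, so it is really only necessary to list
  # the inspections to disable. Here is a list of all inspections
  # with a disable setting that you can uncomment to turn off
  # certain ones.
  #
  # NOTE(review): 'on'/'off' are the values rpminspect documents for
  # this section; a generic YAML 1.1 loader would read them as
  # booleans, so keep them exactly as written here.
  #
  #abidiff: off
  #addedfiles: off
  #annocheck: off
  #arch: off
  #badfuncs: off
  #capabilities: off
  #changedfiles: off
  #changelog: off
  #config: off
  #debuginfo: off
  #desktop: off
  #disttag: off
  #doc: off
  #dsodeps: off
  #elf: off
  #emptyrpm: off
  #files: off
  #filesize: off
  #javabytecode: off
  # Fedora does not guarantee a kernel ABI
  kmidiff: off
  #kmod: off
  #license: off
  #lostpayload: off
  #lto: off
  #manpage: off
  #metadata: off
  #modularity: off
  #movedfiles: off
  #ownership: off
  #patches: off
  #pathmigration: off
  #permissions: off
  #politics: off
  #removedfiles: off
  #runpath: off
  #shellsyntax: off
  #specname: off
  #subpackages: off
  #symlinks: off
  #types: off
  #unicode: off
  #upstream: off
  #virus: off
  #xml: off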
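products:
  # Product release string matches. rpminspect uses product release
  # strings to determine what metadata files to use from the
  # rpminspect-data package. By default, rpminspect tries to figure
  # out the product by extracting the dist tag portion of the
  # Release tag in the RPM. If you are comparing two builds, the
  # product release string needs to match. If they do not match,
  # you have two options:
  #
  #   1) Specify the "-r" option and give rpminspect a product release
  #      string.
  #   2) Rely on the product release string regexps in rpminspect.yaml
  #
  # Some products may have a variety of dist tags, so you can
  # construct a regular expression (man 7 regex) to match them. For
  # example, let's say your dist tags are ".fc31, .fc31server,
  # .fc31laptop". You want to use "fc31" for all of these, so you
  # can add a rule here that looks like:
  #
  #   - fc31: ^.*\.fc31.*$
  #
  # And rpminspect will match the longer ones to fc31. By default
  # there is no product release regexp mapping enabled.
  #
  # Each entry is a single-key mapping: product release string on
  # the left, matching regular expression on the right.
  - fc28: ^.*\.fc28.*$
  - fc29: ^.*\.fc29.*$
  - fc30: ^.*\.fc30.*$
  - fc31: ^.*\.fc31.*$
  - fc32: ^.*\.fc32.*$
  - fc33: ^.*\.fc33.*$
  - fc34: ^.*\.fc34.*$
  - fc35: ^.*\.fc35.*$
  - fc36: ^.*\.fc36.*$
  - fc37: ^.*\.fc37.*$
  - fc38: ^.*\.fc38.*$
  - fc39: ^.*\.fc39.*$
  - fc40: ^.*\.fc40.*$
  - el7: ^.*\.el7.*$
  - el8: ^.*\.el8.*$
  - el9: ^.*\.el9.*$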
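macrofiles:
  # Paths to all RPM macro definitions that rpminspect should use.
  # Note that you likely want to _exclude_ ~/.rpmmacros here whereas
  # rpmbuild will include that by default. The main reason is
  # rpminspect is expected to report portability across systems and
  # any locally defined macros in your home directory can impact
  # that.
  #
  # This is a list of file paths. glob(7) syntax is allowed as are
  # RPM macros.
  - /usr/lib/rpm/macros
  - /usr/lib/rpm/macros.d/macros.*
  - /usr/lib/rpm/platform/%{_target}/macros
  - /usr/lib/rpm/fileattrs/*.attr
  - /usr/lib/rpm/redhat/macros
  - /etc/rpm/macros.*
  - /etc/rpm/macros
  - /etc/rpm/%{_target}/macros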
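ignore:
  # Sometimes you want certain files or directories ignored by
  # rpminspect. This section lets you list paths--glob(3) syntax
  # allowed--that you want rpminspect to ignore for all inspections.
  #
  # This is an array of glob(3) compatible strings to match paths
  # to ignore. With no entries the key is intentionally left empty.
  #- /path/to/ignore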
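security_path_prefix:
  # Optional: Path prefixes for files with security concerns. This
  # is an array of directory names. This setting is used by multiple
  # inspections. Files under these prefixes control privilege
  # escalation (sudo) and authorization (polkit) policy, so changes
  # to them get extra scrutiny.
  - /etc/sudoers.d/
  - /etc/polkit-1/
  - /usr/share/polkit-1/actions/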
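badwords:
  # List of unprofessional or prohibited words. rpminspect will
  # check for these words via a case-insensitive regular expression
  # test in various string data, such as the license tag and package
  # description. Please only list individual words and not phrases
  # as the test is meant to capture substrings for instances where
  # some care needs to be taken for phrasing or name abbreviations.
  #
  # This is an array, so each prohibited word needs to be a separate
  # array entry in YAML syntax.
  #
  # The bad words list is used by multiple inspections.
  - shit
  - piss
  - fuck
  - cunt
  - tits
  - cocksucker
  - motherfucker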
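metadata:
  # Required Vendor string. This is part of the RPM header and is
  # the value expected in packages checked by rpminspect.
  vendor: Fedora Project
  # Allowed build host subdomain. The RPM header contains information about
  # where the package was built. rpminspect verifies the hostnames are in
  # the expected subdomain listed below.
  #
  # This is an array of allowed subdomains. Each entry starts with a
  # dot so that it matches a host under the domain, not the bare
  # domain name itself.
  buildhost_subdomain:
    - .fedoraproject.org
    - .bos.redhat.com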
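elf:
  # File paths to include in or exclude from specific tests. Each
  # value is a POSIX extended regular expression (man 7
  # regex). Individual tests may apply additional filters (e.g., ELF
  # tests only run on ELF files).
  #
  # For ELF, skip the kernel, kernel modules, and two additional
  # paths for ppc/ppc64: crtsavres.o is linked against kernel
  # modules, and kernel-wrapper is a boot wrapper that should not be
  # inspected.
  #
  # These are regular expressions used by regex(3). See regex(7)
  # for more info.
  #include_path:
  exclude_path: (^(/boot/vmlinu|/lib/modules|/lib64/modules).*)|(.*/powerpc/lib/crtsavres.o$)|(^/usr/lib(64)?/kernel-wrapper$)
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*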
#emptyrpm:
# Optional list of packages in a build that will contain an empty
# payload. Useful for SRPMs that build metapackages that will
# always have an empty payload.
#expected_empty:
# - metapackagename
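manpage:
  # Regular expression (man 7 regex) matching man page installation
  # directories.
  include_path: ^/usr/share/man/.*
  # Regular expression (man 7 regex) matching directories to ignore
  # during the man page inspection.
  #exclude_path:
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*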
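xml:
  # Regular expression (man 7 regex) matching directories to include
  # in the xml inspection.
  #include_path:
  # Regular expression (man 7 regex) matching directories to ignore
  # during the xml inspection. Skip JSP and RHTML files, which
  # contain a mix of XML and code. Also skip HTML files and .xml.in
  # templates.
  exclude_path: .*(\.jsp|\.rhtml|\.xml\.in|\.html)$
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*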
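desktop:
  # Where desktop entry files live
  desktop_entry_files_dir: /usr/share/applications
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*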
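changedfiles:
  # Optional: Filename extensions expected for C and C++ header files.
  # Entries are matched case-sensitively, hence both '.h' and '.H'.
  header_file_extensions:
    - .h
    - .hh
    - .hxx
    - .hpp
    - .H
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*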
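addedfiles:
  # Optional: Forbidden path prefixes. This is a YAML list, one
  # prefix per entry.
  #
  # NOTE(review): only '/tmp/' carries a trailing slash; the other
  # entries are matched as bare prefixes. Confirm that is the
  # intended matching for each entry.
  forbidden_path_prefixes:
    - /tmp/
    - /var/tmp
    - /etc/init.d
    - /etc/xinetd.d
  # Optional: Forbidden path suffixes. Editor backup files and
  # patch leftovers should never ship in a package.
  forbidden_path_suffixes:
    - '~'
    - .orig
  # Optional: Forbidden directories. VCS metadata and macOS
  # archive residue should never ship in a package.
  forbidden_directories:
    - __MACOSX
    - CVS
    - .svn
    - .hg
    - .git
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*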
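ownership:
  # Path prefixes where executable files live
  bin_paths:
    - /bin
    - /sbin
    - /usr/bin
    - /usr/sbin
  # Owner name for executable files
  bin_owner: root
  # Group name for executable files
  bin_group: root
  # Optional: List of forbidden file owners. 'mockbuild' is the
  # build-environment user and must not leak into shipped files.
  forbidden_owners:
    - mockbuild
  # Optional: List of forbidden file groups
  forbidden_groups:
    - mockbuild
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*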
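shellsyntax:
  # List of shells used to perform syntax checking (must support -n).
  # This is used by the shellsyntax inspection. For every shell
  # script encountered in the build, the program will get the name
  # of the shell from the #! line and check to see if it's in this
  # list. If it is, it performs a -n check on the script and if
  # that returns non-zero, it gets reported out. NOTE: Each shell
  # listed must be listed by basename only and must support the '-n'
  # option for syntax checking.
  shells:
    - sh
    - ksh
    - zsh
    - csh
    - tcsh
    - rc
    - bash
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*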
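filesize:
  # File size reporting threshold percentage. What percentage
  # change warrants reporting a VERIFY result? This change can be
  # a file size increase or decrease.
  #
  # NOTE: you can set this to the keyword 'info' (without the single
  # quotes) to have rpminspect report all filesize changes but at
  # the INFO reporting level.
  #
  # The default is 'info' to only report changes as INFO. To enable
  # size threshold checks based on a percentage, enter the
  # percentage without the '%'. For example, to set the threshold
  # to 20%, put '20' (but without the single quotes).
  size_threshold: info
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*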
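lto:
  # Link Time Optimization symbol name prefixes. Symbols are checked
  # on ELF .o and .a files and if found, a result is generated
  # indicating .o and .a files should not carry LTO symbols since
  # the information is not portable between different versions of
  # gcc.
  lto_symbol_name_prefixes:
    - .gnu.lto_
    - .gnu.debuglto_
    - __gnu_lto_v1
    - __gnu_lto_slim
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*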
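specname:
  # Spec filename test matching type.
  # The spec filename should match the %{name} defined in the spec
  # file. For example, if the spec file sets "Name: someprogram"
  # then the spec file should be named "someprogram.spec". There
  # are cases where the spec file may vary slightly from that, so
  # you can set the match type here. It can be 'prefix', 'full', or
  # 'suffix'. Here are some examples using the someprogram example
  # above:
  #
  #   %{name}          specname           Match Type   Passes?
  #   someprogram      someprogram.spec   full         yes
  #   someprogram      some_program.spec  full         no
  #   my-someprogram   someprogram.spec   full         no
  #   my-someprogram   someprogram.spec   prefix       no
  #   my-someprogram   someprogram.spec   suffix       yes
  #   someprogram-opt  someprogram.spec   prefix       yes
  #
  # By default this inspection uses 'full' matching.
  match: full
  #match: prefix
  #match: suffix
  # Where should rpminspect get the primary name value? The
  # filename without the .spec extension or the package's %{name}
  # value? By default this is the %{name}.
  primary: name
  #primary: filename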
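annocheck:
  # Reporting severity for annocheck(1) failures. By default,
  # rpminspect will report annocheck(1) failures as a VERIFY result
  # but you can change this to any valid rpminspect result type.
  # The valid choices are:
  #   OK
  #   INFO
  #   VERIFY
  #   BAD
  #   SKIP
  # The result codes are primarily for use by systems integrating
  # rpminspect that process the results output, but the result
  # reporting level also determines what causes rpminspect to exit
  # non-zero or not. By default, any result of VERIFY or higher
  # will cause a non-zero exit of rpminspect which indicates it
  # found a failure in one of the inspections. The OK and INFO
  # levels will still report the findings but not trigger a non-zero
  # exit. The SKIP result code will skip displaying the results in
  # the output.
  #
  # NOTE(review): lowering this below VERIFY means missing
  # hardening flags reported by annocheck no longer fail the run.
  failure_severity: VERIFY
  # annocheck(1) tests to run. The left side of the colon is the
  # test name you want to use and the right side are the arguments
  # to the annocheck executable before giving it the full path to
  # the filename.
  #
  # This section is optional. If no annocheck tests are defined
  # here, rpminspect will skip the annocheck inspection.
  #
  # These job entries may be listed here or under a block named
  # 'jobs:' if you prefer.
  jobs:
    - hardened: --ignore-unknown --verbose
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*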
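javabytecode:
  # Minimum major JVM version number for each product release. The
  # key should be the product release string that you will use
  # consistently throughout the run of rpminspect (e.g., a dist tag
  # for Fedora). The value is the JVM major version. For example:
  #   fc30: 53
  # You should also always specify a default, like this:
  #   default: 43
  # If the product release string is not found, the javabytecode
  # test will use the default entry. You can have as many entries
  # as you want in this section.
  - fc28: 52
  - fc29: 52
  - fc30: 52
  - fc31: 52
  - fc32: 52
  - fc33: 55
  - fc34: 55
  - fc35: 55
  - fc36: 55
  - fc37: 55
  - fc38: 55
  - fc39: 55
  - fc40: 55
  - default: 43
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*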
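pathmigration:
  # Path migrations. Over time the established best practices or
  # packaging policies change. Directories we once used are now
  # replaced by a new directory. The 'pathmigration' inspection
  # looks for any old path names and if found reports what they
  # should be. Under this config section use the left side of the
  # colon to note the old path and the right side of the colon to
  # note the new path. For example:
  #
  #   - /bin: /usr/bin
  #
  # Any package containing a file in /bin will have a failure
  # reporting that file should be in /usr/bin.
  migrated_paths:
    - /bin: /usr/bin
    - /sbin: /usr/sbin
    - /lib: /usr/lib
    - /lib64: /usr/lib64
  # All rules have exceptions. List paths here to exclude from the
  # pathmigration rules.
  excluded_paths:
    - /lib/modules
    - /lib/firmware
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*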
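files:
  # %files sections in spec files. Some checks are performed on
  # these sections. The settings here control those checks.
  #
  # Path references that are not permitted in a %files section.
  forbidden_paths:
    - /usr/lib
  # Optional list of path prefixes to ignore when checking for
  # forbidden paths in the %files section. For example, a package
  # may need to provide files in /usr/lib/dracut but anything else
  # in /usr/lib is forbidden. In that case, list /usr/lib/dracut/
  # in the ignore list here.
  ignore:
    # location of dracut modules, not available via a macro
    - /usr/lib/dracut
    # location of udev helper binaries, not available via a macro
    - /usr/lib/udev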
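abidiff:
  # The name of the optional ABI suppression file that SRPMs can
  # include. This file is used with abidiff(1) in the abidiff
  # inspection. It is passed using the --suppressions option on
  # that command. Because it comes from the SRPM, a package can
  # silence its own ABI findings through it; review changes to this
  # file alongside the code.
  suppression_file: .abignore
  # Location where debuginfo files live in RPM packages.
  debuginfo_path: /usr/lib/debug/
  # Location of header files in RPM packages.
  include_path: /usr/include/
  # Extra arguments for the abidiff(1) program. These are put on
  # the command line before the two files being compared.
  #extra_args:
  # Security severity reporting level. ABI compatibility levels at
  # and below this number will cause abidiff(1) findings to report
  # with a security severity. For example, setting this to '2' will
  # cause packages and DSOs at ABI compatibility levels 1 and 2 to
  # report abidiff(1) findings with a security severity.
  security_level_threshold: 2
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*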
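kmidiff:
  # The name of the optional ABI suppression file that SRPMs can
  # include. This file is used with kmidiff(1) in the kmidiff
  # inspection. It is passed using the --suppressions option on
  # that command.
  suppression_file: .abignore
  # Location where debuginfo files live in RPM packages.
  debuginfo_path: /usr/lib/debug/
  # Extra arguments for the kmidiff(1) program. These are put on
  # the command line before the two files being compared.
  #extra_args:
  # Possible kernel executable file names. Usually this is
  # 'vmlinux' or 'vmlinuz', but it could be anything depending on
  # the preferences of the vendor.
  kernel_filenames:
    - vmlinux
    - vmlinuz
  # The kernel ABI (KABI) is defined in a set of per-architecture
  # files. These are usually provided in a subpackage of a kernel
  # build, but they do not have to be. This setting defines the
  # subdirectory where KABI files can be found when performing the
  # kmidiff inspection. rpminspect will search all subpackages in
  # the builds it is comparing to find this directory.
  #
  # NOTE: This directory is relative to the installed location. It
  # can be a symlink. It should not contain any ../ path references
  # and it should not end with a slash. This value will be combined
  # with the kabi_filename to form a full file path.
  #kabi_dir: /lib/modules/kabi-current
  # The kernel ABI (KABI) filenames in the kabi_dir. It is common
  # to store these per architecture. You can use $ARCH or ${ARCH}
  # to note where the architecture appears in the filename and
  # rpminspect will substitute in the applicable architecture
  # string.
  #
  # NOTE: This filename is relative to kabi_dir.
  #kabi_filename: kabi_whitelist_${ARCH}
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*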
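patches:
  # List of spec file macros that handle automatic patching. If one
  # of these is found, rpminspect will not report defined patches
  # missing corresponding %patch macros. NOTE: Do not list the
  # macros here with '%' prefixes or braces ('{' or '}'). Just list
  # their names.
  automacros:
    - autopatch
    - autosetup
    - forgeautosetup
  # List of patch files to ignore in the 'patches' inspection.
  # These should match the name as specified on a PatchN: line in
  # the spec file.
  #ignore_list:
  #  - example.patch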
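badfuncs:
  # Shared function names prohibited from executables and libraries.
  # The function names listed here are generally ones provided by
  # the system, but are deprecated in favor of more modern
  # alternatives. As a rule we do not want to make use of those but
  # only provide them to users for backwards compatibility.
  #
  # The list below covers the legacy, IPv4-only resolver and address
  # helpers and the cleartext remote-execution functions (rcmd,
  # rexec, rresvport).
  #
  # This is an array of forbidden function names.
  - gethostbyname
  - gethostbyname2
  - gethostbyaddr
  - inet_addr
  - inet_aton
  - inet_nsap_addr
  - inet_ntoa
  - inet_nsap_ntoa
  - inet_makeaddr
  - inet_netof
  - inet_network
  - inet_neta
  - inet_net_ntop
  - inet_net_pton
  - rcmd
  - rexec
  - rresvport
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*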
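runpath:
  # Allowed DT_RUNPATH and DT_RPATH path elements when the element
  # is an explicit directory (i.e., does not begin with $ORIGIN).
  # The path is resolved if "../" is found and the resulting
  # resolved path is compared against this list.
  #
  # NOTE: Path elements are matched explicitly. Trailing slashes
  # are significant. If you list "/usr/src/kernels" here but the
  # value in the ELF object is "/usr/src/kernels/", the test will
  # fail.
  #allowed_paths:
  #  - /usr/src/kernels/
  # Allowed DT_RUNPATH and DT_RPATH path elements when the value
  # begins with $ORIGIN and "../" entries are resolved. This list
  # of path elements is allowed after trimming the leading "$ORIGIN"
  # value and the optional 'origin_prefix_trim' string if one is
  # found.
  #
  # NOTE: The same trailing slash consideration applies here that
  # applies to the 'allowed_paths' list.
  allowed_origin_paths:
    - /
    - /usr
    - /lib
    - /lib64
  # Optional list of regular expressions (man 7 regex) to trim after
  # an $ORIGIN entry in DT_RPATH or DT_RUNPATH. If any of these
  # regular expressions match, the matching substring is trimmed
  # after "$ORIGIN" is trimmed and the remaining substring is
  # validated against the 'allowed_origin_paths' list.
  origin_prefix_trim:
    - ^(opt/rh/[^/]+/root/)
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*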
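types:
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection. No entries are
  # set for Fedora; the key is intentionally left empty.
  #ignore:
  #  - /usr/lib*/libexample.so*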
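unicode:
  # Regular expression to match file and directory names for
  # exclusion. Take care with making this too complicated as it may
  # become difficult to maintain over time. The regular expression
  # here is processed by regex(3) and can use POSIX Extended Regular
  # Expression syntax.
  exclude: ^(\.git|\.hg|\.desktop|\.ppd|\.txt|\.directory|ChangeLog|NEWS)$
  # List of file MIME types of files this inspection should exclude.
  # MIME types are determined by libmagic, which is how the file(1)
  # command works. Sometimes matching by MIME type does not quite
  # produce the desired results, so keep that in mind when adding to
  # this list.
  excluded_mime_types:
    - text/x-po
    - text/x-tex
    - text/x-troff
    - text/html
  # List of forbidden Unicode codepoints in source code. Codepoints
  # are written in hexadecimal notation. The case of the letters
  # does not matter. Be sure to prefix the code point with '0x'.
  #
  # The values are quoted so that a YAML loader keeps them as
  # strings instead of converting them to integers.
  #
  # The entries below are the Unicode bidirectional control
  # characters (embeddings, overrides and isolates): U+202A-U+202E
  # and U+2066-U+2069. Hidden in source text they can make the code
  # a reviewer sees differ from what the compiler parses, so their
  # presence is reported.
  forbidden_codepoints:
    - '0x202A'
    - '0x202B'
    - '0x202C'
    - '0x202D'
    - '0x202E'
    - '0x2066'
    - '0x2067'
    - '0x2068'
    - '0x2069'
  # Optional list of glob(7) specifications to match files to ignore
  # for this inspection. The format of this list is the same as the
  # global 'ignore' list. The difference is the items specified
  # here will only be used during this inspection.
  #ignore:
  #  - /usr/lib*/libexample.so*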
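debuginfo:
  # Optional list of glob(7) specifications or path prefixes to
  # match files to ignore for this inspection. The format of this
  # list is the same as the global 'ignore' list. The difference is
  # the items specified here will only be used during this
  # inspection.
  ignore:
    - /lib/modules/*
    - /usr/lib/debug/.dwz/*
    - /usr/lib/grub/*
  # The ELF section name(s) required in debuginfo packages. The
  # default is shown here. This is a space-delimited string of ELF
  # section names, not a YAML list.
  debuginfo_sections: .symtab .debug_info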