Upcoming Lintian changes

Bug #1162947 reported by Niels Thykier
This bug affects 1 person
Affects: Aptdaemon
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

There are some changes to Lintian that may affect apt-daemon[1]. These changes are currently planned to be released with 2.5.12.

=The "good"=

--profile will now accept the keyword "{VENDOR}" in its argument. Lintian will replace that keyword with the "most specific vendor" that has a profile matching the result. Example:

  --profile '{VENDOR}/aptdaemon'

would try "ubuntu/aptdaemon" and then "debian/aptdaemon" on an Ubuntu system.

New command line option --ignore-lintian-env, which will cause Lintian to ignore any environment variable starting with LINTIAN_.

=The "bad"=

We are adding XDG support so you have to account for XDG_* variables messing up stuff as well. --ignore-lintian-env will not help you here. The request bug for XDG support is #701477. Basically unsetting HOME, XDG_{CONFIG,DATA}_HOME and XDG_{CONFIG,DATA}_DIRS should keep the status quo[2].

Lintian will start to load code from its "search directories"[3]. An incorrect fix to this could lead to privilege escalation assuming Lintian is running at higher permissions than the user requesting the action. You may want to use the new --no-user-dirs and then explicitly allow trusted directories via (the new) --include-dir option. The only downside here is that Lintian will not check these directories for lintianrc files.

~Niels

#701477: http://bugs.debian.org/701477

[1] See https://bugs.launchpad.net/aptdaemon/+bug/1006327

[2] Note that XDG_{CONFIG,DATA}_DIRS technically specifies the "system" directories, but if the environment is from the user, he/she could abuse those variables.

[3] At the moment, these are (by default): ~/.lintian:/etc/lintian:/usr/share/lintian

However, they will probably be changed to include/replaced by XDG_DATA_{HOME,DIRS}.
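
The following is an added example, not part of the report and not aptdaemon or Lintian code: a sketch of how a privileged caller could combine the measures described above (dropping HOME, XDG_* and LINTIAN_* from a user-supplied environment, passing --ignore-lintian-env and --no-user-dirs, and vetting each --include-dir). The function names are hypothetical, and treating "owned by root and not group/world-writable" as the meaning of "trusted" is an assumption.

```python
import os
import stat

# Variables the report names as influencing Lintian's search paths.
DROP_EXACT = {"HOME", "XDG_CONFIG_HOME", "XDG_DATA_HOME",
              "XDG_CONFIG_DIRS", "XDG_DATA_DIRS"}


def sanitized_env(env):
    """Copy env without HOME, XDG_{CONFIG,DATA}_{HOME,DIRS} and LINTIAN_*."""
    return {k: v for k, v in env.items()
            if k not in DROP_EXACT and not k.startswith("LINTIAN_")}


def is_trusted_dir(path, owner_uid=0):
    """True if path resolves to a directory owned by owner_uid that is not
    writable by group or others (only the directory itself is checked)."""
    try:
        st = os.stat(os.path.realpath(path))
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == owner_uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def lintian_argv(package, include_dirs, owner_uid=0,
                 profile="{VENDOR}/aptdaemon"):
    """Build the argument list; refuse any include dir that is not trusted."""
    argv = ["lintian", "--ignore-lintian-env", "--no-user-dirs"]
    for d in include_dirs:
        if not is_trusted_dir(d, owner_uid):
            raise ValueError("untrusted include dir: %r" % d)
        argv += ["--include-dir", os.path.realpath(d)]
    argv += ["--profile", profile, package]
    return argv


if __name__ == "__main__":
    # Constructed sample environment, as a user-controlled caller might supply.
    sample = {"PATH": "/usr/bin", "HOME": "/tmp/evil",
              "XDG_DATA_DIRS": "/tmp/evil", "LINTIAN_PROFILE": "evil/profile"}
    print(sanitized_env(sample))
    print(lintian_argv("/path/to/package.deb", []))
    # A caller would then run the argv with env=sanitized_env(os.environ).
```
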
