Bugs to fix
===========

[B2] Lintian looks for the private header 'SONAME' to detect shared
libraries.  This is not reliable, since some libraries don't have
one.  It could parse the 'file' output to find out for sure.  But
it shouldn't treat libraries without SONAME identically to libraries
with; often they're special.

[B3] Lintian fails obscurely if LINTIAN_ROOT is a relative path.
It should detect this, and compensate by prefixing it with the current
directory.

Tags to look at
===============

[T9] changelog-file-missing-in-native-package
Some of these do have changelog.Debian files.  Perhaps a new tag
native-package-has-debian-changelog is in order.

[T12] bad-permissions-for-etc-emacs-script
Should take new emacsen policy into account.  Currently it does not look in
etc/xemacs.

[T16] init.d-script-not-included-in-package
Check these:
inewsinn: init.d-script-not-included-in-package /etc/init.d/inn
sysvinit: init.d-script-not-included-in-package /etc/init.d/"$@"

[T17] init.d-script-not-marked-as-conffile
This is strange; check how lintian figures out what filename to look for.
sysvinit: init.d-script-not-marked-as-conffile /etc/init.d/"$@"

[T22] manpage-has-wrong-extension
Check what man-db does with this:
E: emacs19: manpage-has-wrong-extension usr/man/man1/ctags.1emacs19.gz
and this:
E: tclmidi: manpage-has-wrong-extension usr/man/man3/midiconf.tclmidi3.gz

[T31] non-dev-pkg-with-shlib-symlink
Description could be clearer.

[T32] non-standard-dir-perm
Scan this list for overrides.

[T33] obsolete-ldconfig-call-in-postinst
Find out why it complains about libpgtcl.

[T43] script-not-executable
This tag contradicts executable-in-usr-doc, for scripts in /usr/doc.
Something should be done to resolve this, even if only a "script-in-usr-doc"
tag.

[T52] shlib-missing-in-control-file
Check if "ldconfig-symlink-missing-for-shlib" is confusing lintian with
plplot and plplot-tcl.

[T53] shlib-missing-in-control-file and friends
devless library packages could be detected by the lack of a number in
their name.

[T54] maintainer-script-does-not-check-for-existence-of-updatemenus
Should be renamed; it wants -x, not -f or -e.


Desired features (large)
========================

[L1] A collection script that can (efficiently!) search all files for
a large number of strings or regexps, and collect the results.  It
should be able to look inside compressed files.

This will help with [S1] and [S2], as well as improve the
spelling-error check a great deal.  (Currently the spelling-error
check can only search specific files that were already collected, such
as the copyright file and the README.Debian file.)

[L2] A 'directories' check to go along with the 'files' check, which
checks that a package does not install files in directories not
permitted by the fhs/fsstnd.

This covers both the use of obsolete directory symlinks (such as
/usr/adm), and random directories outside the areas reserved for
package-specific directories.

The first was suggested in bug#20453, reported by Adrian Bridgett
<adrian.bridgett@poboxes.com>.  The second was suggested in bug#24474,
reported by Marcus Brinkmann <brinkmds@rz.ruhr-uni-bochum.de>.

It should also check things like: only xbase should use /usr/bin/X11.

[L5] Write an overlaps check that can use the lintian lab rather than the
Contents file.  This has several advantages:
  - The lintian lab is updated daily, not weekly.
  - Information about package relationships is always available, and always 
    in sync with the file lists.
  - There is more information in a lintian index than in a Contents file.
    In particular, symlinks are listed, and directories are listed for
    every package that provides them.  (No package should install files
    via a directory-symlink provided by another package).
  - The conffile lists are available.  Overlaps for conffiles are stricter,
    because they are not removed with the package.  (This was pointed
    out in bug#23712, by Yann Dirson <ydirson@mygale.org>).
Disadvantage:
  - A lab is available for only one architecture, and one distribution.
    Setting up multiple labs is very expensive.

[L6] Maintainer scripts should not touch conffiles of other packages
(or even their own, actually).  We may be able to just grep these
scripts for any conffile names.  The best approach would be to link
this to the info generated in [L5], which should get us a list of
conffiles.

(James Troup suggested that we could also grep for /etc/passwd or
/etc/group, which are still owned by a definite package.)

See also [M1].

[L7] Suggested by Ray Dassen <jdassen@wi.leidenuniv.nl>:
(I'm not sure if this is a good idea. -- Richard)

A warning for binaries that are linked against X libraries but
installed outside the designated X binaries directories.  E.g. bezerk
is a binary linked against GTK (thus, requiring X). In the package,
it's installed in /usr/bin.

It should be a warning, not an error, as the fact that a binary has
been linked against X libraries does not mean that it runs in X only.
For example, /usr/bin/vim is linked against Xaw, but runs perfectly
fine outside X.

[L9] Warn about manpages installed in man1 or man8 (or man6?) for which
no matching binary is installed.  This will probably require the manpages
check to be restructured.
Suggested by James Troup <james@nocrew.org>.

[L10] Look for binaries that are linked with a library that specifically
supplies user interaction, and warn if there is no menu entry for that
binary.  According to Yann Dirson:

Most of these apps can be identified, when they are linked against a
specific lib for user interaction, and that will even show what the
menu "needs" will be:

text:     ncurses   readline
console:  svgalib
x11:      Xt  qt  gtk?  gnomeui?    (maybe libX11 is sufficient?)

[L11] Check /bin/sh scripts for bashisms somehow.

[L12] Improve the infrastructure for source packages.  There should at
least be an index of files in the source package, and the debian/
directory should be available at unpack level 1.  Then some checks
can be written.

[L13] Have the html-report scripts read an "archive" tagfile, and
merge in those tags with the per-package reports.  This allows the
results of the dependency checks (and other cross-archive checks) to
be combined with the reports for the individual packages.

[L15] Joey Hess observed that the tags emitted by the check scripts
have "W:" or "E:", and this has to match the "Type:" field in the
.desc file.  That is annoying.  Maybe the frontend can use the Type
field to add the W: or E:, and then the check scripts can just output
the tag and arguments.  (Going one step further... they don't even
need to output the package name).

An alternative is to remove the "Type" header from the desc field, 
and rely solely on the identifying letter.  I don't know if the Type
field is even used anywhere.

[L16] Lintian was supposed to collect override information from a
variety of sources, but it still looks only in its global override file.

It would be nice if maintainers could specify the overrides for their
package without having to go through me, particularly as the number of
packages keeps growing.

On the other hand, I'd like to keep an eye on the overrides, because
they may point at bugs in lintian, and because I have received a
number of override requests that were mistaken.

Maybe I could fix both problems by having the regular lintian archive
check log all such overrides that aren't in its own file, and mail
them to me.

Now I need to figure out a good place for maintainers to put this
information.

[L19] Parse menu-methods files, so that lintian does not warn about
unknown needs= values for which the package itself installs a method.

[L20] Check the icon tag, and check that the package installs that
icon file, and check that it's of the right size and colourset.

[L21] Convert known-scripts tables in the scripts check to the same kind
of mechanism used by the perl check.  (A list of filenames of interpreters,
together with the necessary dependencies)

[L22] Lintian's self-test is too fragile.  It needs revamping.

Desired features (small)
========================

[S1] Scan for the string "/usr/tmp" in all files; it is not useful
anywhere.

[S2] Scan for the string "Debian/GNU Linux" (and variations?) in all
files; it should be "Debian GNU/Linux".

[S3] In connection with [L5], write a little doc explaining the various
ways to deal with package overlaps.

[S4] Find a way to deal with strange filenames that have characters
with the high bit set.  Currently they get munged by tar's output, and
demunging them would be too expensive since there's only one of them
in the whole distribution.  tar might also munge characters like
backslash and newline, I haven't checked.  (It's probably forced to
munge newline, to keep its format sane.)

[S5] Check that listed conffiles are actually installed by the package.

[S8] In source packages, check that the debian/copyright file mentions
"LGPL" if the COPYING file is the LGPL.  (We may be able to cheat and
do a size check; the LGPL is longer than the GPL.)

[S9] Lintian should supply a policy upgrade checklist that concentrates
on the aspects not checked by lintian itself, and refer to it in its
info for the ancient-standards-field tag.

[S10] Packaging manual 3.2.5 says that the debian/files file should
not exist in a shipped source file.  If packages get this wrong, they
are hard to autocompile on other architectures.

This is easy to check, once there is better support for source
packages (see [L12]).

[S12] Drop the "Order" field for collection scripts, have them use
"Needs-Info" like the check scripts.

[S14] Some of the overrides (for example those for libc6) contain
version numbers in filenames.  That means they get outdated pretty
easily, and there's no mechanism to even notice this.  This needs
to be fixed.  A small fix might be to display the "unused overrides"
per package and not just globally.  A better one would be to allow
some sort of wildcard for the version number.

[S15] Give a warning for packages that have a single Architecture in
their source control file, and it's not "any" or "all".  (It's a common
mistake for maintainers to list their own architecture, when it should
be "any").

Suppress this warning if there are .S files in the package, or when 
the package is non-free and it contains ELF binaries.

[S16] Warn about packages in debian-native format that have a dash in the
version number.

[S17] The 'scripts' check should take some shortcuts if the 'scripts' file
has length 0.  Currently it reads the whole index file, etc.

[S18] The perlmod collector script looks at files with perl-like
extensions, and at files that start with a #! line that mentions perl.
It could also look at files that have "-*- perl -*-" on the first line
(which is an emacs convention for using perl-mode on that file).

[S23] Add info-level tag to report manpages linked to "undocumented".

[S24] Warn about binaries in usr/share

[S25] Modify scripts collector to collect entire first line, and do something
smart with /usr/bin/env.

[S27] If a README.Debian starts with "foo for DEBIAN", check if foo is
really the package name (or the source package name)

[S28] Check the command= tag in menu files, to see if the command it
invokes really exists.

[S29] Check for two more bashisms:
  bash supports "source" which should be "." in sh scripts.
  bash supports ">&" which should be "2>/dev/null 1>&2".
  Both were suggested by Gregory S. Stark <gsstark@mit.edu>

[S30] If a package uses suidregister, check that it is called in both
  the postinst and the postrm.  See bug#29444, reported by Matthias Klose.

[S31] Warn about programs that use dangerous functions, such as gets and getwd.
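
One way the [S31] check could work, as an added sketch that is not Lintian code: scan `objdump -T` output for undefined (imported) dynamic symbols and match them exactly against the two functions named above. The sample output and the binary name are constructed for illustration.

```python
# Functions the TODO item names as dangerous.
DANGEROUS = {"gets", "getwd"}

# Constructed `objdump -T` output for a hypothetical binary usr/bin/demo.
SAMPLE_OBJDUMP_T = """\
usr/bin/demo:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 gets
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 fgets
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000001139 g    DF .text  0000000000000016  Base        gets_wrapper
0000000000001150 g    DF .text  0000000000000020  Base        getwd
"""


def imported_symbols(objdump_output):
    """Return the set of symbols the binary imports (section *UND*)."""
    symbols = set()
    for line in objdump_output.splitlines():
        fields = line.split()
        # Symbol rows have the section in one column and the name last.
        # Only undefined symbols are calls into another library.
        if len(fields) >= 4 and "*UND*" in fields:
            symbols.add(fields[-1])
    return symbols


def dangerous_imports(objdump_output):
    """Return the dangerous functions the binary imports, sorted.

    Matching is on the whole symbol name, so fgets and gets_wrapper do
    not count, and a getwd that the binary defines itself (in .text)
    is not reported as a use of the library function.
    """
    return sorted(DANGEROUS & imported_symbols(objdump_output))


if __name__ == "__main__":
    for name in dangerous_imports(SAMPLE_OBJDUMP_T):
        print("usr/bin/demo imports", name)
```
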

[S32] copyright-file-is-lgpl tag

[S33] Check for scripts in /bin or /sbin that have interpreters in /usr.
It's not useful to have such scripts on the root filesystem.
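
A sketch of how [S25] and [S33] fit together, added here and not taken from Lintian: keep the whole `#!` line, resolve `/usr/bin/env` to the program it runs, and flag scripts under bin/ or sbin/ whose interpreter lives in /usr. The function names and sample scripts are hypothetical; paths have no leading slash, as in the tag output quoted elsewhere in this file.

```python
def script_interpreter(first_line):
    """Return (interpreter_path, program) for a '#!' line, else None.

    program equals interpreter_path unless the interpreter is env, in
    which case it is the first argument that is neither an option nor
    a VAR=value assignment.
    """
    if not first_line.startswith("#!"):
        return None
    words = first_line[2:].split()
    if not words:
        return None
    interp, args = words[0], words[1:]
    program = interp
    if interp.rsplit("/", 1)[-1] == "env":
        for arg in args:
            if arg.startswith("-") or "=" in arg:
                continue
            program = arg
            break
    return interp, program


def check_root_script(path, first_line):
    """Return (path, interpreter, program) if a script on the root
    filesystem needs an interpreter from /usr, else None."""
    if not path.startswith(("bin/", "sbin/")):
        return None
    found = script_interpreter(first_line)
    if found is None or not found[0].startswith("/usr/"):
        return None
    return (path,) + found


# Constructed sample: (path in package, first line of file).
SAMPLE_SCRIPTS = [
    ("bin/mktool", "#!/usr/bin/perl -w"),
    ("sbin/netsetup", "#! /usr/bin/env python"),
    ("bin/plain", "#!/bin/sh"),
    ("usr/bin/report", "#!/usr/bin/perl"),
    ("bin/binary", "\x7fELF"),
]


def flagged(scripts):
    """Run the check over (path, first_line) pairs; keep the hits."""
    hits = (check_root_script(p, line) for p, line in scripts)
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for path, interp, program in flagged(SAMPLE_SCRIPTS):
        print(path, "uses", interp, "to run", program)
```
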

Desired features (tiny)
=======================

[t3] Make a link to the lintian-stats graphs created by Joey Hess,
for the oh-nifty value.  Perhaps log some more interesting stats,
such as lintian version and which distribution is checked.

[t4] Lintian should mention where the web page output of the regular
lintian scans can be found.

[t6] Run checks in a more fixed order, so that output from different
lintian versions is easier to compare.

[t8] Check for use of "chmod -R g-ws" in debian/rules (should be
"chmod -R go=rX").

[t9] Give filename as tag argument for old-style-copyright-file

Major projects
==============

[M1] Write a shell script tokenizer, so that lintian can tell the
difference between a command and an argument (and the exact span of
quoted arguments), and is not confused by things like commands split
over multiple lines.

This would allow lintian's checks on shell scripts to be much more
accurate, perhaps with limited support for shell variables, and
some awareness of flow of control.  (The latter is important for
checking that some things are not done in the "abort-" cases, etc).
A bashisms check would also be feasible.

[M2] Lintian is slow.  One reason for this is its multiple-scripts
design.  If the check and collection scripts could be changed to
perl modules that can be used directly by the frontend, this would
have several speed advantages:
  - The modules would be compiled only once, even if more than one
    package is checked.
  - Only one perl interpreter has to be started, rather than one
    for each script.  (Starting a perl interpreter takes about 0.05 seconds
    on my computer.  With 25 scripts and 1500 packages, that's half an hour!)
  - The modules can share commonly used data, such as the contents of
    the index file.  Currently that gets re-parsed by every script
    that needs it.
  - The modules can use a library for common functions, rather than
    including them in every script.  This makes maintenance easier,
    and cuts down on compilation time.
Despite all the above, I do not want to make modules mandatory.
Lintian should retain its capability to work with scripts written in
any language.  The easiest way to do this is to define a "Module: yes"
flag for the top of the .desc file, so that lintian knows whether to
execute a script or to use it as a module.  This also provides an
easy path for gradual conversion of the existing scripts.

[M3] Multi-architecture support.  Currently Lintian cannot properly
check binary packages for architectures other than the host system,
because it relies on objdump which is generally compiled with support
for only one system.

Also, I do not even know if lintian can correctly handle .changes files
with binary packages compiled for more than one architecture.  There
is no room in the laboratory layout for multiple binary packages of
the same name.

These problems stand in the way of running lintian automatically on
all new uploads.

[M4] It would be nice if lintian could be run on a fully built
source package, right before the dpkg --build (or possibly right
after it), to avoid the overhead of packing and unpacking the
files.  (Suggestion by Adam Heath.)

This involves adapting the unpack scripts and collector scripts to
work from such an unpacked package.  (If the unpack scripts are done
right, changing the collector scripts might not be necessary.  The
DEBIAN/ dir is a potential problem, though.)

The disadvantage is that lintian can't do certain checks this way
(namely, checking the unpackability of binary and source); the
advantage is that if it's faster, more people may use it.

Policy changes to suggest
=========================

[P1] Policy on compressed files:
  - If files are compressed at all, they must be compressed with max
    compression.   (This would eliminate some redundant checks from lintian)
  - "small" should be defined, when deciding what should be compressed.
  - Section 5.3 should say that documentation need not be compressed
    if it won't work when compressed, and give a list of common file
    formats that won't work when compressed.

[P2] Changelog policy is due for an overhaul.

[P3] Policy on package names should refer to the packaging manual.

[P4] "Standards-Version" field is useless and should be dropped.

