# # rpminspect configuration file # # SPDX-License-Identifier: CC-BY-SA-4.0 # --- common: # Directory where individual rpminspect jobs will expand packages # and generate all of the test output. This needs to be a # location with plenty of storage space. workdir: /var/tmp/rpminspect # Location of runtime profile configuration files. These are files # that contain overrides for the settings in rpminspect.yaml (except # for the [common] section). Profiles are referred to by NAME and # the file would be NAME.yaml. Any profile used at runtime must # exist in the profile directory. profiledir: /usr/share/rpminspect/profiles/fedora koji: # The root URL of the XMLRPC API provided by the Koji hub hub: https://koji.fedoraproject.org/kojihub # The download URL for regular packages built in Koji download_ursine: https://kojipkgs.fedoraproject.org # The download URL for modular packages built in Koji download_mbs: https://kojipkgs.fedoraproject.org commands: # External helper commands used by rpminspect. Defaults are noted. # diff(1) command, must support -u, -w, and -I options as defined # in GNU diff. #diff: /usr/bin/diff # diffstat(1) command. # https://invisible-island.net/diffstat/ #diffstat: /usr/bin/diffstat # msgunfmt(1) as found in GNU gettext #msgunfmt: /usr/bin/msgunfmt # desktop-file-validate(1) from the desktop-file-utils project at # Freedesktop.org #desktop-file-validate: /usr/bin/desktop-file-validate # annocheck(1) from the annobin project: # https://sourceware.org/git/annobin.git #annocheck: /usr/bin/annocheck # abidiff(1) and kmidiff(1) from libabigail #abidiff: /usr/bin/abidiff #kmidiff: /usr/bin/kmidiff vendor: # Where the vendor data files can be found. The # rpminspect-data-generic package provides a template of where # these files should live. # # These settings name the specific subdirectories. The files # within them depend on the data file being read. Most will have # filenames matching the product release (which is usually the # %{disttag} value for the builds. # Main directory for the vendor-specific data. vendor_data_dir: /usr/share/rpminspect # Either the name of a license database file under the 'licenses/' # subdirectory in the vendor_data_dir or a full path to a license # database file to use. This file is used by the 'license' # inspection. licensedb: - /usr/share/fedora-license-data/licenses/fedora-licenses.json # Which product release string to favor. By default, rpminspect # favors the newest product release string. You can change this # here to: # # oldest Favor the oldest product release string. # newest Favor the newest product release string (default). # none Require matching release strings. # # If this is set to anything other than 'none', rpminspect will # use strverscmp() to compare the strings and return the one that # matches based on the rule here. Setting this any value other # than the ones listed here will be ignored and the default # behavior will remain in effect. # # The product release string tells rpminspect which vendor data # files to use from the vendor_data_dir. #favor_release: newest inspections: # By default all inspections are enabled. You can enable and # disable inspections using the command line -T and -E options, or # you can add them to this section in the config file. The format # is: # # inspection_name: [on|off] # # The default is enabled, so it is really only necessary to list # the inspections to disable. Here is a list of all inspections # with a disable setting that you can uncomment to turn off # certain ones. # #abidiff: off #addedfiles: off #annocheck: off #arch: off #badfuncs: off #capabilities: off #changedfiles: off #changelog: off #config: off #debuginfo: off #desktop: off #disttag: off #doc: off #dsodeps: off #elf: off #emptyrpm: off #files: off #filesize: off #javabytecode: off # Fedora does not guarantee a kernel ABI kmidiff: off #kmod: off #license: off #lostpayload: off #lto: off #manpage: off #metadata: off #modularity: off #movedfiles: off #ownership: off #patches: off #pathmigration: off #permissions: off #politics: off #removedfiles: off #runpath: off #shellsyntax: off #specname: off #subpackages: off #symlinks: off #types: off #unicode: off #upstream: off #virus: off #xml: off products: # Product release string matches. rpminspect uses product release # strings to determine what metadata files to use from the # rpminspect-data package. By default, rpminspect tries to figure # out the product by extracting the dist tag portion of the # Release tag in the RPM. If you are comparing two builds, the # product release string needs to match. If they do not match, # you have two options: # # 1) Specify the "-r" option and give rpminspect a product release # string. # 2) Rely on the product release string regexps in rpminspect.yaml # # Some products may have a variety of dist tags, so you can # construct a regular expression (man 7 regex) to match them. For # example, let's say your dist tags are ".fc31, .fc31server, # .fc31laptop". You want to use "fc31" for all of these, so you # can add a rule here that looks like: # # - fc31: ^.*\.fc31.*$ # # And rpminspect will match the longer ones to fc31. By default # there is no product release regexp mapping enabled. - fc28: ^.*\.fc28.*$ - fc29: ^.*\.fc29.*$ - fc30: ^.*\.fc30.*$ - fc31: ^.*\.fc31.*$ - fc32: ^.*\.fc32.*$ - fc33: ^.*\.fc33.*$ - fc34: ^.*\.fc34.*$ - fc35: ^.*\.fc35.*$ - fc36: ^.*\.fc36.*$ - fc37: ^.*\.fc37.*$ - fc38: ^.*\.fc38.*$ - fc39: ^.*\.fc39.*$ macrofiles: # Paths to all RPM macro definitions that rpminspect should use. # Note that you likely want to _exclude_ ~/.rpmmacros here whereas # rpmbuild will include that by default. The main reason is # rpminspect is expecting to report portability across system and # any locally defined macros in your home directory can impact # that. # # This is a list of file paths. glob(7) syntax is allowed as are # RPM macros. - /usr/lib/rpm/macros - /usr/lib/rpm/macros.d/macros.* - /usr/lib/rpm/platform/%{_target}/macros - /usr/lib/rpm/fileattrs/*.attr - /usr/lib/rpm/redhat/macros - /etc/rpm/macros.* - /etc/rpm/macros - /etc/rpm/%{_target}/macros ignore: # Sometimes you want certain files or directories ignored by # rpminspect. This section lets you list paths--glob(3) syntax # allowed--that you want rpminspect to ignore for all inspections. # # This is an array of glob(3) compatible strings to match paths # to ignore. - /usr/lib*/python?.?/site-packages/__pycache__ - /usr/lib*/python?.?/site-packages/*/*.pyc - /usr/lib*/python?.?/site-packages/*/*.pyo security_path_prefix: # Optional: Path prefixes for files with security concerns. This # is an array of directory names. This setting is used by multiple # inspections. - /etc/sudoers.d/ - /etc/polkit-1/ - /usr/share/polkit-1/actions/ badwords: # List of unprofessional or prohibited words. rpminspect will # check for these words via a case-insensitive regular expression # test in various string data, such as the license tag and package # description. Please only list individual words and not phrases # as the test is meant to capture substrings for instances where # some care needs to be taken for phrasing or name abbreviations. # # This is an array, so each prohibited word needs to be a separate # array entry in YAML syntax. # # The bad words list is used by multiple inspections. - shit - piss - fuck - cunt - tits - cocksucker - motherfucker metadata: # Required Vendor string. This is part of the RPM header and is # the value expected in packages checked by rpminspect. vendor: Fedora Project # Allowed build host subdomain. The RPM header contains information about # where the package was built. rpminspect verifies the hostnames are in # the expected subdomain listed below. # # This is an array of allowed subdomains. buildhost_subdomain: - .fedoraproject.org - .bos.redhat.com elf: # File paths to include in or exclude from specific tests. Each # value is a POSIX extended regular expression (man 7 # regex). Individual tests may apply additional filters (e.g., ELF # tests only run on ELF files) # # For ELF, skip the kernel, kernel modules, and two additional # paths for ppc/ppc64: crtsavres.o is linked against kernel # modules, and kernel-wrapper is a boot wrapper that should not be # inspected. # # These are regular expressions used by regex(3). See regex(7) # for more info. #include_path: exclude_path: (^(/boot/vmlinu|/lib/modules|/lib64/modules).*)|(.*/powerpc/lib/crtsavres.o$)|(^/usr/lib(64)?/kernel-wrapper$) # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* #emptyrpm: # Optional list of packages in a build that will contain an empty # payload. Useful for SRPMs that build metapackages that will # always have an empty payload. #expected_empty: # - metapackagename manpage: # Regular expression (man 7 regex) matching man page installation # directories. include_path: ^/usr/share/man/.* # Regular expression (man 7 regex) matching directories to ignore # during the man page inspection. #exclude_path: # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* xml: # Regular expression (man 7 regex) matching directories to include # in the xml expression. #include_path: # Regular expression (man 7 regex) matching directories to ignore # during the xml inspection. Skip JSP and RHTML files, which # contain a mix of XML and code. Also skip HTML files. exclude_path: .*(\.jsp|\.rhtml|\.xml\.in|\.html)$ # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* desktop: # Where desktop entry files live desktop_entry_files_dir: /usr/share/applications # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* changedfiles: # Optional: Filename extensions expected for C and C++ header files header_file_extensions: - .h - .hh - .hxx - .hpp - .H # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* addedfiles: # Optional: Forbidden path prefixes, space delimited list. forbidden_path_prefixes: - /tmp/ - /var/tmp - /etc/init.d - /etc/xinetd.d # Optional: Forbidden path suffixes. forbidden_path_suffixes: - '~' - .orig # Optional: Forbidden directories. forbidden_directories: - __MACOSX - CVS - .svn - .hg - .git # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* ownership: # Path prefixes where executable files live bin_paths: - /bin - /sbin - /usr/bin - /usr/sbin # Owner name for executable files bin_owner: root # Group name for executable files bin_group: root # Optional: List of forbidden file owners forbidden_owners: - mockbuild # Optional: List of forbidden file groups forbidden_groups: - mockbuild # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* shellsyntax: # List of shells used to perform syntax checking (must support -n) # This is used by the shellsyntax inspection. For every shell # script encountered in the build, the program will get the name # of the shell from the #! line and check to see if it's in this # list. If it is, it performs a -n check on the script and if # that returns non-zero, it gets reported out. NOTE: Each shell # listed must be listed by basename only and must support the '-n' # option for syntax checking. shells: - sh - ksh - zsh - csh - tcsh - rc - bash # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* filesize: # File size reporting threshold percentage. What percentage # change warrants reporting a VERIFY result? This change can be # file size increase or decrease. # # NOTE: you can set this to the keyword 'info' (without the single # quotes) to have rpminspect report all filesize changes but at # the INFO reporting level. # # The default is 'info' to only report changes as INFO. To enable # size threshold checks based on a percentage, enter the # percentage without the '%'. For example, to set the threshold # to 20%, put '20' (but without the single quotes). size_threshold: info # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* lto: # Link Time Optimization symbol name prefixes. Symbols are checked # on ELF .o and .a files and if found, a result is generated # indicating .o and .a files should not carry LTO symbols since # the information is not portable between different versions of # gcc. lto_symbol_name_prefixes: - .gnu.lto_ - .gnu.debuglto_ - __gnu_lto_v1 - __gnu_lto_slim # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* specname: # Spec filename test matching type. # The spec filename should match the %{name} defined in the spec # file. For example. If the spec file sets "Name: someprogram" # then the spec file should be named "someprogram.spec". There # are cases where the spec file may vary slightly from that, so # you can set the match type here. It can be 'prefix', 'full', or # 'suffix'. Here are some examples using the someprogram example # above: # # %{name} specname Match Type Passes? # someprogram someprogram.spec full yes # someprogram some_program.spec full no # my-someprogram someprogram.spec full no # my-someprogram someprogram.spec prefix no # my-someprogram someprogram.spec suffix yes # someprogram-opt someprogram.spec prefix yes # # By default this inspection uses 'full' matching. match: full #match: prefix #match: suffix # Where should rpminspect get the primary name value? The # filename without the .spec extension or the package's %{name} # value? By default this is the %{name}. primary: name #primary: filename annocheck: # Reporting severity for annocheck(1) failures. By default, # rpminspect will report annocheck(1) failures as a VERIFY result # but you can change this to any valid rpminspect result type. # The valid choices are: # OK # INFO # VERIFY # BAD # SKIP # The result codes are primarily for use by systems integrating # rpminspect and process the results output, but the result # reporting level also determines what causes rpminspect to exit # non-zero or not. By default, any result of VERIFY or higher # will cause a non-zero exit of rpminspect which indicates it # found an failure in one of the inspections. The OK and INFO # levels will still report the findings but not trigger a non-zero # exit. The SKIP result code will skip displaying the results in # the output. failure_severity: VERIFY # annocheck(1) tests to run. The left side of the colon is the # test name you want to use and the right side are the arguments # to the annocheck executable before giving it the full path to # the filename. # # This section is optional. If no annocheck tests are defined # here, rpminspect will skip the annocheck inspection. # # These job entries may be listed here or under a block named # 'jobs:' if you prefer. jobs: - hardened: --ignore-unknown --verbose # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* javabytecode: # Minimum major JVM version number for each product release. The # key should be the product release string that you will use # consistently throughout the run of rpminspect (e.g., a dist tag # for Fedora). The value is the JVM major version. For example: # fc30: 53 # You should also always specify a default, like this: # default: 43 # If the product release string is not found, the javabytecode # test will use the default entry. You can have as many entries # as you want in this section. - fc28: 52 - fc29: 52 - fc30: 52 - fc31: 52 - fc32: 52 - fc33: 55 - fc34: 55 - fc35: 55 - fc36: 55 - fc37: 55 - fc38: 55 - fc39: 55 - default: 43 # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* pathmigration: # Path migrations. Over time the established best practices or # packaging policies change. Directories we once used are now # replaced by a new directory. The 'pathmigration' inspection # looks for any old path names and if found reports what they # should be. Under this config section use the left side of the # colon to note the old path and the right side of the colon to # note the new path. For example: # # - /bin: /usr/bin # # Any package containing a file in /bin will have a failure # reporting that file should be in /usr/bin. migrated_paths: - /bin: /usr/bin - /sbin: /usr/sbin - /lib: /usr/lib - /lib64: /usr/lib64 # All rules have exceptions. List paths here to exclude from the # pathmigration rules. excluded_paths: - /lib/modules - /lib/firmware # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* files: # %files sections in spec files. Some checks are performed on # these sections. The settings here control those checks. # # Path references that are not permitted in a %files section. forbidden_paths: - /usr/lib # Optional list of path prefixes to ignore when checking for # forbidden paths in the %files section. For example, a package # may need to provide files in /usr/lib/dracut but anything else # in /usr/lib is forbidden. In that case, list /usr/lib/dracut/ # in the ignore list here. ignore: # location of dracut modules, not available via a macro - /usr/lib/dracut # location of udev helper binaries, not available via a macro - /usr/lib/udev abidiff: # The name of the optional ABI suppression file that SRPMs can # include. This file is used with abidiff(1) in the abidiff # inspection. It is passed using the --suppressions option on # that command. suppression_file: .abignore # Location where debuginfo files live in RPM packages. debuginfo_path: /usr/lib/debug/ # Location of header files in RPM packages. include_path: /usr/include/ # Extra arguments for the abidiff(1) program. These are put on # the command line before the two files being compared. #extra_args: # Security severity reporting level. ABI compatibility levels at # and below this number will cause abidiff(1) findings to report # with a security severity. For example, setting this to '2' will # cause packages and DSOs at ABI compatibility levels 1 and 2 to # report abidiff(1) findings with a security severity. security_level_threshold: 2 # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* kmidiff: # The name of the optional ABI suppression file that SRPMs can # include. This file is used with kmidiff(1) in the kmidiff # inspection. It is passed using the --suppressions option on # that command. suppression_file: .abignore # Location where debuginfo files live in RPM packages. debuginfo_path: /usr/lib/debug/ # Extra arguments for the kmidiff(1) program. These are put on # the command line before the two files being compared. #extra_args: # Possible kernel executable file names. Usually this is # 'vmlinux' or 'vmlinuz', but it could be anything depending on # the preferences of the vendor. kernel_filenames: - vmlinux - vmlinuz # The kernel ABI (KABI) is defined in a set of per-architecture # files. These are usually provided in a subpackage of a kernel # build, but they do not have to be. This setting defines the # subdirectory where KABI files can be found when performing the # kmidiff inspection. rpminspect will search all subpackages in # the builds it is comparing to find this directory. # # NOTE: This directory is relative to the installed location. It # can be a symlink. It should not contain any ../ path references # and it should not end with a slash. This value will combined # with the kabi_filename to contain a full file path. #kabi_dir: /lib/modules/kabi-current # The kernel ABI (KABI) filenames in the kabi_dir. It is common # to store these per architecture. You can use $ARCH or ${ARCH} # to note where the architecture appears in the filename and # rpminspect will substitute in the applicable architecture # string. # # NOTE: This filename is relative to kabi_dir. #kabi_filename: kabi_whitelist_${ARCH} # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* patches: # List of spec file macros that handle automatic patching. If one # of these is found, rpminspect will not report defined patches # missing corresponding %patch macros. NOTE: Do not list the # macros here with '%' prefixes or braces ('{' or '}'). Just list # their names. automacros: - autopatch - autosetup - forgeautosetup # List of patch files to ignore in the 'patches' inspection. # These should match the name as specified on a PatchN: line in # the spec file. #ignore_list: # - example.patch badfuncs: # Shared function names prohibited from executables and libraries. # The function names listed here are generally ones provided by # the system, but are deprecated in favor of more modern # alternatives. As a rule we do not want to make use of those but # only provide them to users for backwards compatibility. # This is an array of forbidden function names. - gethostbyname - gethostbyname2 - gethostbyaddr - inet_addr - inet_aton - inet_nsap_addr - inet_ntoa - inet_nsap_ntoa - inet_makeaddr - inet_netof - inet_network - inet_neta - inet_net_ntop - inet_net_pton - rcmd - rexec - rresvport # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* runpath: # Allowed DT_RUNPATH and DT_RPATH path elements when the element # is an explicit directory (i.e., does not begin with $ORIGIN). # The path is resolved if "../" is found and the resulting # resolved path is compared against this list. # # NOTE: Path elements are matched explicitly. Trailing slashes # are significant. If you list "/usr/src/kernels" here but the # value in the ELF object is "/usr/src/kernels/", the test will # fail. #allowed_paths: # - /usr/src/kernels/ # Allowed DT_RUNPATH and DT_RPATH path elements when the value # begins with $ORIGIN and "../" entries are resolved. This list # of path elements is allowed after trimming the leading "$ORIGIN" # value and the optional 'origin_prefix_trim' string if one is # found. # # NOTE: The same trailing slash consideration applies here that # applies to the 'allowed_paths' list. allowed_origin_paths: - / - /usr - /lib - /lib64 # Optional list of regular expressions (man 7 regex) to trim after # an $ORIGIN entry in DT_RPATH or DT_RUNPATH. If any of these # regular expressions match, the matching substring is trimmed # after "$ORIGIN" is trimmed and the remaining substring is # validated against the 'allowed_origin_paths' list. origin_prefix_trim: - ^(opt/rh/[^/]+/root/) # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* types: # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* unicode: # Regular expression to match file and directory names for # exclusion. Take care with making this too complicated as it may # become difficult to maintain over time. The regular expression # here is processed by regex(3) and can use POSIX Extended Regular # Expression syntax. exclude: ^(\.git|\.hg|\.desktop|\.ppd|\.txt|\.directory|ChangeLog|NEWS)$ # List of file MIME types of files this inspection should exclude. # MIME types are determined by libmagic, which is how the file(1) # command works. Sometimes matching by MIME type does not quit # produce the desired results, so keep that in mind when adding to # this list. excluded_mime_types: - text/x-po - text/x-tex - text/x-troff - text/html # List of forbidden Unicode codepoints in source code. Codepoints # are written in hexidecimal notation. The case of the letters # does not matter. Be sure to prefix the code point with '0x'. forbidden_codepoints: - '0x202A' - '0x202B' - '0x202C' - '0x202D' - '0x202E' - '0x2066' - '0x2067' - '0x2068' - '0x2069' # Optional list of glob(7) specifications to match files to ignore # for this inspection. The format of this list is the same as the # global 'ignore' list. The difference is the items specified # here will only be used during this inspection. #ignore: # - /usr/lib*/libexample.so* debuginfo: # Optional list of glob(7) specifications or path prefixes to # match files to ignore for this inspection. The format of this # list is the same as the global 'ignore' list. The difference is # the items specified here will only be used during this # inspection. ignore: - /lib/modules/* - /usr/lib/debug/.dwz/* - /usr/lib/grub/* # The ELF section name(s) required in debuginfo packages. The # default is shown here. This is a space-delimited string of ELF # section names. debuginfo_sections: .symtab .debug_info