#
# This file contains descriptions for rpmgrill message codes.
# (FIXME: clarify)
#
# This file is automatically generated. DO NOT EDIT.
#
# Generated Tue May 14 10:19:51 2013 by make-tooltips v0.0
#------------------------------------------------------------------------------
# The file below contains a series of stanzas of the form:
#
#    |<Plugin>
#    |  <description of this plugin>
#    |  <vertical bar, two spaces, then text>
#
#    <Code>
#      <description of this test code>
#      <exactly two leading spaces should be stripped>
###############################################################################
# BEGIN RPM::Grill::Plugin::VirusCheck

|VirusCheck
|  This module runs clamav against files in an rpm. Silly as that may seem,
|  there may be customers who run clamav and may be concerned to see it trigger.
|  This module may help us avoid an embarrassment in the field.

ClamAV
  <p>The <a href="http://www.clamav.net/">ClamAV</a> antivirus tool has found
  something suspicious in your package. This is so unlikely, so
  rare, so exceptional, that it's gotta be worth looking into.</p>
  
  <p>A warning from this test needs investigating. First, because there are
  customers who run automated virus scans on incoming software and might
  not appreciate having to investigate a trigger coming from Red Hat
  software. Second, and much less likely (but not impossible) because
  it might be a real problem.</p>

ClamAVinternalerror
  <p>FIXME- this cannot happen.</p>

BitDefender
  <p>The <a href="http://www.bitdefender.com/">BitDefender antivirus tool</a> has
  claimed to have found a problem. As of 2012-10-23 this is EXPERIMENTAL.</p>
  
  <p>A warning from this test needs investigating. First, because there are
  customers who run automated virus scans on incoming software and might
  not appreciate having to investigate a trigger coming from Red Hat
  software. Second, and much less likely (but not impossible) because
  it might be a real problem.</p>

BdScanFailed
  <p>The <a href="http://www.bitdefender.com/">BitDefender antivirus tool</a>
  failed to run. As of December 2012 this is because we don't have
  a license. Ignore this.</p>

BdScanMissingResults
  <p>The <a href="http://www.bitdefender.com/">BitDefender antivirus tool</a>
  claims to have run successfully, but produced no output. This
  is unexpected. It should not happen.</p>

AvScan
  <p>FIXME: the AvScan test is not in production.</p>

AvScanFailed
  <p>FIXME: the AvScan test is not in production.</p>

AvScanMissingResults
  <p>FIXME: the AvScan test is not in production.</p>

# END   RPM::Grill::Plugin::VirusCheck
###############################################################################
# BEGIN RPM::Grill::Plugin::SpecFileSanity

|SpecFileSanity
|  * looks for commented-out macros (which don't do what you think)

MacroSurprise
  <p>Did you know that RPM expands macros even inside comments?</p>
  
  <p>Sometimes this is OK: %{name}, %{version}. But when %{foo} is
  a multi-line macro, or %if, or %patch, this can cause unpleasant
  surprises. As of May 2012 this test will only trigger on a
  certain well-defined list of hazardous macros: patch, if, else,
  endif, define. (It used to trigger on %anything, but that gave
  way too much noise). This list may need to be refined over time.</p>
  
  <p><b>Recommendation</b>: Double-percent all macros in comments: %%{name}</p>

ChangelogMissing
  <p>There is no %changelog section in your specfile. Can this happen?</p>

ChangelogEmpty
  <p>The %changelog section in your specfile is empty. This error doesn't
  sound like it could happen, but it does.</p>

ChangelogOnlyNeedsVR
  <p>You included your package name in the %changelog entry. All you need
  is the Version-Release.
  See <a href="http://fedoraproject.org/wiki/Packaging:Guidelines#Changelogs">http://fedoraproject.org/wiki/Packaging:Guidelines#Changelogs</a></p>

ChangelogCruftInVersion
  <p>The version string in your first %changelog entry includes unnecessary
  cruft.</p>

ChangelogWrongEpoch
  <p>You included an epoch in your %changelog entry, but it's the wrong one.</p>

ChangelogUnexpectedEpoch
  <p>You included an epoch in your %changelog entry, but the specfile itself
  does not define an Epoch.</p>

ChangelogBadVersion
  <p>The version string in your first %changelog entry does not match the
  one defined in the package specfile.</p>

ChangelogBadRelease
  <p>The release string in your first %changelog entry does not match the
  one defined in the package specfile.</p>

ChangelogWeirdLine
  <p>I could not parse the first line of the %changelog section in your specfile.
  See <a href="http://fedoraproject.org/wiki/Packaging:Guidelines#Changelogs">http://fedoraproject.org/wiki/Packaging:Guidelines#Changelogs</a></p>

ChangelogLeadingWhitespace
  <p>You've indented a line in a changelog message, perhaps for clarity,
  but that indentation will not survive rpmbuild. Customers who run
  <code>rpm -q --changelog</code> will see that line without any leading whitespace.
  This is probably not a cataclysmic source of confusion, but please
  check anyway.</p>

ChangelogMacros
  <p>Percent signs in .spec files get expanded as macros. When you
  write "Replaced /bin with %{bindir}", <code>rpm -q --changelog</code> will
  show "Replaced /bin with /bin". Confusing. The excerpt in the
  gripe message shows you what you wrote and what customers will see.</p>
  
  <p>Solution: <b>double up percent signs: %%{foo}</b>.</p>

ChangelogWrongWeekday
  <p>A specfile %changelog entry has a mismatch between the weekday
  and the date. There is no automated way to know which is correct.
  This needs human intervention.</p>

# END   RPM::Grill::Plugin::SpecFileSanity
###############################################################################
# BEGIN RPM::Grill::Plugin::SpecFileEncoding

|SpecFileEncoding
|  This module warns about non-UTF8 characters in the specfile.

NonUtf8
  <p>Packaging guidelines require that the rpm specfile be encoded in UTF-8.
  This message code indicates that your specfile includes characters
  that are not valid in UTF-8.</p>
  
  <p>FIXME: link to packaging guidelines</p>

# END   RPM::Grill::Plugin::SpecFileEncoding
###############################################################################
# BEGIN RPM::Grill::Plugin::LibGather

|LibGather
|  This module does not report any tests. It is an internal data-collection
|  module used to gather information which can later be used by other tools.

# END   RPM::Grill::Plugin::LibGather
###############################################################################
# BEGIN RPM::Grill::Plugin::ElfChecks

|ElfChecks
|  This plugin examines ELF attributes of binary files.

BadRpath
  
PiePartialRelro
  <p>FIXME</p>

PieNotRelro
  <p>File compiled with PIE but not RELRO.</p>
  
  <p>FIXME: I don't remember why this is important.</p>

LibMissingRELRO
  <p>Library file not compiled with RELRO or PIE.</p>
  
  <p>FIXME: I don't remember why this is important.</p>

SetuidMissingRELRO
  <p>Setuid executable not compiled with RELRO.</p>

SetgidMissingRELRO
  <p>Setgid executable not compiled with RELRO.</p>

DaemonMissingRELRO
  <p>Daemon executable not compiled with RELRO.
  Note that we use heuristics to identify daemons, and these may result in
  false positives (we identify "foo" as a daemon but it really isn't) and
  false negatives (we fail to identify "bar" as a daemon, and don't check
  it for RELRO).</p>

SetuidPartialRELRO
  <p>Setuid executable compiled with only <i>partial</i> RELRO (RHEL6 requires <i>full</i>).</p>

SetgidPartialRELRO
  <p>Setgid executable compiled with only <i>partial</i> RELRO (RHEL6 requires <i>full</i>).</p>

DaemonPartialRELRO
  <p>Daemon executable compiled with only <i>partial</i> RELRO (RHEL6 requires <i>full</i>).
  Note that we use heuristics to identify daemons, and these may result in
  false positives (we identify "foo" as a daemon but it really isn't) and
  false negatives (we fail to identify "bar" as a daemon, and don't check it for RELRO).</p>

ElfHasStabs
  <p>Executable has been compiled with <code>-gstabs</code>. This can cause strange
  problems.</p>

SupplementalGroups
  <p>ELF binary or library is setuid/setgid but does not take steps to protect
  against group leakage. Solution involves using <code>setgroups()</code> or <code>initgroups()</code>.</p>

# END   RPM::Grill::Plugin::ElfChecks
###############################################################################
# BEGIN RPM::Grill::Plugin::Patches

|Patches
|  This module checks for unapplied patches and for bad values of fuzz.

DuplicatePatch
  <p>Multiple definitions seen for <code>PatchNN</code>.
  This is often caused by a <code>%if</code> in the specfile, but
  it could also be an unintentional duplication.</p>

BadPatchFuzz
  <p>Overriding patch's fuzz factor is a bad idea. It means: "those
  three lines of context that diff provides? Toss some of those
  away, and try again". You can end up with code that compiles
  but is silently corrupt. There really is no reason for this.
  Why not take the time to regenerate your patches?</p>

# END   RPM::Grill::Plugin::Patches
###############################################################################
# BEGIN RPM::Grill::Plugin::SecurityPolicy

|SecurityPolicy
|  FIXME: see bz876281

PolkitError
  <p>Unexpected error. We run xsltproc against a polkit file; the command
  is always expected to return with exit code 0 (success). This error
  indicates that we got nonzero (error) status.</p>

PolkitSelf
  <p>The policy shipped in your package contains a default result
  <tt>auth_self</tt> or <tt>auth_self_keep</tt>. These will allow <b>any</b>
  user to perform the action by supplying their own password, which they
  presumably know because they were able to log in and invoke the action
  in the first place. The <tt>auth_self*</tt> results are therefore
  inappropriate for any actions that could affect the
  system-wide behavior or other users.</p>
  
  <p>Usually, a more appropriate default result is <tt><b>auth_admin</b></tt>
  or <tt><b>auth_admin_keep</b></tt>; these protect the system against
  unprivileged users. (Single-user desktops can still be configured
  to only use the user's password by adding the user to the "wheel" group.)</p>

RubyAdvisoryDB
  <p>Package may be affected by a Ruby Gem CVE. This test compares the Gem
  name and version (but not the release) against a master list of
  <a href="https://github.com/rubysec/ruby-advisory-db">known vulnerabilities</a>.
  If the name+version match a known CVE, this warning is triggered.</p>

  <p>If you have backported a fix, please include the string
  <code>Fix CVE-YYYY-NNNN</code> in your specfile's %changelog section. This
  will silence the warning for a given CVE.</p>

SuspiciousPath
  <p>Package contains a PATH assignment that includes a suspicious path component
  (one of home, tmp or local).</p>

# END   RPM::Grill::Plugin::SecurityPolicy
###############################################################################
# BEGIN RPM::Grill::Plugin::Multilib

|Multilib
|  This module tests for multilib incompatibilities, i.e. conflicts that
|  will prevent 32- and 64-bit versions of a package from being installed
|  together.
|  
|  This may not be important for your package. Perhaps your package will
|  never be installed multilib. There is no mechanism for determining
|  that.

MultilibMismatch
  <p>The 64- and 32-bit versions of FILE differ. This means that yum/rpm
  will refuse to install both versions at once. Please don't blame
  rpmgrill for this: we're just reporting a potential problem. If this
  package will never ever ever be installed multilib, you can ignore
  this warning.</p>

DepGenDisabled
  <p>Build has multilib errors which may be caused by having turned off
  RPM's internal dependency generator. This is horrendously complicated,
  but try starting here:
  <a href="http://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Usage">http://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Usage</a></p>

# END   RPM::Grill::Plugin::Multilib
###############################################################################
# BEGIN RPM::Grill::Plugin::Manifest

|Manifest
|  This module runs a variety of tests on the RPM manifest, i.e.
|  the list of files shipped in an RPM.

UnownedDirectory
  <p>Your package claims ownership of the parent directory, and at least
  one subdirectory inside the complained-about directory, but not the
  complained-about directory itself. You probably need to fix this
  using the rpm <code>%dir</code> directive in your specfile.</p>
  
  <p>See <a href="https://fedoraproject.org/wiki/Packaging:UnownedDirectories">https://fedoraproject.org/wiki/Packaging:UnownedDirectories</a></p>

NonFHS
  <p>Your package ships a file or directory underneath a protected
  part of the Filesystem Hierarchy Standard (e.g. <code>/usr/local</code>).
  See <a href="http://www.pathname.com/fhs/">http://www.pathname.com/fhs/</a>.</p>

NonSystemdFile
  <p>As of Fedora 17, <code>/etc/init.d</code> is obsolete. All packages should be
  using <b>systemd</b>.
  See <a href="https://fedoraproject.org/wiki/Packaging:Systemd">https://fedoraproject.org/wiki/Packaging:Systemd</a></p>

MoveToUsr
  <p>Fedora 17 and RHEL7 are doing away with <code>/bin</code>, <code>/sbin</code>, and <code>/lib*</code>.
  Your package has one or more files that are still living there. These
  should be moved to the corresponding place under <code>/usr</code>.
  See <a href="http://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge">freedesktop.org</a>.</p>

BinfileBadOwner
  <p>Non-setuid files under <code>/bin</code>, <code>/usr/bin</code>, <code>/sbin</code>, or <code>/usr/sbin</code>;
  and ELF DSOs; must be owned by user root.</p>

BinfileBadGroup
  <p>Non-setgid files under <code>/bin</code>, <code>/usr/bin</code>, <code>/sbin</code>, or <code>/usr/sbin</code>;
  and ELF DSOs; must be owned by group root.</p>

# END   RPM::Grill::Plugin::Manifest
###############################################################################
# BEGIN RPM::Grill::Plugin::ManPages

|ManPages
|  This module checks man pages for validity, and checks that
|  man pages are present for all important executables.

ManPageUnknownExtension
  <p>The file extension of a man page should be .<code>section</code>.gz, where
  <code>section</code> is a digit or the letter "n" perhaps followed by more
  letters: .1.gz, .0pm.gz, .8.gz</p>

ManPageBadGzip
  <p>Although the man page ends in <code>.gz</code>, gzip encountered an error
  trying to decompress it. See diagnostic message for more info.
  This probably means that the file isn't gzip'ed even though it
  ends in .gz.</p>

ManPageReadError
  <p>Encountered an error reading the man page file. This error is not
  likely to happen; if it does, the maintainer of this tool needs to know
  about it.</p>

ManPageNoContent
  <p>We look for certain key roff macros in the file content; these
  macros are expected in all man pages. This diagnostic means that none
  of those macros appear in the man page file.</p>

ManPageMissing
  <p>Certain files are expected to have corresponding man pages; as
  of 2012-11-28 the rule is that: (a) any executable regular
  file <code>foo</code> in <code>/bin</code> <code>/sbin</code> <code>/usr/sbin</code> or <code>/etc/init.d</code>;
  or (b) any file marked as <code>%config</code> in the specfile; should have a
  corresponding man page in <code>/usr/share/man</code>.</p>
  
  <p>Hint: if you see this warning on a file in /etc, reassess whether
  you should be marking the file as <code>%config</code>: if it's not meant to
  be touched by a sysadmin, it probably shouldn't be <code>%config</code>.</p>

# END   RPM::Grill::Plugin::ManPages
###############################################################################
# BEGIN RPM::Grill::Plugin::RpmScripts

|RpmScripts
|  This module checks for problems in the rpm install scripts,
|  such as running 'useradd' with the wrong uid.

UseraddNoHomedir
  <p>Invocation of <code>useradd</code> without an explicit home directory.</p>

UseraddBadShell
  <p>Invocation of <code>useradd</code> with an unexpected login shell: the expectation
  is that the shell will be <code>/sbin/nologin</code>.</p>

UseraddNoShell
  <p>Invocation of <code>useradd</code> without a -s/--shell option. This is probably bad.</p>

UseraddWrongUid
  <p>Invocation of <code>useradd</code> with the wrong numeric UID for an account.
  This error means that there <b>is</b> a UID defined for the user in
  the <b>setup</b> package. You should be using that UID.</p>

UseraddUnknownUid
  <p>Blah blah FIXME</p>

UseraddCheckUid
  <p>This is a case that rpmgrill can't realistically verify on its own, because
  rpm macros and/or shell environment variables may not expand the same way
  in the rpmgrill environment as they do in real life.</p>

UseraddNoUid
  <p>Invoking <code>useradd</code> without an explicit UID.</p>

GroupaddWrongGid
  
GroupaddCheckGid
  <p>This is a case that rpmgrill can't realistically verify on its own, because
  rpm macros and/or shell environment variables may not expand the same way
  in the rpmgrill environment as they do in real life.</p>

# END   RPM::Grill::Plugin::RpmScripts
###############################################################################
# BEGIN RPM::Grill::Plugin::Setxid

|Setxid
|  This plugin warns about setxid (setuid, setgid) files not on the
|  authorized whitelist.

SetuidDirectory
  <p>There is no reason to have a Setuid directory. Perhaps you meant to
  make it set<b>g</b>id (group)?</p>

UnauthorizedSetxid
  <p>rpmgrill found a setuid/setgid file which is <b>not on the whitelist</b>.</p>
  
  <p>All setgid directories and setuid/setgid files must be enumerated in
  a trusted whitelist. This whitelist is maintained by FIXME.</p>
  
  <p>The whitelist lists both file path and package. It is possible for this
  test to trigger if your RPM provides a setxid file that another package
  also provides, e.g. <code>/usr/bin/crontab</code>. If this is intentional and desired,
  the whitelist maintainer can add your RPM+file as well.</p>

WrongFileMode
  <p>rpmgrill found a setuid/setgid file which is whitelisted, but
  the file <b>permissions don't match</b> what's specified in the whitelist.</p>
  
  <p>All setgid directories and setuid/setgid files must be enumerated in
  a trusted whitelist. This whitelist is maintained by FIXME.</p>

WrongFileUser
  <p>rpmgrill found a setuid/setgid file which is whitelisted, but
  the file <b>owner doesn't match</b> the one specified in the whitelist.</p>
  
  <p>All setgid directories and setuid/setgid files must be enumerated in
  a trusted whitelist. This whitelist is maintained by FIXME.</p>

WrongFileGroup
  <p>rpmgrill found a setuid/setgid file which is whitelisted, but
  the file <b>group doesn't match</b> the one specified in the whitelist.</p>
  
  <p>All setgid directories and setuid/setgid files must be enumerated in
  a trusted whitelist. This whitelist is maintained by FIXME.</p>

# END   RPM::Grill::Plugin::Setxid
###############################################################################
# BEGIN RPM::Grill::Plugin::BuildLog

|BuildLog
|  This module scans the build logs (all arches), looking for
|  and griping about common warnings. These are warnings that
|  may still result in a successful build but which could result
|  in broken or insecure executables.

MacroExpansion
  <p>This test has not yet triggered. If it does, it probably means you
  have something like this in your specfile:</p>
  
  <pre>    (cd subdir; %patch ...)</pre>
  
  
  <p>...which looks sane until you realize that <code>%patch</code> only works
  at the beginning of a line in the specfile, and something like
  the above is interpreted by the shell, which uses percent as
  job control.</p>

BufferOverflow
  <p>Your build log includes the words <code>will always overflow destination buffer</code>,
  which indicate a gcc warning that might be worth double-checking.</p>

TypePun
  <p>This can often be fixed by adding <code>-fno-strict-aliasing</code> to CFLAGS.</p>

IntegerOverflow
  <p>See <a href="https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow">securecoding.cert.org</a> for much more information.</p>

BrokenMemset
  <p>Your build log includes the words <code>memset used with constant zero length parameter</code>.</p>

PatchApply
  <p>Possibly corrupt patch. You are encouraged to investigate.</p>

MakeError
  <p>Possible error trapped by 'make'. This indicates the presence of
  <code>make [...] Error</code> somewhere in the log.</p>

MiscBuildError
  <p>Possible error in the build log. This indicates the presence of
  <code>failed with exit status:</code> somewhere in the log.</p>

# END   RPM::Grill::Plugin::BuildLog
###############################################################################
# BEGIN RPM::Grill::Plugin::DesktopLint

|DesktopLint
|  This module checks for common problems in .desktop files. We run
|  the RHEL 'desktop-file-validate' program, and also run consistency
|  checks of our own on the Exec and Icon lines.

DesktopFileValidation
  <p>rpmgrill invokes <code>desktop-file-validate</code> on .desktop files.
  This is the output from that command.</p>

DesktopExecFileMissing
  <p>Your .desktop file includes <code>Exec=<i>foo</i></code>, but
  there's no /usr/bin/<i>foo</i> in this package or any of its subpackages.
  This probably means that <i>foo</i> is provided by a dependency.</p>

DesktopExecFileUnexecutable
  <p>Your .desktop file includes <code>Exec=<i>foo</i></code>, but
  the corresponding bin file is not world-executable.</p>

DesktopExecMissingReq
  <p>Your .desktop file uses htmlview or xdg-open, but your specfile
  does not have a matching <code>Requires:</code> line for that tool.</p>

DesktopIconFileMissing
  <p>Your .desktop file specifies an icon which is not present in this package.</p>
  
  <p>FIXME: this is probably a false alarm, because the icon may be in
  another package. But there's not really any way for us to
  know or test that. Should we just remove this test?</p>

DesktopIconFileUnreadable
  <p>Your .desktop file specifies an icon which is not world-readable.</p>

# END   RPM::Grill::Plugin::DesktopLint
###############################################################################
