From 344e2a492a776601c7e3b1843102d6918ba30cf0 Mon Sep 17 00:00:00 2001
From: Holger Levsen <holger@layer-acht.org>
Date: Fri, 2 Jun 2017 13:18:04 +0200
Subject: reproducible Debian: fixup directory name and remake link

Signed-off-by: Holger Levsen <holger@layer-acht.org>
---
 .../p64b-armhf-rb/usr/local/bin/dsa-check-packages | 362 +++++++++++++++++++++
 1 file changed, 362 insertions(+)
 create mode 100755 hosts/p64b-armhf-rb/usr/local/bin/dsa-check-packages

(limited to 'hosts/p64b-armhf-rb/usr/local/bin/dsa-check-packages')

diff --git a/hosts/p64b-armhf-rb/usr/local/bin/dsa-check-packages b/hosts/p64b-armhf-rb/usr/local/bin/dsa-check-packages
new file mode 100755
index 00000000..28844e5a
--- /dev/null
+++ b/hosts/p64b-armhf-rb/usr/local/bin/dsa-check-packages
@@ -0,0 +1,362 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter@palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+	'OK'            => 0,
+	'WARNING'       => 1,
+	'CRITICAL'      => 2,
+	'UNKNOWN'       => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+	my ($newexit) = @_;
+	die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+	if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+		$EXITCODE = $newexit;
+	};
+}
+
+
+
+sub get_packages {
+	$ENV{'COLUMNS'} = 1000;
+	$ENV{'LC_ALL'} = 'C';
+	open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+	my @lines = <F>;
+	close(F);
+	chomp(@lines);
+
+	my $line;
+	my $has_arch = 0;
+	while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+		if ($line =~ /Architecture/) { $has_arch = 1; }
+	}
+
+	my %pkgs;
+	for $line (@lines) {
+		my ($state, $pkg, $version, $arch, undef) = split(/  */, $line);
+		$arch = '' unless $has_arch;
+		$pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+	}
+
+	my $installed = $pkgs{'ii'};
+	delete $pkgs{'ii'};
+
+	my @installed_packages = keys(%$installed);
+	my @cmd = ("apt-cache", "policy", @installed_packages);
+
+	open my $olderr, ">&STDERR"   or die "Can't dup STDERR: $!";
+	open     STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+	open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+	@lines = <F>;
+	close(F);
+	open STDERR, ">&", $olderr  or die "Can't dup OLDERR: $!";
+	chomp(@lines);
+
+	my $pkgname = undef;
+	my $candidate_found = 0;
+	while (defined($line = shift @lines)) {
+		if ($line =~ /^([^ ]*):$/) {
+			# when we have multi-arch capable fu, we require that
+			# apt-cache policy output is in the same order as its
+			# arguments.
+			#
+			# We needs thi, because the output block in apt-cache
+			# policy does not show the arch:
+			#
+			# | weasel@stanley:~$ apt-cache policy libedit2:amd64
+			# | libedit2:
+			# |   Installed: 2.11-20080614-5
+			# |   Candidate: 2.11-20080614-5
+			#
+			# We replace the package name in the output with the
+			# one we asked for ($pkg:$arch) - but to match this up
+			# sanely we need the order to be correct.
+			#
+			# For squeeze systems (no m-a), apt-cache policy output
+			# is all different.
+			$pkgname = $1;
+			$candidate_found = 0;
+			if ($has_arch) {
+				my $from_list = shift @installed_packages;
+				next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+				my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+				my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+				if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386.  dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+				    $ma_fix_pkgname eq $from_list) {
+					$pkgname = $from_list;
+				} else {
+					die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+				}
+			}
+		} elsif ($line =~ /^ +Installed: (.*)$/) {
+			# etch dpkg -l does not print epochs, so use this info, it's better
+			$installed->{$pkgname}{'installed'} = $1;
+			# initialize security-update
+			$installed->{$pkgname}{'security-update'} = 0;
+		} elsif ($line =~ /^ +Candidate: (.*)$/) {
+			$installed->{$pkgname}{'candidate'} = $1;
+		} elsif ($line =~ /     ([^ ]+) [0-9]+/) {
+			# check if the next lines show the sources of our candidate
+			if ($1 eq $installed->{$pkgname}{'candidate'}) {
+				$candidate_found = 1;
+			}
+		} elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) {
+			$installed->{$pkgname}{'security-update'} = 1;
+		} elsif ($line =~ /^ +\*\*\*/) {
+			$line = shift @lines;
+			my @l = split(/ +/, $line);
+			$installed->{$pkgname}{'origin'} = $l[2];
+			$candidate_found = 0;
+		}
+	}
+
+	my (%current, %obsolete, %outofdate, %security_outofdate);
+	for my $pkgname (keys %$installed) {
+		my $pkg = $installed->{$pkgname};
+
+		unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+
+		if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+			if ($pkg->{'security-update'}) {
+				$security_outofdate{$pkgname} = $pkg;
+			} else {
+				$outofdate{$pkgname} = $pkg;
+			}
+			next;
+		};
+		if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+			$obsolete{$pkgname} = $pkg;
+			next;
+		}
+		$current{$pkgname} = $pkg;
+	}
+
+	$pkgs{'current'} = \%current;
+	$pkgs{'outofdate'} = \%outofdate;
+	$pkgs{'security_outofdate'} = \%security_outofdate;
+	$pkgs{'obsolete'} = \%obsolete;
+	return \%pkgs;
+}
+
+sub load_ignores {
+	my ($ignorefiles, $require_file) = @_;
+
+	my @ignores;
+
+	for my $ignoreitem (@$ignorefiles) {
+		next if (!$require_file and ! -e $ignoreitem);
+
+		my @filestoopen;
+		if (-d $ignoreitem) {
+			opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+			@filestoopen = readdir(DIR);
+			closedir(DIR);
+
+			@filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+			@filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+			@filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+			@filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+		} else {
+			push @filestoopen, $ignoreitem;
+		}
+
+		for my $f (@filestoopen) {
+			open (F, "< $f") or die ("Cannot open $f: $!\n");
+			push @ignores, <F>;
+			close F;
+		}
+	}
+	chomp(@ignores);
+	return \@ignores;
+}
+
+sub check_ignore {
+	my ($pkg, $ignores) = @_;
+
+	my $ignore_this = 0;
+	for my $ignore (@$ignores) {
+		my $ig = $ignore;
+		return 1 if ($ig eq $pkg);
+		if (substr($ig,0,1) eq '/') {
+			substr($ig, 0, 1, '');
+			$ig =~ s,/$,,;
+			return 1 if ($pkg =~ /$ig/);
+		}
+	}
+	return 0
+}
+
+sub filter_ignored {
+	my ($packages, $ignores) = @_;
+
+	my $obs = $packages->{'obsolete'};
+
+	my (%ignored, %bad);
+	for my $pkg (keys %$obs) {
+		if (check_ignore($pkg, $ignores)) {
+			$ignored{$pkg} = $obs->{$pkg};
+		} else {
+			$bad{$pkg} = $obs->{$pkg};
+		};
+	}
+	delete $packages->{'obsolete'};
+	$packages->{'obsolete'} = \%bad;
+	$packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+	my ($fd, $exit) = @_;
+	print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+	exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+	usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+	$ignorefile_userset = 1;
+	$ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+	{ 'key' => 'obsolete',
+	  'listpackages' => 1,
+	  'long' => "%d local or obsolete packages: %s",
+	  'short' => "%d obs/loc",
+	  'perf' => "obs_loc=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d out of date packages: %s",
+	  'short' => "%d updates",
+	  'perf' => "outdated=%d;1;5;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'current',
+	  'listpackages' => 0,
+	  'long' => "%d packages current.",
+	  'short' => "%d ok",
+	  'perf' => "current=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'obsolete-ignored',
+	  'listpackages' => 1,
+	  'long' => "%d whitelisted local or obsolete packages: %s",
+	  'short' => "%d obs/loc(ignored)",
+	  'perf' => "obs_ign=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'rc',
+	  'listpackages' => 1,
+	  'long' => "%d packages removed but not purged: %s",
+	  'short' => "%d rc",
+	  'perf' => "rm_unprg=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'hi',
+	  'listpackages' => 1,
+	  'long' => "%d packages on hold: %s",
+	  'short' => "%d hi",
+	  'perf' => "hold=%d;;;0",
+	  'status' => 'OK' },
+	{ 'key' => 'pc',
+	  'listpackages' => 1,
+	  'long' => "%d packages requested to be purged but conffiles still installed: %s",
+	  'short' => "%d pc",
+	  'perf' => "prg_conf=%d;1;;0",
+	  'status' => 'WARNING' },
+	{ 'key' => 'security_outofdate',
+	  'listpackages' => 1,
+	  'long' => "%d packages with outstanding security updates: %s",
+	  'short' => "%d security-updates",
+	  'perf' => "security_outdated=%d;;1;0",
+	  'status' => 'CRITICAL' },
+	);
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+	my $pkgs = $packages->{$form->{'key'}};
+	delete $packages->{$form->{'key'}};
+	my $num = scalar keys %$pkgs;
+	push @perfout, sprintf($form->{'perf'}, $num);
+	next unless ($num > 0);
+	if ($form->{'listpackages'}) {
+		my $list = join(", ", keys %$pkgs);
+		push @longout, sprintf($form->{'long'}, $num, $list);
+	} else {
+		push @longout, sprintf($form->{'long'}, $num);
+	};
+	push @shortout, sprintf($form->{'short'}, $num);
+	record($form->{'status'});
+};
+if (scalar keys %$packages) {
+	record('WARNING');
+	unshift @shortout, "unk: ".join(", ", keys %$packages);
+	for my $status (sort {$b cmp $a} keys %$packages) {
+		my $pkgs = $packages->{$status};
+		my $list = join(", ", keys %$pkgs);
+		unshift @longout, "Unknown package status $status: $list";
+	};
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
-- 
cgit v1.2.3-54-g00ecf