authorGuillem Jover <guillem@debian.org>2018-12-02 03:35:49 +0100
committerGuillem Jover <guillem@debian.org>2019-02-23 16:18:38 +0100
commit13cad525ffbcbfba47863ea41024415ac25f7974 (patch)
tree91090089e34c12c50d207601975fb2d796b00e16
parent967e990834995a6b3f8d3aa9d2cb12e7a97abdda (diff)
dpkg-genbuildinfo: Add support for a new Build-Tainted-By field
This field will contain a list of tainting reason tags, which can denote that the current build has potentially been broken. Suggested-by: Alexander E. Patrakov <patrakov@gmail.com>
-rw-r--r--debian/changelog2
-rw-r--r--man/deb-buildinfo.man11
-rw-r--r--scripts/Dpkg/Control/FieldsCore.pm7
-rw-r--r--scripts/Dpkg/Vendor/Debian.pm10
-rw-r--r--scripts/Dpkg/Vendor/Default.pm10
-rwxr-xr-xscripts/dpkg-genbuildinfo.pl2
-rw-r--r--scripts/t/Dpkg_Control_Fields.t5
7 files changed, 44 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 7006c9093..58a306652 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,8 @@ dpkg (1.19.5) UNRELEASED; urgency=medium
Closes: #922039
* dpkg-maintscript-helper: Restrict find for dir-to-symlink move to
-maxdepth 1. Thanks to Ralf Treinen <treinen@free.fr>. Closes: #922799
+ * dpkg-genbuildinfo: Add support for a new Build-Tainted-By field in
+ .buildinfo files. Suggested by Alexander E. Patrakov <patrakov@gmail.com>.
* Documentation:
- start-stop-daemon(1): Document behavior of --pidfile security checks.
Closes: #921557
diff --git a/man/deb-buildinfo.man b/man/deb-buildinfo.man
index 5013aa047..1a1ddc7d1 100644
--- a/man/deb-buildinfo.man
+++ b/man/deb-buildinfo.man
@@ -149,6 +149,17 @@ via some pattern match to avoid leaking possibly sensitive information.
On Debian and derivatives only build paths starting with \fI/build/\fP
will emit this field.
.TP
+.B Build\-Tainted\-By:
+.TQ
+.I " taint-reason-list"
+This folded field contains a space-separated list of non-exhausitve reason
+tags (formed by alphanumeric and dash characters) which identify why the
+current build has been tainted (since dpkg 1.19.5).
+.IP
+On Debian and derivatives the following reason tags can be emitted:
+.RS
+.RE
+.TP
.BR Installed\-Build\-Depends: " (required)"
.TQ
.I " package-list"
diff --git a/scripts/Dpkg/Control/FieldsCore.pm b/scripts/Dpkg/Control/FieldsCore.pm
index b100366e1..f460433fc 100644
--- a/scripts/Dpkg/Control/FieldsCore.pm
+++ b/scripts/Dpkg/Control/FieldsCore.pm
@@ -176,6 +176,11 @@ our %FIELDS = (
allowed => CTRL_INFO_PKG,
separator => FIELD_SEP_SPACE,
},
+ 'build-tainted-by' => {
+ name => 'Build-Tainted-By',
+ allowed => CTRL_FILE_BUILDINFO,
+ separator => FIELD_SEP_SPACE,
+ },
'built-for-profiles' => {
name => 'Built-For-Profiles',
allowed => ALL_PKG | CTRL_FILE_CHANGES,
@@ -634,7 +639,7 @@ our %FIELD_ORDER = (
qw(format source binary architecture version binary-only-changes),
@src_checksums_fields,
qw(build-origin build-architecture build-kernel-version build-date
- build-path installed-build-depends environment),
+ build-path build-tainted-by installed-build-depends environment),
],
CTRL_FILE_CHANGES() => [
qw(format date source binary binary-only built-for-profiles architecture
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 7d4b6d802..7b5244042 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -81,6 +81,8 @@ sub run_hook {
$self->_add_build_flags(@params);
} elsif ($hook eq 'builtin-system-build-paths') {
return qw(/build/);
+ } elsif ($hook eq 'build-tainted-by') {
+ return $self->_build_tainted_by();
} else {
return $self->SUPER::run_hook($hook, @params);
}
@@ -439,6 +441,14 @@ sub _add_build_flags {
}
}
+sub _build_tainted_by {
+ my $self = shift;
+ my %tainted;
+
+ my @tainted = sort keys %tainted;
+ return @tainted;
+}
+
=head1 CHANGES
=head2 Version 0.xx
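Review bot: `_build_tainted_by` declares `%tainted` and never adds a key to it, so as written the Debian hook always returns an empty list, the same result as the default vendor's `return ();`. A short comment above the sub would make the intended contract explicit, for example `# Returns the sorted list of taint reason tags; each check adds its tag as a key of %tainted.` The comment could also state that tags must keep to the alphanumeric-and-dash form that the POD in Default.pm documents, since anything parsing the field in a .buildinfo file will presumably rely on that.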
diff --git a/scripts/Dpkg/Vendor/Default.pm b/scripts/Dpkg/Vendor/Default.pm
index 40815efde..ed05c3009 100644
--- a/scripts/Dpkg/Vendor/Default.pm
+++ b/scripts/Dpkg/Vendor/Default.pm
@@ -140,6 +140,14 @@ field will be created if the current directory is "/build/dpkg-1.18.0". If
the list contains "/", the path will always be recorded. If the list is
empty, the current path will never be recorded.
+=item build-tainted-by ()
+
+The hook is called by dpkg-genbuildinfo to determine if the current system
+has been tainted in some way that could affect the resulting build, which
+will be recorded in the B<Build-Tainted-By> field (since dpkg 1.19.5). It
+takes no parameters, but returns a (possibly empty) list of tainted reason
+tags (formed by alphanumeric and dash characters).
+
=back
=cut
@@ -172,6 +180,8 @@ sub run_hook {
my $flags = shift @params;
} elsif ($hook eq 'builtin-system-build-paths') {
return ();
+ } elsif ($hook eq 'build-tainted-by') {
+ return ();
}
# Default return value for unknown/unimplemented hooks
diff --git a/scripts/dpkg-genbuildinfo.pl b/scripts/dpkg-genbuildinfo.pl
index fe296506e..827b6679f 100755
--- a/scripts/dpkg-genbuildinfo.pl
+++ b/scripts/dpkg-genbuildinfo.pl
@@ -437,6 +437,8 @@ if ($use_feature{path}) {
}
}
+$fields->{'Build-Tainted-By'} = "\n" . join "\n", run_vendor_hook('build-tainted-by');
+
$checksums->export_to_control($fields);
$fields->{'Installed-Build-Depends'} = collect_installed_builddeps($control);
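Review bot: The assignment to `Build-Tainted-By` is unconditional, so when the vendor hook returns an empty list the field value is just a newline. Whether that ends up written as an empty field depends on how the control object treats whitespace-only values, which is not visible in this hunk. Guarding it makes the intent explicit: `my @tainted = run_vendor_hook('build-tainted-by');` followed by `$fields->{'Build-Tainted-By'} = "\n" . join "\n", @tainted if @tainted;`. The tags are also joined into the field without being checked against the documented alphanumeric-and-dash form, so a hook returning a tag with whitespace or a newline would change how the field is split or folded. An anchored check such as `m/\A[A-Za-z0-9-]+\z/` on each tag before the join would enforce the documented form.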
diff --git a/scripts/t/Dpkg_Control_Fields.t b/scripts/t/Dpkg_Control_Fields.t
index 00f951052..8e0bd721b 100644
--- a/scripts/t/Dpkg_Control_Fields.t
+++ b/scripts/t/Dpkg_Control_Fields.t
@@ -20,7 +20,7 @@ use Test::More;
use Test::Dpkg qw(:paths);
BEGIN {
- plan tests => 2416;
+ plan tests => 2438;
use_ok('Dpkg::Control::Types');
use_ok('Dpkg::Control::FieldsCore');
@@ -167,7 +167,8 @@ my %fields = (
qw(Format Source Binary Architecture Version Binary-Only-Changes),
@src_checksums,
qw(Build-Origin Build-Architecture Build-Kernel-Version
- Build-Date Build-Path Installed-Build-Depends Environment)
+ Build-Date Build-Path Build-Tainted-By
+ Installed-Build-Depends Environment)
],
},
CTRL_FILE_CHANGES() => {