[Reproducible-commits] [dpkg] 40/105: Dpkg::Source::Package: Error out on sources w/o any strong digest

Niko Tyni ntyni at moszumanska.debian.org
Mon May 2 13:49:50 UTC 2016


This is an automated email from the git hooks/post-receive script.

ntyni pushed a commit to branch ntyni/reproducible_builds
in repository dpkg.

commit 040973c7a1e50b78ef042ef5ffbfff0440c24700
Author: Guillem Jover <guillem at debian.org>
Date:   Wed Mar 23 10:25:47 2016 +0100

    Dpkg::Source::Package: Error out on sources w/o any strong digest
    
    This is used by dpkg-source --extract, which can still be disabled with
    --no-check.
---
 debian/changelog               | 3 +++
 scripts/Dpkg/Source/Package.pm | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 9b379c8..dc4ad16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,9 @@ dpkg (1.18.5) UNRELEASED; urgency=medium
     - Add new functions to validate and parse architecture names in Dpkg::Arch.
     - Make the dependency parser more strict in Dpkg::Deps. Closes: #784806
     - Add strong digest marking support to Dpkg::Checksums.
+    - Error out on source packages without any strong digests in
+      Dpkg::Source::Package, used by dpkg-source --extract, which can still
+      be disabled with --no-check.
   * Build system:
     - Fix building development documentation.
     - Remove unused UA_LIBS variable.
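Review bot: in the added changelog entry, the clause "which can still be disabled with --no-check" attaches grammatically to "dpkg-source --extract", so it reads as though extraction itself is what gets disabled. Consider wording it so that the strong-digest check is what --no-check turns off, for example "The check is used by dpkg-source --extract and can still be disabled with --no-check." The entry also says "strong digests" while the new error message says "weak checksums"; using one term in both places makes the error easier to trace back to this changelog line.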
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index de48bc6..9abe444 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -328,15 +328,20 @@ sub get_files {
 
 Verify the checksums embedded in the DSC file. It requires the presence of
 the other files constituting the source package. If any inconsistency is
-discovered, it immediately errors out.
+discovered, it immediately errors out. It will make sure at least one strong
+checksum is present.
 
 =cut
 
 sub check_checksums {
     my $self = shift;
     my $checksums = $self->{checksums};
+
     # add_from_file verify the checksums if they are already existing
     foreach my $file ($checksums->get_files()) {
+        if (not $checksums->has_strong_checksums($file)) {
+            error(g_('source package uses only weak checksums'));
+        }
 	$checksums->add_from_file($self->{basedir} . $file, key => $file);
     }
 }
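
Review bot: in check_checksums the new test runs once per file inside the foreach loop, so a single file without a strong checksum aborts, yet the message 'source package uses only weak checksums' and the POD sentence "It will make sure at least one strong checksum is present" both read as package-wide statements. Putting the file name into the error (a %s filled from $file) and saying "for each file" in the POD would match what the code does and tell the user which entry in the .dsc needs fixing. The three added lines are indented with spaces while the add_from_file line right after them uses a tab, and the diffstat lists only debian/changelog and Package.pm, so the new failure path comes without a test.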

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git


