[Reproducible-commits] [dpkg] 08/30: dpkg-source: Add new --require-strong-checksums option and change default
Mattia Rizzolo
mattia at debian.org
Mon May 9 09:02:50 UTC 2016
This is an automated email from the git hooks/post-receive script.
mattia pushed a commit to branch pu/reproducible_builds
in repository dpkg.
commit a558a21ae7f04751f7f5dfe724cd9d5f95905734
Author: Guillem Jover <guillem at debian.org>
Date: Thu May 5 20:13:56 2016 +0200
dpkg-source: Add new --require-strong-checksums option and change default
Erroring out when no strong checksums are present is very harsh, as we
do not even do something similar for invalid/unknown/expired signatures
which means doing this for checksums has really no point.
Add a new command-line option to force the behavior to be strict, and
change to a warning.
Regression introduced in commit 040973c7a1e50b78ef042ef5ffbfff0440c24700.
Closes: #823428
Reported-by: Niko Tyni <ntyni at debian.org>
---
debian/changelog | 5 +++++
man/dpkg-source.1 | 5 +++++
scripts/Dpkg/Source/Package.pm | 23 +++++++++++++++++++++--
scripts/dpkg-source.pl | 5 +++++
4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index e70cae6..654e40f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,15 @@
dpkg (1.18.7) UNRELEASED; urgency=medium
[ Guillem Jover ]
+ * Add new dpkg-source --require-strong-checksums option and change default.
+ There is no point in erroring out on this condition when signature issues
+ are only warnings, because we cannot guarantee we have functional keys
+ for old signatures. Regression introduced in dpkg 1.18.5. Closes: #823428
* Perl modules:
- Relax dependency restrictions parsing to allow again sloppy spaces
around versions, architectures and profile restrictions.
Regression introduced in 1.18.5. Closes: #823431
+ - Add new require_strong_checksums option to Dpkg::Source::Package.
* Documentation:
- Shorten example symbol names in dpkg-gensymbols to avoid a mandb
warning due to unwrappable lines in translations.
diff --git a/man/dpkg-source.1 b/man/dpkg-source.1
index 3d1f1d7..8e3b932 100644
--- a/man/dpkg-source.1
+++ b/man/dpkg-source.1
@@ -266,6 +266,11 @@ of the official Debian keyrings
(\fI/usr/share/keyrings/debian\-keyring.gpg\fP
and \fI/usr/share/keyrings/debian\-maintainers.gpg\fP).
.TP
+.BI \-\-require\-strong\-checksums
+Refuse to unpack the source package if it does not contain any strong
+checksums (since dpkg 1.18.7).
+Currently the only known checksum considered strong is \fBSHA-256\fP.
+.TP
.B \-\-ignore\-bad\-version
Turns the bad source package version check into a non-fatal warning
(since dpkg 1.17.7).
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index f562a5b..969366b 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -34,7 +34,7 @@ is the one that supports the extraction of the source package.
use strict;
use warnings;
-our $VERSION = '1.01';
+our $VERSION = '1.02';
our @EXPORT_OK = qw(
get_default_diff_ignore_regex
set_default_diff_ignore_regex
@@ -188,6 +188,11 @@ specific for source packages using format "2.0" and "3.0 (quilt)".
If set to 1, the check_signature() method will be stricter and will error
out if the signature can't be verified.
+=item require_strong_checksums
+
+If set to 1, the check_checksums() method will be stricter and will error
+out if there is no strong checksum.
+
=item copy_orig_tarballs
If set to 1, the extraction will copy the upstream tarballs next the
@@ -331,19 +336,29 @@ the other files constituting the source package. If any inconsistency is
discovered, it immediately errors out. It will make sure at least one strong
checksum is present.
+If the object has been created with the "require_strong_checksums" option,
+then any problem will result in a fatal error.
+
=cut
sub check_checksums {
my $self = shift;
my $checksums = $self->{checksums};
+ my $warn_on_weak = 0;
# add_from_file verify the checksums if they are already existing
foreach my $file ($checksums->get_files()) {
if (not $checksums->has_strong_checksums($file)) {
- error(g_('source package uses only weak checksums'));
+ if ($self->{options}{require_strong_checksums}) {
+ error(g_('source package uses only weak checksums'));
+ } else {
+ $warn_on_weak = 1;
+ }
}
$checksums->add_from_file($self->{basedir} . $file, key => $file);
}
+
+ warning(g_('source package uses only weak checksums')) if $warn_on_weak;
}
sub get_basename {
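Review bot: The POD for check_checksums() no longer matches the code. The unchanged sentence "It will make sure at least one strong checksum is present" now holds only when the option is set, and the added "any problem will result in a fatal error" is broader than what the option gates, which in the visible code is only the `has_strong_checksums($file)` branch. I would reword the added paragraph to something like `If the object has been created with the "require_strong_checksums" option, a file lacking a strong checksum is a fatal error; otherwise only a warning is emitted.` and qualify the earlier sentence, whose POD block starts outside this hunk. The warning is raised once after the loop and does not say which file triggered it, so a short comment on `$warn_on_weak` noting that it collapses per-file hits into one warning would also help.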
@@ -643,6 +658,10 @@ sub write_dsc {
=head1 CHANGES
+=head2 Version 1.02 (dpkg 1.18.7)
+
+New option: require_strong_checksums in check_checksums().
+
=head2 Version 1.01 (dpkg 1.17.2)
New functions: get_default_diff_ignore_regex(), set_default_diff_ignore_regex(),
diff --git a/scripts/dpkg-source.pl b/scripts/dpkg-source.pl
index c35d100..89281c1 100755
--- a/scripts/dpkg-source.pl
+++ b/scripts/dpkg-source.pl
@@ -66,6 +66,7 @@ my %options = (
copy_orig_tarballs => 1,
no_check => 0,
require_valid_signature => 0,
+ require_strong_checksums => 0,
);
# Fields to remove/override
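Review bot: `require_strong_checksums => 0` makes the permissive path the default, so a source package that lists only weak checksums is unpacked with just a warning unless the caller opts in. That is the stated intent of the commit, but the default deserves a comment here, e.g. `# Off by default: weak-only checksums only warn; enabled by --require-strong-checksums.`. Tooling that unpacks .dsc files from untrusted sources would then see that it must pass the option explicitly. The %options hash starts outside this hunk.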
@@ -189,6 +190,8 @@ while (@options) {
$options{no_check} = 1;
} elsif (m/^--require-valid-signature$/) {
$options{require_valid_signature} = 1;
+ } elsif (m/^--require-strong-checksums$/) {
+ $options{require_strong_checksums} = 1;
} elsif (m/^-V(\w[-:0-9A-Za-z]*)[=:](.*)$/s) {
$substvars->set($1, $2);
} elsif (m/^-T(.*)$/) {
@@ -606,6 +609,8 @@ sub usage {
--no-copy don't copy .orig tarballs
--no-check don't check signature and checksums before unpacking
--require-valid-signature abort if the package doesn't have a valid signature
+ --require-strong-checksums
+ abort if the package contains no strong checksums
--ignore-bad-version allow bad source package versions.")
. "\n" .
get_format_help()
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git