
Bug#712640: net-retriever checks only md5sums



Control: tag -1 patch

Philipp Kern <pkern@google.com> (2013-06-18):
> Package: net-retriever
> Version: 1.27
> Severity: important
> 
> net-retriever hardcodes yet another Release file check. In the course
> of this only md5sums are checked, not the other hashes present in the
> file.
> 
> Given the structure of the code I presume this is due to the fact that
> only md5sums used to be guaranteed to be present and this code has
> not been touched in a long while.

As far as I can see, we have MD5Sum, SHA1, and SHA256 for all of
oldstable, stable, and testing. I've therefore modified the code to
support an unconditional loop over those 3 values, which you can review
in the git repository (multi-checksums branch).

I've performed some tests, building wheezy and jessie d-i images, using
debian-installer/allow_unauthenticated=true, and messing with the
Release files. A modified SHA1 wouldn't be noted with pristine d-i
images, but would with the patched net-retriever, so I think it's at
least basically working.

Of course I'm happy to have more eyes on the diffs (which I tried to
make as incremental as possible after having first written a big, fat
patch).

If for some reason (deprecated checksums, or additional checksums) the
loop needs to be made conditional, that's probably easily done (e.g. by
skipping the sed | foo loop if grep "^$checksumtype:\$" returns
nothing). It might be a good idea to add a pointer to net-retriever in
whatever part(s) of dak's code and/or configuration that are related,
so that FTP folks file a bug when changes happen.

Thanks for your time.

Mraw,
KiBi.
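
Added example, not part of the original message and not code from net-retriever or its multi-checksums branch: a POSIX sh sketch of the loop over MD5Sum, SHA1 and SHA256 described above, including the conditional skip keyed on grep "^$checksumtype:\$". The helper names and the sample Release file are constructed; rejecting a Release that carries none of the three sections, or a present section with no entry for the file, is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: check one file against every checksum section of a Release file.
# Helper names and sample data are constructed; this is not net-retriever code.

# Print "<hash> <size>" for path $3 from section $2 (e.g. SHA1) of Release file $1.
release_entry() {
    awk -v sec="$2:" -v path="$3" '
        /^[^ ]/ { in_sec = ($0 == sec); next }   # an unindented line starts a new field
        in_sec && $3 == path { print $1, $2; exit }
    ' "$1"
}

# Succeeds when section header $2 is present in Release file $1.
has_section() { grep -q "^$2:\$" "$1"; }

# Verify local file $3 as entry $2 of Release file $1 against all known sections.
verify_all() {
    release=$1 path=$2 file=$3 checked=0
    size=$(wc -c < "$file" | tr -d ' ')
    for type in MD5Sum SHA1 SHA256; do
        has_section "$release" "$type" || continue   # conditional skip of absent sections
        case $type in
            MD5Sum) tool=md5sum ;; SHA1) tool=sha1sum ;; SHA256) tool=sha256sum ;;
        esac
        entry=$(release_entry "$release" "$type" "$path")
        [ -n "$entry" ] || { echo "$type: no entry for $path" >&2; return 1; }
        actual="$($tool < "$file" | cut -d' ' -f1) $size"
        [ "$entry" = "$actual" ] || { echo "$type mismatch for $path" >&2; return 1; }
        checked=$((checked + 1))
    done
    [ "$checked" -gt 0 ]   # assumption: a Release with no known section is rejected
}

# Constructed sample: write a Packages file and a matching Release into directory $1.
make_sample() {
    printf 'Package: demo\nVersion: 1.0\n' > "$1/Packages"
    size=$(wc -c < "$1/Packages" | tr -d ' ')
    {
        echo "Suite: constructed-sample"
        for pair in MD5Sum:md5sum SHA1:sha1sum SHA256:sha256sum; do
            echo "${pair%%:*}:"
            echo " $(${pair##*:} < "$1/Packages" | cut -d' ' -f1) $size main/Packages"
        done
    } > "$1/Release"
}

dir=$(mktemp -d)
make_sample "$dir"
verify_all "$dir/Release" main/Packages "$dir/Packages" && echo "all checksums match"
```

Replacing only the SHA1 line of the sample Release leaves its MD5Sum entry valid, so an MD5-only check still accepts the file while verify_all rejects it.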
