
Bug#775449: Provide sha size param instead of using environmental variable



Package: debootstrap
Tags: security patch

I am not comfortable with allowing a SHA_SIZE environmental variable,
defined at some point prior to running debootstrap, to dictate the
security of checksum verification performed by debootstrap. I would much
prefer to see the default overridden only by an explicitly provided
parameter.

The patch attached implements this.

The patch:
 - Adds provision of a new --sha-size parameter for specifying the size
variant of the sha checksum binary to use.
 - Preserves the current default of 256.
 - Builds on top of my bug #775444 patch to replace the new 'sha binary
unavailable warning' with an error.
 - Removes the sha1 fallback, requiring users to explicitly specify
--sha-size=1 if they need sha1sum to be used.

commit cce61c7c3d89293506817df0dd6ee646b8d8092e
Author: jnqnfe <jnqnfe@gmail.com>
Date:   Thu Jan 15 19:38:44 2015 +0000

    Provide sha size param instead of using environmental variable

diff --git a/debootstrap b/debootstrap
index c383517..8d40818 100755
--- a/debootstrap
+++ b/debootstrap
@@ -46,6 +46,7 @@ VERBOSE=""
 CERTIFICATE=""
 CHECKCERTIF=""
 PRIVATEKEY=""
+SHA_SIZE=""
 
 DEF_MIRROR="http://ftp.us.debian.org/debian";
 DEF_HTTPS_MIRROR="https://mirrors.kernel.org/debian";
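Review bot: The unconditional SHA_SIZE="" assignment silently discards a value that callers previously exported, so a wrapper that sets SHA_SIZE=512 in the environment will now get the 256 default applied later in the script, with no indication that its setting was ignored. Consider testing whether SHA_SIZE is non-empty before this assignment and emitting a warning that the environment variable is no longer honoured and that --sha-size should be used instead. A short comment on the assignment saying that it exists to drop inherited values would also help future readers.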
@@ -118,6 +119,8 @@ usage()
       --private-key=file     read the private key from file
       --certificate=file     use the client certificate stored in file (PEM)
       --no-check-certificate do not check certificate against certificate authorities
+      --sha-size=size        used for specifying which size variant of sha checksum to
+                             use in performing checksum verifications, default is 256
 EOF
 }
 
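Review bot: The help text for --sha-size does not say which sizes are accepted, so a user cannot tell from usage() that 1 selects sha1sum or which other values are meaningful. List the accepted values in the description, and since the sha1 fallback is removed in this same patch, state here that there is no automatic fallback when the binary for the chosen size is missing.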
@@ -345,6 +348,17 @@ if [ $# != 0 ] ; then
 		CHECKCERTIF="--no-check-certificate"
 		shift
 		;;
+	    --sha-size|--sha-size=?*)
+		if [ "$1" = "--sha-size" -a -n "$2" ]; then
+			SHA_SIZE="--sha-size=$2"
+			shift 2
+		elif [ "$1" != "${1#--sha-size=}" ]; then
+			SHA_SIZE="--sha-size=${1#--sha-size=}"
+			shift 1
+		else
+		       error 1 NEEDARG "option requires an argument %s" "$1"
+		fi
+		;;
 	    --*)
 		error 1 BADARG "unrecognized or invalid option %s" "$1"
 		;;
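Review bot: Both branches of the new --sha-size case store the option text itself in SHA_SIZE (SHA_SIZE="--sha-size=$2" and SHA_SIZE="--sha-size=${1#--sha-size=}"), but the last hunk expands that variable as "sha${SHA_SIZE}sum" and "SHA$SHA_SIZE", so with --sha-size=512 the script would look for a binary named sha--sha-size=512sum and abort. Store only the number, that is SHA_SIZE="$2" and SHA_SIZE="${1#--sha-size=}". The value is also interpolated unvalidated into a command name and a checksum field name, so reject anything outside the supported sizes here with error 1 BADARG rather than relying on the later in_path test. Minor: the error line in the else branch is indented with a mix of tabs and spaces, unlike the rest of the case.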
@@ -461,8 +475,7 @@ if [ -z "$SHA_SIZE" ]; then
 	SHA_SIZE=256
 fi
 if ! in_path "sha${SHA_SIZE}sum" && ! in_path "sha${SHA_SIZE}"; then
-	warning SHA_SIZE "Cannot find binary for checking sha%s checksums, falling back to sha1" "${SHA_SIZE}"
-	SHA_SIZE=1
+	error 1 SHA_SIZE "Cannot find binary for checking sha%s checksums" "${SHA_SIZE}"
 fi
 DEBOOTSTRAP_CHECKSUM_FIELD="SHA$SHA_SIZE"
 
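Review bot: The new error message at the in_path check names neither the binaries that were looked up nor the option that controls them. Include both names from the test (sha${SHA_SIZE}sum and sha${SHA_SIZE}) in the message and point to --sha-size, so that a user on a system that previously worked through the silent sha1 fallback can see why the run now aborts. The -z "$SHA_SIZE" default above this check is also the natural place to validate the size before it reaches DEBOOTSTRAP_CHECKSUM_FIELD.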