With that patch, reverse-deps anna and cdebootstrap shall FTBFS with:

| gcc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -g -O2 -fdebug-prefix-map=/home/steven/git/anna=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -ggdb -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -c -o anna.o anna.c
| anna.c: In function ‘install_modules’:
| anna.c:321:25: error: ‘di_package {aka struct di_package}’ has no member named ‘md5sum’
| if (! md5sum(package->md5sum, dest_file)) {
| ^~

| gcc -DHAVE_CONFIG_H -I. -I../../src -I.. -I../../include -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/home/steven/git/cdebootstrap-0.7.6=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -std=gnu99 -c -o gpg.o ../../src/gpg.c
| ../../src/check.c: In function ‘check_deb’:
| ../../src/check.c:61:40: error: ‘di_package {aka struct di_package}’ has no member named ‘md5sum’
| return check_sum (target, "md5sum", p->md5sum, message);
| ^~
| ../../src/check.c: In function ‘check_packages’:
| ../../src/check.c:75:35: error: ‘di_release {aka struct di_release}’ has no member named ‘md5sum’
| item = di_hash_table_lookup (rel->md5sum, &key);
| ^~

so it should be quite clear that they must implement a new hashing algorithm; and this makes absolutely sure they are not still using MD5 unintentionally (which was the case in #856215).

If my libdebian-installer patch is okay, I will submit the patches for anna and cdebootstrap (bugs are already filed against them).

Hopefully no other reverse-dependencies would be affected (because they do not use the md5sums field, and the struct size is not changing); though if they do use it, I'd prefer they FTBFS so that we find out.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org