[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

With that patch, reverse-deps anna and cdebootstrap shall FTBFS with:

| gcc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -g -O2 -fdebug-prefix-map=/home/steven/git/anna=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wall -W -ggdb -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE  -c -o anna.o anna.c
| anna.c: In function ‘install_modules’:
| anna.c:321:25: error: ‘di_package {aka struct di_package}’ has no member named ‘md5sum’
|      if (! md5sum(package->md5sum, dest_file)) {
|                          ^~

| gcc -DHAVE_CONFIG_H -I. -I../../src -I..  -I../../include -Wdate-time -D_FORTIFY_SOURCE=2  -g -O2 -fdebug-prefix-map=/home/steven/git/cdebootstrap-0.7.6=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -std=gnu99 -c -o gpg.o ../../src/gpg.c
| ../../src/check.c: In function ‘check_deb’:
| ../../src/check.c:61:40: error: ‘di_package {aka struct di_package}’ has no member named ‘md5sum’
|    return check_sum (target, "md5sum", p->md5sum, message);
|                                         ^~
| ../../src/check.c: In function ‘check_packages’:
| ../../src/check.c:75:35: error: ‘di_release {aka struct di_release}’ has no member named ‘md5sum’
|    item = di_hash_table_lookup (rel->md5sum, &key);
|                                    ^~

so it should be quite clear that they must implement a new hashing
algorithm;  and this makes absolutely sure they are not still using MD5
unintentionally (which was the case in #856215).

If my libdebian-installer patch is okay, I will submit the patches for
anna and cdebootstrap (bugs are already filed against them).  Hopefully
no other reverse-dependencies would be affected (because they do not use
the md5sums field, and the struct size is not changing);  though if they
do use, I'd prefer they FTBFS so that we find out.

Steven Chamberlain

Attachment: signature.asc
Description: Digital signature

Reply to: