[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1001931: hyperspec: Hyperspec download is not verified nor checksummed

Package: hyperspec
Severity: normal
Tags: patch
X-Debbugs-Cc: rind38@disroot.org

Dear Maintainer,

I noticed that the download for the Hyperspec tarball is never
verified during the installation process.

This undermines the security guarantees otherwise provided by the Apt
packaging system. It is also possibly contrary to
build-reproducibility guidelines, although I haven't ensured so.

I am including a patch which adds such verification for v7.0 of the
Hyperspec tarball. It changes seldom-enough that it shouldn't be
problematic to update when needed.

The checksum was taken from downloads done over my home connection, as
well as Tor. It has also been verified to be known on VirusTotal. This
was in order to get some degree of certainty that the checksum I had
obtained was valid & known for a long time (and not some suspicious
new variant).

The patch should work as-is, but I welcome review and modification of
>From 28a3d262cf131818235598ee0db8d0a5738cd432 Mon Sep 17 00:00:00 2001
From: Aurora <rind38@disroot.org>
Date: Sat, 18 Dec 2021 23:58:56 +0000
Subject: [PATCH] Add a checksum verification for the downloaded tarball

A checksum is required to ensure the reproducibility of results as
well as maintaining the guarantees expected from the Debian packaging
 debian/postinst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/postinst b/debian/postinst
index 28b6056..f0a8514 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -24,6 +24,7 @@ set -e
 #     installation fails and the `postinst' is called with `abort-upgrade',
 #     `abort-remove' or `abort-deconfigure'.
@@ -81,7 +82,15 @@ download_file()
     echo "Downloading the hyperspec from the Internet" 1>&2
     mkdir -p /root/tmp && \
 	wget --directory-prefix=/root/tmp --passive \
-             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz 
+             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz
+    HASH=`sha256sum /root/tmp/HyperSpec-7-0.tar.gz | cut -d' ' -f1`
+    if [ "$HASH" != "$CURRENT_HASH" ]; then
+	echo "Invalid file hash for HyperSpec-7-0.tar.gz" 1>&2
+	echo "Received hash: $HASH" 1>&2
+	echo "Expected hash: $CURRENT_HASH" 1>&2
+	rm -r "/root/tmp/"
+	return 1
+    fi

Reply to: