Bug#1001931: hyperspec: Hyperspec download is not verified nor checksummed

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1001931: hyperspec: Hyperspec download is not verified nor checksummed
From: Aurora <rind38@disroot.org>
Date: Sun, 19 Dec 2021 04:27:29 +0000
Message-id: <[🔎] 87ee69p6by.fsf@disp9258>
Reply-to: Aurora <rind38@disroot.org>, 1001931@bugs.debian.org

Package: hyperspec
Severity: normal
Tags: patch
X-Debbugs-Cc: rind38@disroot.org

Dear Maintainer,

I noticed that the download for the Hyperspec tarball is never
verified during the installation process.

This undermines the security guarantees otherwise provided by the Apt
packaging system. It is also possibly contrary to
build-reproducibility guidelines, although I haven't ensured so.

I am including a patch which adds such verification for v7.0 of the
Hyperspec tarball. It changes seldom-enough that it shouldn't be
problematic to update when needed.

The checksum was taken from downloads done over my home connection, as
well as Tor. It has also been verified to be known on VirusTotal. This
was in order to get some degree of certainty that the checksum I had
obtained was valid & known for a long time (and not some suspicious
new variant).

The patch should work as-is, but I welcome review and modification of
it.

>From 28a3d262cf131818235598ee0db8d0a5738cd432 Mon Sep 17 00:00:00 2001
From: Aurora <rind38@disroot.org>
Date: Sat, 18 Dec 2021 23:58:56 +0000
Subject: [PATCH] Add a checksum verification for the downloaded tarball

A checksum is required to ensure the reproducibility of results as
well as maintaining the guarantees expected from the Debian packaging
system.
---
 debian/postinst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/postinst b/debian/postinst
index 28b6056..f0a8514 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -24,6 +24,7 @@ set -e
 #     installation fails and the `postinst' is called with `abort-upgrade',
 #     `abort-remove' or `abort-deconfigure'.
 
+CURRENT_HASH="1ac1666a9dc697dbd8881262cad4371bcd2e9843108b643e2ea93472ba85d7c3"
 FILE=/root/tmp/HyperSpec-7-0.tar.gz
 OLD_INDEX=/usr/share/doc/hyperspec/FrontMatter/index.html
 NEW_INDEX=/usr/share/doc/hyperspec/Front/index.htm
@@ -81,7 +82,15 @@ download_file()
     echo "Downloading the hyperspec from the Internet" 1>&2
     mkdir -p /root/tmp && \
 	wget --directory-prefix=/root/tmp --passive \
-             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz 
+             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz
+    HASH=`sha256sum /root/tmp/HyperSpec-7-0.tar.gz | cut -d' ' -f1`
+    if [ "$HASH" != "$CURRENT_HASH" ]; then
+	echo "Invalid file hash for HyperSpec-7-0.tar.gz" 1>&2
+	echo "Received hash: $HASH" 1>&2
+	echo "Expected hash: $CURRENT_HASH" 1>&2
+	rm -r "/root/tmp/"
+	return 1
+    fi
 }
 
 download_hyperspec()
-- 
2.30.2

Reply to:

Follow-Ups:
- Bug#1001931: marked as done (hyperspec: Hyperspec download is not verified nor checksummed)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: [bts-link] source package clisp
Next by Date: ecl is marked for autoremoval from testing
Previous by thread: [bts-link] source package clisp
Next by thread: Bug#1001931: marked as done (hyperspec: Hyperspec download is not verified nor checksummed)
Index(es):
- Date
- Thread