
Bug#1001931: marked as done (hyperspec: Hyperspec download is not verified nor checksummed)



Your message dated Mon, 20 Dec 2021 15:48:39 +0000
with message-id <E1mzKtz-000AMj-An@fasolo.debian.org>
and subject line Bug#1001931: fixed in hyperspec 1.33
has caused the Debian Bug report #1001931,
regarding hyperspec: Hyperspec download is not verified nor checksummed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1001931: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001931
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: hyperspec
Severity: normal
Tags: patch
X-Debbugs-Cc: rind38@disroot.org

Dear Maintainer,

I noticed that the download for the Hyperspec tarball is never
verified during the installation process.

This undermines the security guarantees otherwise provided by the Apt
packaging system. It is also possibly contrary to
build-reproducibility guidelines, although I haven't ensured so.

I am including a patch which adds such verification for v7.0 of the
Hyperspec tarball. It changes seldom enough that it shouldn't be
problematic to update when needed.

The checksum was taken from downloads done over my home connection, as
well as Tor. It has also been verified to be known on VirusTotal. This
was in order to get some degree of certainty that the checksum I had
obtained was valid & known for a long time (and not some suspicious
new variant).

The patch should work as-is, but I welcome review and modification of
it.
From 28a3d262cf131818235598ee0db8d0a5738cd432 Mon Sep 17 00:00:00 2001
From: Aurora <rind38@disroot.org>
Date: Sat, 18 Dec 2021 23:58:56 +0000
Subject: [PATCH] Add a checksum verification for the downloaded tarball

A checksum is required to ensure the reproducibility of results as
well as maintaining the guarantees expected from the Debian packaging
system.
---
 debian/postinst | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/postinst b/debian/postinst
index 28b6056..f0a8514 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -24,6 +24,7 @@ set -e
 #     installation fails and the `postinst' is called with `abort-upgrade',
 #     `abort-remove' or `abort-deconfigure'.
 
+CURRENT_HASH="1ac1666a9dc697dbd8881262cad4371bcd2e9843108b643e2ea93472ba85d7c3"
 FILE=/root/tmp/HyperSpec-7-0.tar.gz
 OLD_INDEX=/usr/share/doc/hyperspec/FrontMatter/index.html
 NEW_INDEX=/usr/share/doc/hyperspec/Front/index.htm
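Review bot: `CURRENT_HASH` says neither which algorithm it is nor what it pins; naming it something like `EXPECTED_SHA256` and adding a one-line comment ("SHA-256 of HyperSpec-7-0.tar.gz, update together with FILE and the wget URL on a version bump") would make the intent clear to the next maintainer. Since this value is the only trust anchor for an unauthenticated FTP download, the comment or commit message should also record how it was obtained (the bug report does: independent downloads over two network paths plus a VirusTotal lookup), so a future update can repeat the same check.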
@@ -81,7 +82,15 @@ download_file()
     echo "Downloading the hyperspec from the Internet" 1>&2
     mkdir -p /root/tmp && \
 	wget --directory-prefix=/root/tmp --passive \
-             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz 
+             ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz
+    HASH=`sha256sum /root/tmp/HyperSpec-7-0.tar.gz | cut -d' ' -f1`
+    if [ "$HASH" != "$CURRENT_HASH" ]; then
+	echo "Invalid file hash for HyperSpec-7-0.tar.gz" 1>&2
+	echo "Received hash: $HASH" 1>&2
+	echo "Expected hash: $CURRENT_HASH" 1>&2
+	rm -r "/root/tmp/"
+	return 1
+    fi
 }
 
 download_hyperspec()
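Review bot: the check hardcodes the tarball path in `HASH=\`sha256sum /root/tmp/HyperSpec-7-0.tar.gz | cut -d' ' -f1\`` although `FILE=/root/tmp/HyperSpec-7-0.tar.gz` is already defined at the top of the script; using `"$FILE"` here and in the error messages keeps a version bump to a single place. Prefer `$(...)` over backticks, and on mismatch delete only the rejected tarball (`rm -f "$FILE"`) rather than `rm -r "/root/tmp/"`, which wipes the whole directory. Note also that because the pipeline's exit status is `cut`'s, a missing file (wget failed but did not abort under `set -e`) yields an empty `$HASH` and is reported as a hash mismatch rather than a failed download; `printf '%s  %s\n' "$CURRENT_HASH" "$FILE" | sha256sum -c --status` does the comparison without the `cut` and fails cleanly in that case too.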
-- 
2.30.2


--- End Message ---
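The same verification step as an added, stand-alone example (not the hyperspec package's own postinst): the pinned SHA-256 and path are copied from the patch above, the path comes from a variable, the comparison is done by `sha256sum -c`, and only the rejected file is removed; the wget line is left as a comment so the function can be exercised offline on a constructed file.

```shell
#!/bin/sh
# Added example, not the hyperspec package's postinst: the SHA-256
# pinning the patch introduces, with the path taken from a variable,
# the comparison done by sha256sum -c, and only the rejected file removed.
set -e

# Values mirrored from the patch above (tarball path and pinned SHA-256).
FILE=/root/tmp/HyperSpec-7-0.tar.gz
EXPECTED_SHA256=1ac1666a9dc697dbd8881262cad4371bcd2e9843108b643e2ea93472ba85d7c3

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches. On a missing file or a
# mismatch it reports to stderr, deletes the file so a bad download
# cannot be picked up by a later step, and returns 1.
verify_tarball() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "Download failed: $file does not exist" 1>&2
        return 1
    fi
    # sha256sum -c reads "<hash>  <path>" lines; --status keeps it quiet.
    if printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status; then
        return 0
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    echo "Invalid file hash for $file" 1>&2
    echo "Received hash: $actual" 1>&2
    echo "Expected hash: $expected" 1>&2
    rm -f "$file"
    return 1
}

# Usage in a postinst-style download step (the wget line is the patch's):
# wget --directory-prefix=/root/tmp --passive \
#     ftp://ftp.lispworks.com/pub/software_tools/reference/HyperSpec-7-0.tar.gz
# verify_tarball "$FILE" "$EXPECTED_SHA256" || exit 1
```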
--- Begin Message ---
Source: hyperspec
Source-Version: 1.33
Done: Sébastien Villemot <sebastien@debian.org>

We believe that the bug you reported is fixed in the latest version of
hyperspec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sébastien Villemot <sebastien@debian.org> (supplier of updated hyperspec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Dec 2021 16:15:49 +0100
Source: hyperspec
Architecture: source
Version: 1.33
Distribution: unstable
Urgency: medium
Maintainer: Debian Common Lisp Team <debian-common-lisp@lists.debian.org>
Changed-By: Sébastien Villemot <sebastien@debian.org>
Closes: 1001931
Changes:
 hyperspec (1.33) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Remove constraints unnecessary since stretch:
     + Build-Depends: Drop versioned constraint on debhelper.
   * Trim trailing whitespace.
   * Bump debhelper dependency to >= 11, since that's what is used in
     debian/compat.
   * Bump debhelper from old 11 to 13.
   * Set debhelper-compat version in Build-Depends.
 .
   [ Sébastien Villemot ]
   * Add Rules-Requires-Root: no
   * d/control: mark XS-Autobuild: yes
   * Bump S-V to 4.6.0
   * postinst: verify checksum of the HyperSpec tarball after download.
     Thanks to Aurora. (Closes: #1001931)


--- End Message ---
