
Bogus upstream source tarball signature files in the archive

Hi!

Some days ago I noticed that uscan is generating bogus upstream tarball
signature files when converting them from the ones fetched from upstream.
There are several problems, but the main ones are that it will rearmor
some of the ASCII armored signatures based on the extension, and that
it will not properly convert the trailing OpenPGP Armor Header Line.

This is now fixed in a proposed MR:

  <https://salsa.debian.org/debian/devscripts/merge_requests/120>

But the archive contains multiple instances of this. :`( I've checked
all of unstable and these are the current numbers:

  ,--- fetch-asc ---
  #!/bin/sh
  suite="$1"

  /usr/lib/apt/apt-helper cat-file \
    $(apt-get indextargets --format '$(FILENAME)' 'Identifier: Sources') | \
    grep '\.asc$' | \
    cut -d\  -f4 | \
    cut -d_ -f1 | \
    uniq | \
    xargs -n10 apt-get source -t "$suite" --print-uris | \
    sed -rne "s/^'([^']+)'.*$/\1/p" | \
    grep '\.asc$' | \
    xargs -n10 wget -q -c
  `---

  ,---
  $ fetch-asc unstable

  # Bogus OpenPGP Armor Header Line
  $ grep -l ARMORED *.asc | wc -l
  424

  # Rearmored ASCII signature
  $ grep -l ^LS0tLS1CRUd *.asc | wc -l
  347
  `---

I'm attaching the list of affected source packages for each (skipping
dd-list to avoid size limits).

This is particularly nasty, because fixing this requires waiting for a
new upstream release, or the equivalent of a "tarball" repack, as in,
you'd need to bump the upstream version number so that the fixed .asc
can be modified. The fix would be something like:

  ,--- fix-asc ---
  #!/bin/sh
  asc=$1

  if grep -q ^LS0tLS1CRUd "$asc"; then
    gpg --dearmor <"$asc" | sponge "$asc"
  fi

  sed -e 's/ARMORED FILE/SIGNATURE/g' \
      -e '/^Version:/d' \
      -e '/^Comment:/d' \
      -i "$asc"
  `---

For dpkg 1.20.x, I'm going to validate all .asc at source build and
extraction time, and barf at build time in case of signature errors
or bogus data. I'll probably add a lax mode that might dearmor the
doubly armored files and emit warnings, but meh. I'll also be filing
some lintian bugs.
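As an added example (not part of Guillem's mail, nor dpkg or devscripts code), here is a Python checker that does structurally what the two greps and the fix-asc script above do, and what the strict/lax validation described for dpkg-source would do: it parses one armored block (header line, Armor Headers, base64 body, checksum line, tail line), flags a header or tail that is not PGP SIGNATURE, flags a body that decodes to another armor block (the rearmored case; `^LS0tLS1CRUd` is simply base64 of `-----BEG`), and in lax mode applies the same repair as fix-asc. It goes one step beyond the page's greps by also verifying the CRC24 armor checksum when one is present. All sample .asc contents are constructed inline; FAKE_PACKET is a placeholder, not a real signature packet, and the checker does not verify the signature itself, which stays gpg's job.

```python
import base64
import re
# RFC 4880 sec. 6.2 frames a detached signature with BEGIN/END PGP SIGNATURE.
BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END PGP ([A-Z ]+)-----$")

def crc24(data):
    """OpenPGP armor checksum (RFC 4880 sec. 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def parse_armor(text):
    """Return {begin, body, crc, end} for one armored block, or None if no header line."""
    lines = text.splitlines()
    i = next((n for n, line in enumerate(lines) if BEGIN_RE.match(line)), None)
    if i is None:
        return None
    armor = {"begin": BEGIN_RE.match(lines[i]).group(1), "body": None, "crc": None, "end": None}
    i += 1
    while i < len(lines) and lines[i].strip():      # skip the Armor Headers (Key: Value)
        i += 1
    i += 1                                           # and the blank line that ends them
    b64 = []
    while i < len(lines):
        m = END_RE.match(lines[i])
        if m:
            armor["end"] = m.group(1)
            break
        if lines[i].startswith("="):                 # "=XXXX" checksum line
            armor["crc"] = lines[i][1:].strip()
        else:
            b64.append(lines[i].strip())
        i += 1
    try:
        armor["body"] = base64.b64decode("".join(b64), validate=True)
    except ValueError:
        pass                                         # stays None; check_asc reports it
    return armor

def check_asc(text):
    """List the structural problems of a .asc ([] = sane); verifying the signature is gpg's job."""
    armor = parse_armor(text)
    if armor is None:
        return ["no OpenPGP armor header line found"]
    problems = []
    if armor["begin"] != "SIGNATURE":
        problems.append("header line is 'BEGIN PGP %s', expected SIGNATURE" % armor["begin"])
    if armor["end"] is None:
        problems.append("armor tail line missing")
    elif armor["end"] != armor["begin"]:
        problems.append("tail 'END PGP %s' does not match header" % armor["end"])
    body = armor["body"]
    if body is None:
        return problems + ["armor body is not valid base64"]
    if body.startswith(b"-----BEGIN PGP "):
        problems.append("body is itself ASCII armor (doubly armored)")
    if armor["crc"] is not None:                     # optional since RFC 9580, so checked only when present
        crc = base64.b64decode(armor["crc"]) if re.fullmatch(r"[A-Za-z0-9+/]{4}", armor["crc"]) else None
        if crc is None or int.from_bytes(crc, "big") != crc24(body):
            problems.append("armor checksum mismatch")
    return problems

def fix_asc(text, lax=False):
    """Strict mode raises on any problem (the build-time check proposed for dpkg-source);
    lax mode undoes the two known uscan mistakes like fix-asc does and raises on anything else."""
    problems = check_asc(text)
    if not problems:
        return text
    if not lax:
        raise ValueError("bogus signature file: " + "; ".join(problems))
    body = parse_armor(text)["body"]
    if body is not None and body.startswith(b"-----BEGIN PGP "):
        text = body.decode("ascii", "replace")       # dearmor once: the body is the original .asc
    kept = [l.replace("PGP ARMORED FILE", "PGP SIGNATURE") for l in text.splitlines()
            if not l.startswith(("Version:", "Comment:"))]
    repaired = "\n".join(kept) + "\n"
    if check_asc(repaired):
        raise ValueError("could not repair: " + "; ".join(check_asc(repaired)))
    return repaired

def enarmor(kind, payload, headers=()):              # builds armored blocks for the samples only
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    head = "-----BEGIN PGP %s-----\n%s\n" % (kind, "".join(h + "\n" for h in headers))
    return head + body + "\n=" + crc + "\n-----END PGP %s-----\n" % kind

# Constructed samples (FAKE_PACKET only stands in for a real binary signature packet):
FAKE_PACKET = b"\x89\x01\x33constructed placeholder for signature packet bytes"
GOOD_ASC = enarmor("SIGNATURE", FAKE_PACKET)
BAD_TAIL_ASC = enarmor("SIGNATURE", FAKE_PACKET, ["Comment: constructed sample"]).replace(
    "END PGP SIGNATURE", "END PGP ARMORED FILE")     # bug 1: tail line not converted
DOUBLE_ASC = enarmor("ARMORED FILE", GOOD_ASC.encode("ascii"))   # bug 2: armored a second time
```

Calling `check_asc` on each file produced by fetch-asc gives the same partition as the two greps, plus a checksum verdict; `fix_asc(text)` is the strict build-time behaviour (refuse anything bogus), and `fix_asc(text, lax=True)` is the proposed lax mode, which dearmors a doubly armored file once and then rewrites the ARMORED FILE frame and drops Version:/Comment: headers exactly as fix-asc does. Because the CRC24 covers only the decoded body, fixing the frame lines does not invalidate an existing checksum.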

And sorry about this, I feel most of the blame is on me for dpkg-source,
as I should *never* *ever* pass w/o exception on the “always validate
everything, otherwise you are guaranteed to get bogus data”. :/

Thanks,
Guillem

akonadi
akonadi-calendar
akonadi-calendar-tools
akonadi-contacts
akonadi-import-wizard
akonadi-mime
akonadi-notes
akonadi-search
akonadiconsole
akregator
analitza
ark
artikulate
aspell-en
attica-kf5
audiocd-kio
autoconf-archive
autorevision
baloo-kf5
baloo-widgets
blogilo
bluedevil
bluez-qt
bomber
bovo
breeze
breeze-gtk
breeze-icons
breeze-plymouth
buildbot
cantor
cervisia
cflow
clazy
corsix-th
cups
datamash
dbuskit
dmidecode
dolphin
dolphin-plugins
dragon
drkonqi
dynare
emms
extra-cmake-modules
ffcall
ffmpegthumbs
filelight
fontypython
frameworkintegration
freetype
gawk-doc
gcompris-qt
gdb
gdbm
geany
global
glpk
gnome-chemistry-utils
gnucobol
gnupg1
gnupg2
gnustep-sqlclient
gnutls28
gpa
granatier
grantlee-editor
groff
guile-lib
gwenview
htmldoc
kaccounts-integration
kaccounts-providers
kactivities-kf5
kactivities-stats
kactivitymanagerd
kaddressbook
kajongg
kalarm
kalarmcal
kalgebra
kalzium
kamera
kanagram
kapidox
kapman
kapptemplate
karchive
kate
katomic
kbackup
kblackbox
kblocks
kblog
kbookmarks
kbounce
kbreakout
kbruch
kcachegrind
kcalc
kcalcore
kcalutils
kcharselect
kcmutils
kcodecs
kcolorchooser
kcompletion
kconfig
kconfigwidgets
kcontacts
kcoreaddons
kcrash
kcron
kdav
kdbusaddons
kde-cli-tools
kde-dev-scripts
kde-dev-utils
kde-gtk-config
kde-spectacle
kdebugsettings
kdeclarative
kdecoration
kded
kdeedu-data
kdegraphics-mobipocket
kdegraphics-thumbnailers
kdelibs4support
kdenetwork-filesharing
kdenlive
kdepim-addons
kdepim-runtime
kdeplasma-addons
kdesdk-kioslaves
kdesdk-thumbnailers
kdesignerplugin
kdesu
kdewebkit
kdf
kdialog
kdiamond
kdnssd-kf5
keditbookmarks
kemoticons
kf5-kdepim-apps-libs
kf5-messagelib
kfilemetadata-kf5
kfind
kfloppy
kfourinline
kgamma5
kgeography
kget
kglobalaccel
kgoldrunner
kgpg
kguiaddons
khangman
khelpcenter
kholidays
khotkeys
khtml
ki18n
kiconthemes
kidentitymanagement
kidletime
kig
kigo
killbots
kimageformats
kimagemapeditor
kimap
kinfocenter
kinit
kio
kio-extras
kirigami2
kiriki
kitemmodels
kitemviews
kiten
kitinerary
kjobwidgets
kjs
kjsembed
kjumpingcube
kldap
kleopatra
klettres
klickety
klines
kmag
kmahjongg
kmail
kmail-account-wizard
kmailtransport
kmbox
kmediaplayer
kmenuedit
kmime
kmines
kmousetool
kmplot
knavalbattle
knetwalk
knewstuff
knights
knotes
knotifications
knotifyconfig
kolf
kollision
kolourpaint
kompare
konqueror
konquest
konsole
kontact
kontactinterface
korganizer
kpackage
kparts
kpat
kpeople
kphotoalbum
kpimtextedit
kpkpass
kplotting
kpty
kqtquickcharts
krdc
kreversi
krfb
kronometer
kross
kruler
krunner
kscreen
kscreenlocker
kservice
kshisen
ksirk
ksmtp
ksnakeduel
kspaceduel
ksquares
ksshaskpass
kstars
ksudoku
ksyntax-highlighting
ksysguard
ksystemlog
kteatime
ktexteditor
ktextwidgets
ktimer
ktouch
ktuberling
kturtle
kubrick
kunitconversion
kwallet-kf5
kwallet-pam
kwalletmanager
kwayland
kwayland-integration
kwidgetsaddons
kwin
kwindowsystem
kwordquiz
kwrited
kxmlgui
kxmlrpcclient
latte-dock
libassuan
libdmx
libgcrypt20
libgpg-error
libinfinity
libinput
libkcddb
libkcompactdisc
libkdegames
libkeduvocdocument
libkf5calendarsupport
libkf5eventviews
libkf5grantleetheme
libkf5gravatar
libkf5incidenceeditor
libkf5kdcraw
libkf5kexiv2
libkf5kgeomap
libkf5kipi
libkf5kmahjongg
libkf5ksieve
libkf5libkdepim
libkf5libkleo
libkf5mailcommon
libkf5mailimporter
libkf5pimcommon
libkf5sane
libkgapi
libkomparediff2
libkscreen
libksysguard
libmicrohttpd
libmpdclient
libnftnl
libprelude
libpreludedb
libsigsegv
libtasn1-6
libtool
libu2f-server
libunistring
libx11
libxss
lokalize
lskat
lyx
mailutils
marble
mbox-importer
memtool
microcom
milou
minuet
modemmanager-qt
mongodb
mpc
mpd
mutt-vc-query
ncmpc
nettle
network-manager-l2tp
networkmanager-qt
octave
okteta
oxygen
oxygen-icons5
p11-kit
palapeli
pam-u2f
paperkey
parley
partitionmanager
phonon
phonon-backend-vlc
picmi
pim-data-exporter
pim-sieve-editor
plasma-browser-integration
plasma-desktop
plasma-discover
plasma-framework
plasma-integration
plasma-nm
plasma-pa
plasma-sdk
plasma-vault
plasma-workspace
plasma-workspace-wallpapers
plymouth-kcm
polkit-kde-agent-1
powerdevil
poxml
prelude-correlator
prelude-lml
prelude-lml-rules
prelude-manager
prewikka
prison-kf5
purpose
qqc2-desktop-style
qtcurve
quodlibet
rancid
ranger
ratpoison
recutils
rhythmbox-plugin-alternative-toolbar
rocs
rolo
schleuder
screen
sddm-kcm
signon-kwallet-extension
solid
sonnet
startpar
step
surfraw
svgpart
swapspace
swayidle
swaylock
sweeper
syndication
systemsettings
sysvinit
threadweaver
twm
ucspi-unix
ulogd2
umbrello
user-manager
wacomtablet
wayland-protocols
wikidiff2
xdg-desktop-portal-kde
xorgproto
xserver-xorg-input-evdev
xserver-xorg-input-mouse
xserver-xorg-input-synaptics
xserver-xorg-video-amdgpu
xserver-xorg-video-fbdev
xserver-xorg-video-nouveau
xserver-xorg-video-vmware
xz-utils
youtube-dl
zile

akonadi
akonadi-calendar
akonadi-calendar-tools
akonadi-contacts
akonadi-import-wizard
akonadi-mime
akonadi-notes
akonadi-search
akonadiconsole
akregator
analitza
ark
artikulate
attica-kf5
audiocd-kio
autoconf-archive
autorevision
baloo-kf5
baloo-widgets
blogilo
bluedevil
bluez-qt
bomber
bovo
breeze
breeze-gtk
breeze-icons
breeze-plymouth
cantor
cervisia
cflow
clazy
datamash
dolphin
dolphin-plugins
dragon
drkonqi
extra-cmake-modules
ffcall
ffmpegthumbs
filelight
frameworkintegration
freetype
gawk-doc
gdbm
granatier
grantlee-editor
groff
gwenview
kaccounts-integration
kaccounts-providers
kactivities-kf5
kactivities-stats
kactivitymanagerd
kaddressbook
kajongg
kalarm
kalarmcal
kalgebra
kalzium
kamera
kanagram
kapidox
kapman
kapptemplate
karchive
kate
katomic
kbackup
kblackbox
kblocks
kblog
kbookmarks
kbounce
kbreakout
kbruch
kcachegrind
kcalc
kcalcore
kcalutils
kcharselect
kcmutils
kcodecs
kcolorchooser
kcompletion
kconfig
kconfigwidgets
kcontacts
kcoreaddons
kcrash
kcron
kdav
kdbusaddons
kde-cli-tools
kde-dev-scripts
kde-dev-utils
kde-gtk-config
kde-spectacle
kdebugsettings
kdeclarative
kdecoration
kded
kdeedu-data
kdegraphics-mobipocket
kdegraphics-thumbnailers
kdelibs4support
kdenetwork-filesharing
kdenlive
kdepim-addons
kdepim-runtime
kdeplasma-addons
kdesdk-kioslaves
kdesdk-thumbnailers
kdesignerplugin
kdesu
kdewebkit
kdf
kdialog
kdiamond
kdnssd-kf5
keditbookmarks
kemoticons
kf5-kdepim-apps-libs
kf5-messagelib
kfilemetadata-kf5
kfind
kfloppy
kfourinline
kgamma5
kgeography
kget
kglobalaccel
kgoldrunner
kgpg
kguiaddons
khangman
khelpcenter
kholidays
khotkeys
khtml
ki18n
kiconthemes
kidentitymanagement
kidletime
kig
kigo
killbots
kimageformats
kimagemapeditor
kimap
kinfocenter
kinit
kio
kio-extras
kirigami2
kiriki
kitemmodels
kitemviews
kiten
kitinerary
kjobwidgets
kjs
kjsembed
kjumpingcube
kldap
kleopatra
klettres
klickety
klines
kmag
kmahjongg
kmail
kmail-account-wizard
kmailtransport
kmbox
kmediaplayer
kmenuedit
kmime
kmines
kmousetool
kmplot
knavalbattle
knetwalk
knewstuff
knights
knotes
knotifications
knotifyconfig
kolf
kollision
kolourpaint
kompare
konqueror
konquest
konsole
kontact
kontactinterface
korganizer
kpackage
kparts
kpat
kpeople
kphotoalbum
kpimtextedit
kpkpass
kplotting
kpty
kqtquickcharts
krdc
kreversi
krfb
kronometer
kross
kruler
krunner
kscreen
kscreenlocker
kservice
kshisen
ksirk
ksmtp
ksnakeduel
kspaceduel
ksquares
ksshaskpass
kstars
ksudoku
ksyntax-highlighting
ksysguard
ksystemlog
kteatime
ktexteditor
ktextwidgets
ktimer
ktouch
ktuberling
kturtle
kubrick
kunitconversion
kwallet-kf5
kwallet-pam
kwalletmanager
kwayland
kwayland-integration
kwidgetsaddons
kwin
kwindowsystem
kwordquiz
kwrited
kxmlgui
kxmlrpcclient
latte-dock
libkcddb
libkcompactdisc
libkdegames
libkeduvocdocument
libkf5calendarsupport
libkf5eventviews
libkf5grantleetheme
libkf5gravatar
libkf5incidenceeditor
libkf5kdcraw
libkf5kexiv2
libkf5kgeomap
libkf5kipi
libkf5kmahjongg
libkf5ksieve
libkf5libkdepim
libkf5libkleo
libkf5mailcommon
libkf5mailimporter
libkf5pimcommon
libkf5sane
libkgapi
libkomparediff2
libkscreen
libksysguard
libsigsegv
libtasn1-6
libtool
libunistring
lokalize
lskat
mailutils
marble
mbox-importer
milou
minuet
modemmanager-qt
mongodb
mutt-vc-query
network-manager-l2tp
networkmanager-qt
okteta
oxygen
oxygen-icons5
palapeli
parley
partitionmanager
phonon
phonon-backend-vlc
picmi
pim-data-exporter
pim-sieve-editor
plasma-browser-integration
plasma-desktop
plasma-discover
plasma-framework
plasma-integration
plasma-nm
plasma-pa
plasma-sdk
plasma-vault
plasma-workspace
plasma-workspace-wallpapers
plymouth-kcm
polkit-kde-agent-1
powerdevil
poxml
prison-kf5
purpose
qqc2-desktop-style
qtcurve
rhythmbox-plugin-alternative-toolbar
rocs
rolo
sddm-kcm
signon-kwallet-extension
solid
sonnet
startpar
step
surfraw
svgpart
sweeper
syndication
systemsettings
sysvinit
threadweaver
ucspi-unix
umbrello
user-manager
wacomtablet
xdg-desktop-portal-kde
zile
