Bug#711553: [lintian] Patch
Package: lintian
Version: 2.5.14
control: tags -1 + patch
patch here.
From 24affd937e2f086d0c00f92e8db8cc9af8627c8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Mon, 26 Aug 2013 17:25:23 +0200
Subject: [PATCH 1/2] Add pedantic tag for uscan pgp verification
Add a pedantic check that warns about the lack of PGP verification.
---
checks/watch-file.desc | 22 ++++++++++++++++
checks/watch-file.pm | 32 +++++++++++++-----------
t/tests/watch-file-general/debian/debian/watch | 3 +++
t/tests/watch-file-general/desc | 3 +++
t/tests/watch-file-general/tags | 1 +
5 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index f35ce8c..998ee8d 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -138,6 +138,28 @@ Info: The watch file specifies an upstream version number which matches
upstream version. Otherwise, DEHS and similar projects will think the
package is out of date even when it may not be.
+Tag: debian-watch-may-check-gpg-signature
+Severity: pedantic
+Certainty: wild-guess
+Ref: uscan(1)
+Info: This watch file does not include a means to verify the
+ the upstream tar using crytpographic signature.
+ .
+ if upstream distributions provide such signatures please
+ use the pgpsigurlmangle options in this watch file
+ opts= to generate the upstream URL of an GPG signature.
+ This signature is automatically downloaded and verified
+ against a keyring stored in debian/upstream-signing-key.pgp
+ .
+ Of course, not all upstream distributions provide such
+ signatures but you could try to request such signatures
+ from upstream and thus verifying that not a third party
+ modified the code after the release against the will
+ of upstream. We all know the phpmyadmin, unrealircd
+ or proftpd security bugs (only to mention some of
+ them). This would at least make it a lot harder for an attacker to get
+ such code to a wider audience through distributions like Debian.
+
Tag: debian-watch-contains-dh_make-template
Severity: wishlist
Certainty: certain
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 4e4ae98..6a1560e 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -31,6 +31,7 @@ use Lintian::Util qw(is_ancestor_of);
sub run {
my (undef, undef, $info) = @_;
my $template = 0;
+ my $withgpgverification = 0;
my $wfile = $info->debfiles('watch');
if (-l $wfile) {
@@ -104,21 +105,21 @@ sub run {
|| s/^opt(?:ion)?s=(\S+)\s+//) {
$opts = $1;
@opts = split(',', $opts);
- if (defined $repack or defined $prerelease) {
- for (@opts) {
- $repack_mangle = 1
- if defined $repack
- and /^[ud]?versionmangle\s*=.*$repack/;
- $repack_dmangle = 1
- if defined $repack
- and /^dversionmangle\s*=.*$repack/;
- $prerelease_mangle = 1
- if defined $prerelease
- and /^[ud]?versionmangle\s*=.*$prerelease/;
- $prerelease_umangle = 1
- if defined $prerelease
- and /^uversionmangle\s*=.*$prerelease/;
- }
+ for (@opts) {
+ $repack_mangle = 1
+ if defined $repack
+ and /^[ud]?versionmangle\s*=.*$repack/;
+ $repack_dmangle = 1
+ if defined $repack
+ and /^dversionmangle\s*=.*$repack/;
+ $prerelease_mangle = 1
+ if defined $prerelease
+ and /^[ud]?versionmangle\s*=.*$prerelease/;
+ $prerelease_umangle = 1
+ if defined $prerelease
+ and /^uversionmangle\s*=.*$prerelease/;
+ $withgpgverification = 1
+ if /^pgpsigurlmangle\s*=\s*/;
}
}
if (m%qa\.debian\.org/watch/sf\.php\?%) {
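Review bot: The trailing `\s*` in the new test on the line `$withgpgverification = 1 if /^pgpsigurlmangle\s*=\s*/;` is dead, since nothing is matched after it; `$withgpgverification = 1 if /^pgpsigurlmangle\s*=/;` expresses the same condition. Dropping the `if (defined $repack or defined $prerelease)` guard is what makes the new flag reachable for watch lines that use neither option, and the per-assignment `if defined` tests preserve the old behaviour, but that reasoning is not visible at the loop head; a comment such as `# always scan the options: pgpsigurlmangle must be detected even without repack/prerelease` would record it. The `run` sub and the enclosing per-line loop begin outside the hunk, so whether `$opts` can still carry surrounding quotes at this point cannot be confirmed from here.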
@@ -178,6 +179,7 @@ sub run {
close($fd);
tag 'debian-watch-contains-dh_make-template' if ($template);
+ tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
my $changes = $info->changelog;
if (defined $changes and %dversions) {
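Review bot: The new pedantic tag is emitted for every watch file without a `pgpsigurlmangle` option, including one that the line above has just flagged as an unedited dh_make template, where the more specific tag is the actionable one; `tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification or $template);` would avoid reporting both on the same file, if that is the intended semantics. The enclosing `run` sub begins and ends outside the hunk.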
diff --git a/t/tests/watch-file-general/debian/debian/watch b/t/tests/watch-file-general/debian/debian/watch
index a39a05b..260fa39 100644
--- a/t/tests/watch-file-general/debian/debian/watch
+++ b/t/tests/watch-file-general/debian/debian/watch
@@ -19,3 +19,6 @@ version=42
# Specifies the same version number as the package.
http://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate
+
+
+# without any pgpsigurlmangle
\ No newline at end of file
diff --git a/t/tests/watch-file-general/desc b/t/tests/watch-file-general/desc
index 861fffb..bcb8112 100644
--- a/t/tests/watch-file-general/desc
+++ b/t/tests/watch-file-general/desc
@@ -3,8 +3,11 @@ Sequence: 6000
Type: non-native
Version: 2.0.ds1-1
Description: General watch file checks
+Options: -I -E --pedantic
+Skeleton: pedantic
Test-For:
debian-watch-file-declares-multiple-versions
+ debian-watch-may-check-gpg-signature
debian-watch-file-should-dversionmangle-not-uversionmangle
debian-watch-file-should-mangle-version
debian-watch-file-should-use-sf-redirector
diff --git a/t/tests/watch-file-general/tags b/t/tests/watch-file-general/tags
index d3afe11..de38a58 100644
--- a/t/tests/watch-file-general/tags
+++ b/t/tests/watch-file-general/tags
@@ -1,4 +1,5 @@
I: watch-file-general source: debian-watch-file-should-dversionmangle-not-uversionmangle line 5
+P: watch-file-general source: debian-watch-may-check-gpg-signature
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 18
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 7
W: watch-file-general source: debian-watch-file-should-mangle-version line 12
--
1.7.10.4
From 294cbf44cbb17b33786a5f4cf96f4387ebb31b67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Mon, 26 Aug 2013 18:33:53 +0200
Subject: [PATCH 2/2] Add check of existance of
debian/upstream-signing-key.pgp in case of uscan
cryptographic signature
uscan can only verify the signature if the package carries the upstream public key, so check that it does.
---
checks/watch-file.desc | 9 +++++++++
checks/watch-file.pm | 7 +++++++
t/tests/watch-file-pubkey-missing/debian/README | 1 +
t/tests/watch-file-pubkey-missing/debian/debian/watch | 3 +++
t/tests/watch-file-pubkey-missing/desc | 6 ++++++
t/tests/watch-file-pubkey-missing/tags | 1 +
t/tests/watch-file-pubkey-missing/upstream/README | 1 +
7 files changed, 28 insertions(+)
create mode 100644 t/tests/watch-file-pubkey-missing/debian/README
create mode 100644 t/tests/watch-file-pubkey-missing/debian/debian/watch
create mode 100644 t/tests/watch-file-pubkey-missing/desc
create mode 100644 t/tests/watch-file-pubkey-missing/tags
create mode 100644 t/tests/watch-file-pubkey-missing/upstream/README
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index 998ee8d..d09cf99 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -160,6 +160,15 @@ Info: This watch file does not include a means to verify the
them). This would at least make it a lot harder for an attacker to get
such code to a wider audience through distributions like Debian.
+Tag: debian-watch-file-pubkey-file-is-missing
+Severity: important
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file verify cryptographic signature but
+ the upstream public key is missing.
+ .
+ Please add upstream public keys in debian/upstream-signing-key.pgp.
+
Tag: debian-watch-contains-dh_make-template
Severity: wishlist
Certainty: certain
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 6a1560e..2ab58aa 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -181,6 +181,13 @@ sub run {
tag 'debian-watch-contains-dh_make-template' if ($template);
tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
+ if ($withgpgverification) {
+ my $pgpfile = $info->debfiles('upstream-signing-key.pgp');
+ if (!-f $pgpfile) {
+ tag 'debian-watch-file-pubkey-file-is-missing';
+ }
+ }
+
my $changes = $info->changelog;
if (defined $changes and %dversions) {
my $data = $changes->data;
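Review bot: `!-f $pgpfile` follows symlinks, so a `debian/upstream-signing-key.pgp` that is a symlink (possibly pointing outside the unpacked source) passes the check, whereas the watch file itself is tested with `-l` before use earlier in `run`; handling the key file the same way, e.g. `if (-l $pgpfile or !-f $pgpfile)`, keeps the two consistent, if a dangling or external link should count as missing. `-f` is also true for an empty file, which is not a usable keyring; whether that deserves this tag or a separate one is a design choice worth a comment. As a point of style, the block could follow the neighbouring one-line form: `tag 'debian-watch-file-pubkey-file-is-missing' if $withgpgverification and !-f $info->debfiles('upstream-signing-key.pgp');`. The enclosing `run` sub begins and ends outside the hunk.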
diff --git a/t/tests/watch-file-pubkey-missing/debian/README b/t/tests/watch-file-pubkey-missing/debian/README
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/t/tests/watch-file-pubkey-missing/debian/README
@@ -0,0 +1 @@
+README
diff --git a/t/tests/watch-file-pubkey-missing/debian/debian/watch b/t/tests/watch-file-pubkey-missing/debian/debian/watch
new file mode 100644
index 0000000..7ac78bc
--- /dev/null
+++ b/t/tests/watch-file-pubkey-missing/debian/debian/watch
@@ -0,0 +1,3 @@
+version=3
+opts="uversionmangle=s/-/./,dversionmangle=s/\.dfsg\d+$//,pgpsigurlmangle=s/$/.asc/" \
+ftp://ftp.imagemagick.org/pub/ImageMagick/ ImageMagick-(.*)\.tar\.xz
diff --git a/t/tests/watch-file-pubkey-missing/desc b/t/tests/watch-file-pubkey-missing/desc
new file mode 100644
index 0000000..02bf7aa
--- /dev/null
+++ b/t/tests/watch-file-pubkey-missing/desc
@@ -0,0 +1,6 @@
+Testname: watch-file-pubkey-missing
+Sequence: 6000
+Type: non-native
+Version: 1+dfsg-1
+Description: Watch file if verify signature should check debian/upstream-signing-key.pgp
+Test-For: debian-watch-file-pubkey-file-is-missing
diff --git a/t/tests/watch-file-pubkey-missing/tags b/t/tests/watch-file-pubkey-missing/tags
new file mode 100644
index 0000000..c3b1f0d
--- /dev/null
+++ b/t/tests/watch-file-pubkey-missing/tags
@@ -0,0 +1 @@
+E: watch-file-pubkey-missing source: debian-watch-file-pubkey-file-is-missing
diff --git a/t/tests/watch-file-pubkey-missing/upstream/README b/t/tests/watch-file-pubkey-missing/upstream/README
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/t/tests/watch-file-pubkey-missing/upstream/README
@@ -0,0 +1 @@
+README
--
1.7.10.4