
Bug#824916: lintian: Check for weak signatures in source packages



Package: lintian
Version: 2.5.44
Severity: wishlist
Tags: patch
User: debian-perl@lists.debian.org
Usertags: zrh2016
Control: owner -1 !

Hi,

during the (ongoing) Debian Perl Team Sprint, one of the discussed
topics was dpkg-source now issuing warnings about weak signatures when
extracting source packages. (For some time, in versions 1.18.5 and
1.18.6, it even bailed out, failing to extract source packages as they
are currently in Sid -- which is the reason why the default was reverted
and it only prints a warning since 1.18.7.) Some more context is in
https://bugs.debian.org/823428

An affected example source package is libclass-default-perl_1.51-2.dsc
from the archive: last uploaded in 2008.

We wondered if it would be helpful to have a Lintian tag for that:

* It would give a nice statistic over the archive, which packages are
  affected like some recently introduced (or at least discussed)
  categorizing tags.

* The according tag will likely never be emitted while
  building/developing a package as this won't be triggered by packages
  built with more recent dpkg-source versions. So it will _only_ show up
  on https://lintian.debian.org/ for source packages not uploaded for
  years, because they will automatically be fixed when uploading a new
  package.

Especially the latter may confuse people because they won't be able to
reproduce the warning locally if they rebuild or work on the package.

Still, it would be a nice way to get a list of these packages.

Following is my patch so far (without the test case). I'm not sure if
the severity "serious" is the proper value, so please feel free to
comment on that.

diff --git a/checks/fields.desc b/checks/fields.desc
index 22b426c..1168a8d 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -1276,3 +1276,18 @@ Info: No package should (build-) depend on 'perl-modules'. Instead, a
  suitable dependency on 'perl' should be used. The existence of the
  perl-modules package is an implementation detail of the perl
  packaging.
+
+Tag: no-strong-checksums-in-dsc
+Severity: serious
+Certainty: certain
+Info: This .dsc file contains no Checksum-Sha256 field and hence only
+ weak checksums.
+ .
+ This issue will only show up for source packages built with
+ dpkg-source before 1.14.17 (March 2008) and hence will probably never
+ show up when you run lintian locally but only on
+ https://lintian.debian.org/ for source packages in the archive.
+ .
+ Accordingly it can be fixed by simply rebuilding the source package
+ with a more recent dpkg-source version, i.e. by uploading a new
+ debian release of the package.
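Review bot: the Info text names the field "Checksum-Sha256", but the check in fields.pm tests 'checksums-sha256' and the field dpkg-source writes into a .dsc is "Checksums-Sha256" (plural); the description should use the same spelling as the code, e.g. "This .dsc file contains no Checksums-Sha256 field". On the severity question raised in the report: "Severity: serious" with "Certainty: certain" gives an RC-level tag to packages whose maintainers, as the report itself notes, cannot reproduce the warning locally and can only clear it by uploading; since the tag is mainly meant to produce an archive-wide list, a lower severity such as "important" or "normal" seems more fitting, and the description's "weak checksums" wording would then match the tag's actual role as a statistic rather than a release blocker.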
diff --git a/checks/fields.pm b/checks/fields.pm
index 1f59652..732be43 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -1309,6 +1309,14 @@ sub run {
         }
     }
 
+    #---- Checksums
+
+    if ($type eq 'source') {
+        if (!$info->field('checksums-sha256')) {
+            tag 'no-strong-checksums-in-dsc';
+        }
+    }
+
     #----- Field checks (without checking the value)
 
     for my $field (keys %{$info->field}) {
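Review bot: the new block only tests whether the Checksums-Sha256 field is present at all, so a .dsc whose field exists but is empty, or lists sha256 sums for only a subset of the files named in Files, passes silently; if the intent is "every source file has a strong checksum", the check should walk the entries of both fields and compare the file lists rather than stop at `!$info->field('checksums-sha256')`. Also, the report says the patch is "without the test case": a fixture .dsc lacking Checksums-Sha256 under t/ is needed before this can be merged, and it is the only way to exercise the tag, since, as the report notes, packages built with a current dpkg-source never trigger it.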

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), (111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), (105, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.26-9
ii  bzip2                             1.0.6-8
ii  diffstat                          1.61-1
ii  file                              1:5.25-2
ii  gettext                           0.19.7-2
ii  hardening-includes                2.8+nmu2
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.29+b5
ii  libarchive-zip-perl               1.57-1
ii  libclass-accessor-perl            0.34-1
ii  libclone-perl                     0.38-1+b1
ii  libdata-alias-perl                1.20-1+b1
ii  libdigest-sha-perl                5.95-2+b1
ii  libdpkg-perl                      1.18.7
ii  libemail-valid-perl               1.198-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.94-1
ii  liblist-moreutils-perl            0.413-1+b1
ii  libparse-debianchangelog-perl     1.2.0-8
ii  libperl5.22 [libdigest-sha-perl]  5.22.2-1
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.71-1
ii  libyaml-libyaml-perl              0.41-6+b1
ii  man-db                            2.7.5-1
ii  patchutils                        0.3.4-1
ii  perl                              5.22.2-1
ii  t1utils                           1.39-2
ii  xz-utils                          5.1.1alpha+20120614-2.1

Versions of packages lintian recommends:
ii  dpkg                                 1.18.7
ii  libautodie-perl                      2.29-2
ii  libperlio-gzip-perl                  0.19-1+b1
ii  perl                                 5.22.2-1
ii  perl-modules-5.22 [libautodie-perl]  5.22.2-1

Versions of packages lintian suggests:
ii  binutils-multiarch     2.26-9
ii  dpkg-dev               1.18.7
ii  libhtml-parser-perl    3.72-1
ii  libtext-template-perl  1.46-1

-- no debconf information

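As an added example that is not part of the bug report or of lintian's own code, the following Python script shows what the proposed tag is looking at: it constructs a minimal unsigned .dsc (layout assumed from the Files / Checksums-Sha1 / Checksums-Sha256 fields dpkg-source writes, each line being "digest size filename"), parses the fields, emits the proposed `no-strong-checksums-in-dsc` tag when Checksums-Sha256 is missing, and additionally recomputes every listed digest against constructed file contents, which is the part a checker that wants "strong checksums" rather than just "a field exists" has to do. The file contents, source name and version are made up for the example; real .dsc files in the archive are PGP clearsigned and carry more fields, and this parser assumes the signature armour has already been stripped.

```python
"""Added example (not lintian code): classify and verify checksums in a .dsc.

Assumed .dsc layout: a 'Files:' field with md5 lines, and optional
'Checksums-Sha1:' / 'Checksums-Sha256:' fields, each entry formatted as
' <hexdigest> <size> <filename>'.  Signature armour is assumed stripped.
"""
import hashlib

# Constructed stand-ins for the files a .dsc would reference (not real packages).
SAMPLE_FILES = {
    "foo_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "foo_1.0-1.diff.gz": b"constructed debian diff bytes\n",
}

# Field name (lowercased) -> hash algorithm used for its entries.
FIELD_ALGO = {"files": "md5", "checksums-sha1": "sha1", "checksums-sha256": "sha256"}


def _entry(algo, data, name):
    """One continuation line of a checksum field."""
    return f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}"


def build_dsc(files, with_sha1=True, with_sha256=True):
    """Construct a minimal unsigned .dsc; flags simulate older dpkg-source output."""
    lines = ["Format: 1.0", "Source: foo", "Version: 1.0-1"]
    if with_sha1:
        lines.append("Checksums-Sha1:")
        lines += [_entry("sha1", d, n) for n, d in files.items()]
    if with_sha256:
        lines.append("Checksums-Sha256:")
        lines += [_entry("sha256", d, n) for n, d in files.items()]
    lines.append("Files:")
    lines += [_entry("md5", d, n) for n, d in files.items()]
    return "\n".join(lines) + "\n"


def parse_dsc(text):
    """Parse RFC822-style fields with continuation lines into {lowercase name: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line belongs to the previous field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip().lower()
            fields[current] = value.strip()
    return fields


def parse_checksum_field(value):
    """'<digest> <size> <name>' lines -> {name: (digest, size)}."""
    entries = {}
    for line in value.splitlines():
        if line.strip():
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def lintian_tags(fields):
    """Mirror of the proposed check: tag when Checksums-Sha256 is absent or empty."""
    tags = []
    if not fields.get("checksums-sha256", "").strip():
        tags.append("no-strong-checksums-in-dsc")
    return tags


def verify_checksums(fields, blobs):
    """Recompute every listed digest against blobs[name]; return a list of problems."""
    problems = []
    for field, algo in FIELD_ALGO.items():
        if field not in fields:
            continue
        for name, (digest, size) in parse_checksum_field(fields[field]).items():
            data = blobs.get(name)
            if data is None:
                problems.append(f"{field}: {name} is listed but not present")
                continue
            if len(data) != size:
                problems.append(f"{field}: size mismatch for {name}")
            if hashlib.new(algo, data).hexdigest() != digest:
                problems.append(f"{field}: {algo} mismatch for {name}")
    return problems


if __name__ == "__main__":
    # A 2008-style .dsc (Files only) versus one from a current dpkg-source.
    old = parse_dsc(build_dsc(SAMPLE_FILES, with_sha1=False, with_sha256=False))
    new = parse_dsc(build_dsc(SAMPLE_FILES))
    print("old:", lintian_tags(old), "new:", lintian_tags(new))
    print("new verifies:", verify_checksums(new, SAMPLE_FILES))
```

The `lintian_tags` function reproduces the logic of the patch; `verify_checksums` goes one step further than the patch and is what an archive-side check would need if the point is to trust the sha256 sums rather than merely note that the field exists.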
