
[lintian] 01/01: New check for weak checksums in .dsc (Closes: #824916)



This is an automated email from the git hooks/post-receive script.

abe pushed a commit to branch master
in repository lintian.

commit 6fb8804acd4c188008c14f1ec0ead4748a344c4f
Author: Axel Beckert <abe@deuxchevaux.org>
Date:   Sat May 21 11:03:39 2016 +0200

    New check for weak checksums in .dsc (Closes: #824916)
---
 checks/fields.desc                    | 15 +++++++++++++++
 checks/fields.pm                      |  8 ++++++++
 debian/changelog                      |  2 ++
 t/source/no-sha256-checksum/Makefile  | 14 ++++++++++++++
 t/source/no-sha256-checksum/desc      |  4 ++++
 t/source/no-sha256-checksum/dsc.in.in | 12 ++++++++++++
 t/source/no-sha256-checksum/tags      |  1 +
 7 files changed, 56 insertions(+)

diff --git a/checks/fields.desc b/checks/fields.desc
index 22b426c..1168a8d 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -1276,3 +1276,18 @@ Info: No package should (build-) depend on 'perl-modules'. Instead, a
  suitable dependency on 'perl' should be used. The existence of the
  perl-modules package is an implementation detail of the perl
  packaging.
+
+Tag: no-strong-checksums-in-dsc
+Severity: serious
+Certainty: certain
+Info: This .dsc file contains no Checksum-Sha256 field and hence only
+ weak checksums.
+ .
+ This issue will only show up for source packages built with
+ dpkg-source before 1.14.17 (March 2008) and hence will probably never
+ show up when you run lintian locally but only on
+ https://lintian.debian.org/ for source packages in the archive.
+ .
+ Accordingly it can be fixed by simply rebuilding the source package
+ with a more recent dpkg-source version, i.e. by uploading a new
+ debian release of the package.
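Review bot: The first line of the Info text names the field "Checksum-Sha256", but the check in checks/fields.pm looks up 'checksums-sha256' and the test description in this same commit calls it "Checksums-Sha256". The description should use the plural spelling so that a maintainer searching a .dsc for the field name finds it. In the last paragraph, "debian release" should be capitalised as "Debian release".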
diff --git a/checks/fields.pm b/checks/fields.pm
index 1f59652..732be43 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -1309,6 +1309,14 @@ sub run {
         }
     }
 
+    #---- Checksums
+
+    if ($type eq 'source') {
+        if (!$info->field('checksums-sha256')) {
+            tag 'no-strong-checksums-in-dsc';
+        }
+    }
+
     #----- Field checks (without checking the value)
 
     for my $field (keys %{$info->field}) {
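Review bot: The condition "!$info->field('checksums-sha256')" tests for one specific field, while the tag it emits is named no-strong-checksums-in-dsc. If a .dsc ever carries a different strong checksum field without Checksums-Sha256, the tag would still fire. Either name the tag after the field it actually checks, or test against the set of fields considered strong. Two smaller points: the nested ifs can be a single "if ($type eq 'source' && !$info->field('checksums-sha256'))", and the section marker "#---- Checksums" has four dashes where the following "#----- Field checks" marker has five.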
diff --git a/debian/changelog b/debian/changelog
index 468e06a..5771011 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ lintian (2.5.45) UNRELEASED; urgency=medium
       /usr/share/cdbs/1/rules/debhelper.mk.
   * checks/fields.{desc,pm}:
     + [JW] Fix typos.
+    + [AB] Add new check for weak checksums in source packages:
+      new tag no-strong-checksums-in-dsc (Closes: #824916)
   * checks/files.desc:
     + [BR] Do not suggest unsupported Multi-arch: no.
       (Closes: #816455)
diff --git a/t/source/no-sha256-checksum/Makefile b/t/source/no-sha256-checksum/Makefile
new file mode 100644
index 0000000..4e6543b
--- /dev/null
+++ b/t/source/no-sha256-checksum/Makefile
@@ -0,0 +1,14 @@
+name = no-sha256-checksum
+dir  = $(name)-1
+
+all:
+	mkdir -p $(dir)/debian/source
+	cp changelog copyright control rules $(dir)/debian/
+	echo 9 > $(dir)/debian/compat
+	echo "3.0 (native)" > $(dir)/debian/source/format
+	tar cfz $(name)_1.tar.gz $(dir)
+	subst-dsc $(name)_1.tar.gz < dsc.in > $(name)_1.dsc
+
+clean:
+	rm -rf $(dir)
+	rm -f $(name)_1*
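Review bot: The subst-dsc line reads "dsc.in", but this commit adds only "dsc.in.in" to the test directory. If the test harness generates dsc.in from that template, a one-line comment above the "all" target saying so would make the Makefile understandable on its own. The "all" and "clean" targets should also be declared .PHONY.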
diff --git a/t/source/no-sha256-checksum/desc b/t/source/no-sha256-checksum/desc
new file mode 100644
index 0000000..6e64f22
--- /dev/null
+++ b/t/source/no-sha256-checksum/desc
@@ -0,0 +1,4 @@
+Testname: no-sha256-checksum
+Sequence: 6000
+Version: 1.0
+Description: Test for missing Checksums-Sha256 field
diff --git a/t/source/no-sha256-checksum/dsc.in.in b/t/source/no-sha256-checksum/dsc.in.in
new file mode 100644
index 0000000..e169c45
--- /dev/null
+++ b/t/source/no-sha256-checksum/dsc.in.in
@@ -0,0 +1,12 @@
+Format: 1.0
+Source: no-sha256-checksum
+Binary: no-sha256-checksum
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: {$standards_version}
+Build-Depends: debhelper (>= 9)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ no-sha256-checksum_1.tar.gz
+Files:
+ @MD5@ @SIZE@ no-sha256-checksum_1.tar.gz
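Review bot: The fixture declares "Format: 1.0", while the Makefile for this test writes "3.0 (native)" into debian/source/format. The two should agree so that the test exercises only the missing checksum field and the expected tags file stays at the single tag. The fixture also keeps Checksums-Sha1, so only the case of Sha1 without Sha256 is covered; a second fixture with just the Files field would cover a .dsc that carries MD5 only.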
diff --git a/t/source/no-sha256-checksum/tags b/t/source/no-sha256-checksum/tags
new file mode 100644
index 0000000..84ad849
--- /dev/null
+++ b/t/source/no-sha256-checksum/tags
@@ -0,0 +1 @@
+E: no-sha256-checksum source: no-strong-checksums-in-dsc

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

