
Bug#824916: lintian: Check for weak signatures in source packages



On Sat 2016-05-21 04:57:15 -0400, Axel Beckert wrote:
> during the (ongoing) Debian Perl Team Sprint, one of the discussed
> topics was dpkg-source now issuing warnings about weak signatures when
> extracting source packages. (For some time, in versions 1.18.5 and
> 1.18.6, it even bailed out, failing to extract source packages as they
> are currently in Sid -- which is the reason why the default was reverted
> and it only prints a warning since 1.18.7.) Some more context is in
> https://bugs.debian.org/823428

fwiw, the lintian check you propose is actually a check for a weak
digest algorithm in the manifest that a .dsc or .changes file
represents.  It does *not* cover any test for a weak signature (so the
subject line of this bug report is a little off).

I'd name the message no-strong-digests-in-dsc, rather than
no-strong-checksums-in-dsc, but i'd be fine with it as it stands.

fwiw, a signed .dsc file itself might also use a weak digest algorithm
in its signature itself.  I'd love to see an additional check for that,
but i guess that's a separate question.

> An affected example source package is libclass-default-perl_1.51-2.dsc
> from the archive: last uploaded in 2008.
>
> We wondered if it would be helpful to have a Lintian tag for that:
>
> * It would give a nice statistic over the archive, which packages are
>   affected like some recently introduced (or at least discussed)
>   categorizing tags.
>
> * The according tag will likely never be emitted while
>   building/developing a package as this won't be triggered by packages
>   built with more recent dpkg-source versions. So it will _only_ show up
>   on https://lintian.debian.org/ for source packages not uploaded for
>   years, because they will automatically be fixed when uploading a new
>   package.
>
> Especially the latter may confuse people because they won't be able to
> reproduce the warning locally if they rebuild or work on the package.
>
> Still, it would be a nice way to get a list of these packages.

It would be a very good thing indeed, thanks for suggesting it.

> Following is my patch so far (without the test case). I'm not sure if
> the severity "serious" is the proper value, so please feel free to
> comment on that.

I agree that it is "serious".  This is 2016, we should be requiring
strong digests.

         --dkg
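As an added illustration of the distinction drawn above (digest fields in the .dsc manifest versus the digest used by the signature itself), here is example code that is not part of this bug report or of lintian. It assumes SHA-256 and stronger count as strong, reads the OpenPGP `Hash:` armor header as the signature's digest, and runs on constructed sample .dsc text.

```python
STRONG = {"sha256", "sha384", "sha512"}  # assumption: what counts as a strong digest here
# .dsc manifest fields and the digest each carries; the legacy Files field is MD5.
MANIFEST_FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def split_clearsigned(text):
    """Return (signature_hash, manifest_lines); signature_hash is None for an unsigned .dsc."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return None, lines
    sig_hash, i = None, 1
    while i < len(lines) and lines[i]:  # armor headers run until the first blank line
        key, _, val = lines[i].partition(":")
        if key.strip() == "Hash":
            sig_hash = val.strip().lower()
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return sig_hash, body

def manifest_digests(lines):
    """Digest algorithms whose checksum field appears (field names start at column 0)."""
    fields = {l.split(":", 1)[0] for l in lines if l and not l[0].isspace()}
    return {alg for name, alg in MANIFEST_FIELDS.items() if name in fields}

def check_dsc(text):
    """Report the two separate findings: manifest digest strength vs. signature hash."""
    sig_hash, body = split_clearsigned(text)
    digests = manifest_digests(body)
    return {"manifest_digests": digests,
            "no_strong_checksums_in_dsc": not (digests & STRONG),
            "signature_hash": sig_hash,
            "weak_signature_hash": sig_hash is not None and sig_hash not in STRONG}

# Constructed sample: placeholder checksums and signature block, not real archive data.
OLD_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: example-perl
Files:
 00000000000000000000000000000000 1024 example-perl_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
"""
NEW_DSC = OLD_DSC.replace("Hash: SHA1", "Hash: SHA256").replace(
    "Files:", "Checksums-Sha256:\n " + "0" * 64 + " 1024 example-perl_1.0.orig.tar.gz\nFiles:")
```

`check_dsc(OLD_DSC)` flags both the MD5-only manifest and the SHA-1 signature hash, while `check_dsc(NEW_DSC)` flags neither.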


