On Sat 2016-05-21 04:57:15 -0400, Axel Beckert wrote:

> during the (ongoing) Debian Perl Team Sprint, one of the discussed
> topics was dpkg-source now issuing warnings about weak signatures when
> extracting source packages. (For some time, in versions 1.18.5 and
> 1.18.6, it even bailed out, failing to extract source packages as they
> are currently in Sid -- which is the reason why the default was reverted
> and it only prints a warning since 1.18.7.) Some more context is in
> https://bugs.debian.org/823428

fwiw, the lintian check you propose is actually a check for a weak
digest algorithm in the manifest that a .dsc or .changes file
represents. It does *not* cover any test for a weak signature (so the
subject line of this bug report is a little off). I'd name the message
no-strong-digests-in-dsc, rather than no-strong-checksums-in-dsc, but
i'd be fine with it as it stands.

fwiw, a signed .dsc file itself might also use a weak digest algorithm
in its signature itself. I'd love to see an additional check for that,
but i guess that's a separate question.

> An affected example source package is libclass-default-perl_1.51-2.dsc
> from the archive: last uploaded in 2008.
>
> We wondered if it would be helpful to have a Lintian tag for that:
>
> * It would give a nice statistic over the archive, which packages are
>   affected like some recently introduced (or at least discussed)
>   categorizing tags.
>
> * The according tag will likely never be emitted while
>   building/developing a package as this won't be triggered by packages
>   built with more recent dpkg-source versions. So it will _only_ show up
>   on https://lintian.debian.org/ for source packages not uploaded for
>   years, because they will automatically be fixed when uploading a new
>   package.
>
> Especially the latter may confuse people because they won't be able to
> reproduce the warning locally if they rebuild or work on the package.
>
> Still, it would be a nice way to get a list of these packages.

It would be a very good thing indeed, thanks for suggesting it.

> Following is my patch so far (without the test case). I'm not sure if
> the severity "serious" is the proper value, so please feel free to
> comment on that.

I agree that it is "serious". This is 2016, we should be requiring
strong digests.

    --dkg
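The distinction dkg draws above (weak digests in the manifest of a .dsc versus a weak digest in the signature over it) is easy to see in code. The following is an added example, not lintian's code nor the patch discussed in this bug: it parses a clearsigned or plain .dsc, reports which digest algorithms the Files/Checksums-* manifest carries (only SHA-256 is counted as strong, matching what dpkg-source began warning about in 1.18.5), separately reports the OpenPGP "Hash:" armor header that names the digest used by the signature, and recomputes every listed digest over supplied file contents. The two .dsc texts, the file name and the bytes b"abc" are constructed sample data; the digests are the standard md5/sha1/sha256 test vectors for "abc". The signature itself is not verified.

```python
import hashlib

# Only SHA-256 counts as a strong manifest digest for this check
# (dpkg-source >= 1.18.5 warns when no strong checksum field is present).
STRONG_ALGORITHMS = {"sha256"}
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def strip_clearsign(text):
    """Return (armor_hash, body). armor_hash is the OpenPGP 'Hash:' header
    (RFC 4880 section 7) naming the digest used by the signature; None for an
    unsigned .dsc. The signature is reported, not verified."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != CLEARSIGN_BEGIN:
        return None, text
    armor_hash, i = None, 1
    while i < len(lines) and lines[i].strip():       # armor headers
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            armor_hash = value.strip()
        i += 1
    body = []
    for line in lines[i + 1:]:                        # skip blank separator
        if line.strip() == SIG_BEGIN:
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return armor_hash, "\n".join(body)


def parse_fields(body):
    """Minimal deb822 parser: 'Name: value' with space-indented continuations."""
    fields, current = {}, None
    for line in body.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current:
            fields[current] = (fields[current] + "\n" + line.strip()).lstrip("\n")
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def digest_algorithms(fields):
    """'md5' for the legacy Files field, plus one entry per Checksums-* field."""
    algos = {"md5"} if "Files" in fields else set()
    for name in fields:
        if name.lower().startswith("checksums-"):
            algos.add(name.split("-", 1)[1].lower())
    return algos


def check_dsc(text):
    """Summary a lintian-style check could emit a tag from."""
    armor_hash, body = strip_clearsign(text)
    fields = parse_fields(body)
    return {"signature_hash": armor_hash,
            "manifest_digests": sorted(digest_algorithms(fields)),
            "strong": bool(digest_algorithms(fields) & STRONG_ALGORITHMS)}


def verify_entries(fields, file_contents):
    """Recompute every listed digest over the given bytes; return mismatches."""
    sections = [("md5", fields.get("Files", ""))]
    sections += [(n.split("-", 1)[1].lower(), v) for n, v in fields.items()
                 if n.lower().startswith("checksums-")]
    problems = []
    for algo, block in sections:
        for entry in block.splitlines():
            digest, size, name = entry.split()
            data = file_contents.get(name)
            if data is None:
                problems.append((algo, name, "missing file"))
            elif len(data) != int(size):
                problems.append((algo, name, "size mismatch"))
            elif hashlib.new(algo, data).hexdigest() != digest:
                problems.append((algo, name, "digest mismatch"))
    return problems


# Constructed samples: an old clearsigned .dsc with md5 + sha1 only, and a
# newer one carrying Checksums-Sha256. The tarball content is the bytes "abc".
TARBALL = "hello_1.0.orig.tar.gz"
OLD_DSC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: hello
Version: 1.0-1
Files:
 900150983cd24fb0d6963f7d28e17f72 3 {TARBALL}
Checksums-Sha1:
 a9993e364706816aba3e25717850c26c9cd0d89d 3 {TARBALL}
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
NEW_DSC = f"""Format: 3.0 (quilt)
Source: hello
Version: 1.0-2
Checksums-Sha1:
 a9993e364706816aba3e25717850c26c9cd0d89d 3 {TARBALL}
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 {TARBALL}
Files:
 900150983cd24fb0d6963f7d28e17f72 3 {TARBALL}
"""

if __name__ == "__main__":
    for label, dsc in (("old", OLD_DSC), ("new", NEW_DSC)):
        print(label, check_dsc(dsc))
    print(verify_entries(parse_fields(NEW_DSC), {TARBALL: b"abc"}))
```

Run as a script it prints the old .dsc as not strong (md5 and sha1 in the manifest, SHA1 in the signature's armor header) and the new one as strong; a tag such as the proposed no-strong-digests-in-dsc would be emitted from the `strong` flag, while the `signature_hash` value is the separate check dkg mentions.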