
Bug#824916: lintian: Check for weak signatures in source packages



Control: retitle -1 lintian: Check for weak digest algorithms in source packages

Hi Daniel,

thanks for your comments.

Daniel Kahn Gillmor wrote:
> On Sat 2016-05-21 04:57:15 -0400, Axel Beckert wrote:
> > during the (ongoing) Debian Perl Team Sprint, one of the discussed
> > topics was dpkg-source now issuing warnings about weak signatures when
> > extracting source packages. (For some time, in versions 1.18.5 and
> > 1.18.6, it even bailed out, failing to extract source packages as they
> > are currently in Sid -- which is the reason why the default was reverted
> > and it only prints a warning since 1.18.7.) Some more context is in
> > https://bugs.debian.org/823428
> 
> fwiw, the lintian check you propose is actually a check for a weak
> digest algorithm in the manifest that a .dsc or .changes file
> represents.

Correct. But the currently implemented variant only checks .dsc files.
I wonder if it makes sense to broaden that check to also check
.changes files:

* AFAIK the archive does not contain/archive .changes files, i.e. the
  check will not trigger for the archive wide tests as published on
  lintian.debian.org.
* Current dpkg-genchanges versions don't generate changes files
  without strong digest algorithms.

So this would only make sense, if

* Someone uses a current lintian version with an ancient dpkg-dev
  version. Why should someone? And if so, he can't fix it except by
  using a more modern dpkg-dev version.
* Someone tests the result of an alternative dpkg(-dev) implementation
  by checking the results with lintian. AFAIK no such implementation
  exists.
* Someone uploads a package built with an ancient dpkg-dev version to
  ftp.debian.org and there is not yet a check for weak digests at that
  point.

> It does *not* cover any test for a weak signature (so the
> subject line of this bug report is a little off.

Fixed. But that misleading Subject does exist for a reason. See below.

> I'd name the message no-strong-digests-in-dsc, rather than
> no-strong-checksums-in-dsc, but i'd be fine with it as it stands.

We still have the chance to do that as no lintian version has been
released since I initially committed the code. So I changed and pushed
it.

> fwiw, a signed .dsc file itself might also use a weak digest algorithm
> in its signature itself.

Correct. For about the first two hours of working on an implementation
for that check I actually tried to check that -- until I realised that
it's nearly impossible to get that information out of GnuPG, let alone
out of the three Perl interfaces to GnuPG I looked at.

Only then did I realise that the proposer(s) meant something different.
That's probably why the Subject was misleading initially -- I was
misled, too. :-)

> I'd love to see an additional check for that, but i guess that's a
> separate question.

And it probably would be a performance penalty, because Lintian
currently passes options to dpkg-source to bypass all (GnuPG)
signature checks. Checking them will cost quite some more time. This
might not be so much of an issue when checking single packages, but it
will be an issue when rechecking all packages in the archive on
lintian.debian.org.

Additionally, Lintian would also need a keyring with all the relevant
keys -- especially for source packages in the archive, as they may be
signed with keys that are no longer valid or have been removed from
the keyring.

> > An affected example source package is libclass-default-perl_1.51-2.dsc
> > from the archive: last uploaded in 2008.

Actually, this example package is a very good example, because it
represents both issues mentioned above:

* It's signed with a 1024-bit key that is no longer in the keyring.
* The key has been revoked because it was considered compromised.

> It would be a very good thing indeed, thanks for suggesting it.

IIRC the credit for the idea goes to Niko Tyni. :-)

> > Following is my patch so far (without the test case). I'm not sure if
> > the severity "serious" is the proper value, so please feel free to
> > comment on that.
> 
> I agree that it is "serious".  This is 2016, we should be requiring
> strong digests.

Good. Let's leave it that way. :-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE


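The check discussed in this thread, as an added example (Python; not lintian's own Perl code and not Axel's patch): parse a .dsc, strip the OpenPGP clearsign wrapper without verifying the signature (mirroring how Lintian has dpkg-source skip the GnuPG check), and flag a manifest that carries only MD5 (Files) or SHA-1 (Checksums-Sha1) digests and no Checksums-Sha256 field. The sample .dsc texts, package name, sizes, digests and signature block are constructed placeholders; the tag name follows the no-strong-digests-in-dsc name from the thread, and the per-file consistency check is this example's own addition beyond what the thread describes.

```python
"""Added example: flag a Debian .dsc whose file manifest lacks strong digests.

Not lintian's code. Package names, sizes and digests below are constructed
placeholders; the PGP blocks are stand-ins, not real signatures.
"""
import re

# dpkg-source accepts SHA-256 as strong; Files carries MD5, Checksums-Sha1 SHA-1.
STRONG_FIELDS = ("Checksums-Sha256",)
WEAK_FIELDS = ("Files", "Checksums-Sha1")


def strip_clearsign(text):
    """Return the signed body of a clearsigned .dsc, or the text unchanged if unsigned.

    No signature verification happens here, matching how lintian passes
    options to dpkg-source that bypass the GnuPG check."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:                    # i + 1 skips the blank separator
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"


def parse_deb822(text):
    """Parse the first deb822 paragraph into {field: value}; continuation lines joined by newlines."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break                              # a .dsc has a single paragraph
            continue
        if line[0] in " \t":                       # continuation of the previous field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
            continue
        m = re.match(r"^([!-9;-~]+):\s*(.*)$", line)  # printable ASCII, no colon, in the name
        if not m:
            raise ValueError(f"malformed .dsc line: {line!r}")
        current = m.group(1)
        fields[current] = m.group(2).strip()
    return fields


def parse_manifest(value):
    """Turn a Files or Checksums-* value into {filename: (digest, size)}."""
    entries = {}
    for line in value.splitlines():
        parts = line.split()
        if len(parts) >= 3:                        # "<digest> <size> <name>"
            entries[parts[2]] = (parts[0], int(parts[1]))
    return entries


def check_dsc_digests(dsc_text):
    """Return (tag, detail); tag is None when every file carries a strong digest."""
    fields = parse_deb822(strip_clearsign(dsc_text))
    present = [f for f in WEAK_FIELDS + STRONG_FIELDS if f in fields]
    strong = [f for f in STRONG_FIELDS if f in fields]
    if not strong:
        return "no-strong-digests-in-dsc", present
    # Extra check (this example's own): a file named only in a weak field
    # is covered by MD5 or SHA-1 alone, so report it separately.
    weak_names = set()
    for f in WEAK_FIELDS:
        weak_names |= set(parse_manifest(fields.get(f, "")))
    strong_names = set(parse_manifest(fields[strong[0]]))
    missing = sorted(weak_names - strong_names)
    if missing:
        return "file-without-strong-digest", missing
    return None, present


# Constructed sample: a 2008-style Format 1.0 .dsc with MD5 sums only.
WEAK_DSC = "\n".join([
    "Format: 1.0",
    "Source: example-pkg",
    "Binary: example-pkg",
    "Architecture: all",
    "Version: 1.0-1",
    "Maintainer: Example Maintainer <maintainer@example.org>",
    "Files:",
    " " + "0" * 32 + " 1234 example-pkg_1.0.orig.tar.gz",
    " " + "1" * 32 + " 567 example-pkg_1.0-1.diff.gz",
]) + "\n"

# Constructed sample: a current-style clearsigned .dsc with SHA-1 and SHA-256.
STRONG_DSC = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Format: 3.0 (quilt)",
    "Source: example-pkg",
    "Binary: example-pkg",
    "Architecture: all",
    "Version: 1.0-2",
    "Maintainer: Example Maintainer <maintainer@example.org>",
    "Checksums-Sha1:",
    " " + "a" * 40 + " 1234 example-pkg_1.0.orig.tar.gz",
    " " + "b" * 40 + " 890 example-pkg_1.0-2.debian.tar.xz",
    "Checksums-Sha256:",
    " " + "c" * 64 + " 1234 example-pkg_1.0.orig.tar.gz",
    " " + "d" * 64 + " 890 example-pkg_1.0-2.debian.tar.xz",
    "Files:",
    " " + "e" * 32 + " 1234 example-pkg_1.0.orig.tar.gz",
    " " + "f" * 32 + " 890 example-pkg_1.0-2.debian.tar.xz",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "cGxhY2Vob2xkZXI=",                            # stand-in, not a real signature
    "-----END PGP SIGNATURE-----",
]) + "\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DSC), ("strong", STRONG_DSC)):
        print(name, check_dsc_digests(text))
```

Run as a script it reports the weak sample as no-strong-digests-in-dsc and the strong sample as clean; pointed at a real .dsc it only needs the file's text, since the signature is deliberately left unverified, as in Lintian's dpkg-source invocation.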