
Bug#745563: marked as done (debsig-verify: only handles data.tar.gz member, not xz, bz2 or lzma)



Your message dated Sat, 07 Jun 2014 21:34:48 +0000
with message-id <E1WtOGG-0006zd-DG@franck.debian.org>
and subject line Bug#745563: fixed in debsig-verify 0.9
has caused the Debian Bug report #745563,
regarding debsig-verify: only handles data.tar.gz member, not xz, bz2 or lzma
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
745563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745563
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debsig-verify
Version: 0.8
Severity: normal
Tags: patch

debsig-verify only handles a main data archive member of data.tar.gz;
packages can contain bz2, xz or lzma compressed members instead.

Attached is the patch I used to get it to work for me.
diff --exclude TAGS --exclude changelog -ur debsig-verify-0.8.orig/debsig-verify.c debsig-verify-0.8/debsig-verify.c
--- debsig-verify-0.8.orig/debsig-verify.c	2014-04-22 18:25:43.156139964 +0100
+++ debsig-verify-0.8/debsig-verify.c	2014-04-22 18:15:10.605619731 +0100
@@ -38,7 +38,9 @@
 char *deb = NULL;
 FILE *deb_fs = NULL;
 
-char *ver_members[] = { "debian-binary", "control.tar.gz", "data.tar.gz", 0 };
+char *ver_members[] = { "debian-binary", "control.tar.gz", 0 };
+#define DTAR(x) "data.tar." # x
+char *ver_mem_maybe[] = { DTAR(gz), DTAR(xz), DTAR(bz2), DTAR(lzma), 0 };
 
 static char *prog_name = NULL;
 
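Review bot: ver_members still hard-requires "control.tar.gz", so only the
data member gains alternatives here; a package whose control member is
stored as control.tar or control.tar.xz (both named in the 0.9 changelog
further down this page) would still be rejected. ver_mem_maybe also omits
the uncompressed "data.tar". Consider giving the control member the same
candidate-list treatment, and declaring both arrays as
static const char *const, since nothing in this patch writes to them.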
@@ -97,6 +99,7 @@
     int opt_count = 0, t, i, fd;
     struct match *mtc;
     int len;
+    int data_tar = 0;
 
     /* If we don't have any matches, we fail. We don't want blank,
      * take-all rules. This actually gets checked while we parse the
@@ -127,6 +130,22 @@
 	    len -= t;
 	}
     }
+
+    for (i = 0; ver_mem_maybe[i]; i++) {
+        if (!(len = findMember(ver_mem_maybe[i])))
+            continue;
+        while (len > 0){
+            t = fread(buf, 1, sizeof(buf), deb_fs);
+            fwrite(buf, 1, (t > len) ? len : t, fp);
+            len -= t;
+        }
+        data_tar = 1;
+        break;
+    }
+
+    if(!data_tar)
+        goto fail_and_close;
+
     fclose(fp);
     fd = -1;
 
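Review bot: in the new while (len > 0) loop the result of fread() is never
checked, so on a truncated archive or a read error t is 0, len -= t makes
no progress, and the loop spins forever instead of failing. Jump to
fail_and_close when t == 0, and check the fwrite() result as well. The
outer loop also stops at the first name in ver_mem_maybe that findMember()
locates, so an archive carrying more than one data.tar.* member has only
one of them written to fp; rejecting such archives keeps the member that
is checked and the member that is later unpacked the same.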
@@ -209,14 +228,23 @@
 
 static int checkIsDeb(void) {
     int i;
-    if (!findMember("debian-binary"))
-        return 0;
+    const char *mem;
 
-    for (i = 0; ver_members[i]; i++)
-        if (!findMember(ver_members[i]))
-	    return 0;
+    for (i = 0; mem = ver_members[i]; i++)
+        if (!findMember(mem)) {
+            ds_printf(DS_LEV_VER, "Missing archive member %s", mem);
+            return 0;
+        }
 
-    return 1;
+    for (i = 0; mem = ver_mem_maybe[i]; i++)
+        if (findMember(mem))
+            return 1;
+
+    ds_printf(DS_LEV_VER, "Missing archive data member, checked:");
+    for (i = 0; mem = ver_mem_maybe[i]; i++)
+        ds_printf(DS_LEV_VER, "    %s", mem);
+
+    return 0;
 }
 
 static void outputVersion(void) {
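Review bot: the for conditions in checkIsDeb() use a bare assignment,
mem = ver_members[i], as the loop test, which compilers flag under
-Wparentheses and which reads like a mistyped ==. Write
(mem = ver_members[i]) != NULL instead. The function also returns 1 as
soon as any one data member is found and never counts them, so it cannot
notice an archive holding several data.tar.* members.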


-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debsig-verify depends on:
ii  gnupg       1.4.12-7
ii  libc6       2.15-0ubuntu10.33.1
ii  libxmltok1  1.2-3

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2013.04.21

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: debsig-verify
Source-Version: 0.9

We believe that the bug you reported is fixed in the latest version of
debsig-verify, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 745563@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated debsig-verify package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 06 Jun 2014 13:41:13 +0200
Source: debsig-verify
Binary: debsig-verify
Architecture: source amd64
Version: 0.9
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 debsig-verify - Debian package signature verification tool
Closes: 540897 745563 748539
Changes:
 debsig-verify (0.9) unstable; urgency=low
 .
   * New maintainer. Closes: #540897
   * Use '' style quoting instead of unpaired `'.
   * Use italics for pathnames and user replaceable strings.
   * Add missing space before Build-Depends version.
   * Bump Standard-Version to 3.9.5 (no changes needed).
   * Stop making build-indep depend on build-stamp in debian/rules.
   * Stop using a build-stamp in debian/rules.
   * Add dh_installman and dh_link commands.
   * Mark debsig-verify as Enhances dpkg.
   * Sync Priority with archive override (from standard to optional).
   * Use $(CURDIR) instead of $(shell pwd) in debian/rules.
   * Honour user CPPFLAGS, CFLAGS and LDFLAGS.
   * Set build flags via dpkg-buildflags.
   * Switch debian/copyright to machine-readable format 1.0.
   * Add support for control.tar, control.tar.xz, data.tar, data.tar.xz,
     data.tar.bz2 and data.tar.lzma deb members. Closes: #745563
     Based on a patch by Vivek Das Mohapatra <vivek@etla.org>.
   * Do not unnecessarily link against libxmltok, only libxmlparse.
   * Start using libdpkg instead of duplicating code:
     - Add pkg-config and libdpkg-dev to Build-Depends.
     - Add a Built-Using field for libdpkg-dev static linking.
     - Use libdpkg error handling code.
     - Use libdpkg ar handling. This enables ar large file support (LFS).
   * Check return values from functions marked with warn_unused_result.
   * Fix typos (aswell → as well). Closes: #748539
     Thanks to Tomas Pospisek <tpo_deb@sourcepole.ch>.
   * Add Vcs-Browser and Vcs-Git fields.
   * Switch to source format “3.0 (native)”.
   * Create the debian-keyring.gpg testing symlink in a new check target,
     instead of shipping it in the git repository or the release tarballs.
   * Decapitalize package short description.


--- End Message ---
