Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1

To: Niels Thykier <niels@thykier.net>
Cc: 782180@bugs.debian.org, Eddy Petrișor <eddy.petrisor@gmail.com>, Giacomo Catenazzi <cate@debian.org>
Subject: Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
From: Axel Beckert <abe@debian.org>
Date: Fri, 10 Apr 2015 02:22:49 +0200
Message-id: <[🔎] 20150410002248.GE3779@sym.noone.org>
Reply-to: Axel Beckert <abe@debian.org>, 782180@bugs.debian.org
In-reply-to: <[🔎] 55261E6E.8010905@thykier.net>
References: <[🔎] 20150409022409.3038.94576.reportbug@c-crosser.deuxchevaux.org> <[🔎] 55261E6E.8010905@thykier.net>

Hi,

Niels Thykier wrote:
> If you are interested in keeping apt-zip in Jessie, then please include
> a fix for #718376 (I promoted it to grave) and also (have the
> maintainers) commit to maintaining it for Jessie as well.

JFTR: I've had a closer look at #718376 and now that I understand the
control flow, I must say that this bug report doesn't look RC to me
anymore. "This package contains some code to verify .deb files
in the wget method, but it only handles data.tar.gz deb members, it's
at least missing support" sounds scary, yes, but isn't:

* The mentioned code is _only_ run if the downloading system doesn't
  have an md5sum command to verify the provided hashsum.

* The mentioned code only checks for damaged files by using the -t
  (test) option of compressors (gzip, bzip2, xz, etc.) and archivers
  (ar, tar).

* Hence the mentioned code is only some kind of last resort if all
  other checks were not available.

So IMHO this neither compromises integrity (if that code is run,
hashsum based integrity checks already have been skipped) nor does it
abort the script (archive format consistency checks are just skipped
in case of unknown formats). I'd say either "normal", or "important"
at most, as it doesn't really cause a "_major_ effect on the usability
of a package, without rendering it completely unusable to everyone".

I can also say that Guillem's untested patch looks good except that it
misses the ";;" inside the case statement.

But I've found another issue while faking a missing md5sum command:

I've tried to fake that by using '[ "`type xmd5sum`" ]' instead of '[
"`type md5sum`" ]', but unfortunately that test still returns true and
goes down the md5sum road -- at least in dash (and zsh, but not in
bash).

I'm though not yet sure where exactly the bashism is hidden nor what
impact it has when not trying to fake a missing md5sum while md5sum
actually is still there.

Will write a separate bug report for the latter issue, probably when
I've got a proper fix for it.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
  - From: Niels Thykier <niels@thykier.net>

References:
- Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
  - From: Axel Beckert <abe@debian.org>
- Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: NEW changes in stable-new
Next by Date: Bug#782298: unblock: lzlib/1.6-3
Previous by thread: Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
Next by thread: Bug#782180: unblock pre-approval: apt-zip/0.18+nmu1
Index(es):
- Date
- Thread