
Bug#1108356: unblock: rust-sequoia-sop/0.37.2-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rust-sequoia-sop to bring an important
bugfix to trixie. The bug was only reported upstream (not in the
Debian BTS) because upstream fixed it very quickly:

https://gitlab.com/sequoia-pgp/sequoia-sop/-/issues/53
"sqop encrypt is willing to encrypt to a revocation certificate"

[ Reason ]
This (encrypting to an revocation cert) should not work and the
result is nonsense.

[ Impact ]
confusion at best.

[ Tests ]
The package has autopkgtests and has been in sid for 12 days. Also
upstream has an extensive test setup.

[ Risks ]
rust-sequoia-sop is a key package...

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The debdiff appears a bit large when looking at diffstat, but the actual
changes are just very few lines in src/lib.rs:

$ debdiff rust-sequoia-sop_0.37.1-1.dsc rust-sequoia-sop_0.37.2-1.dsc |diffstat
 .cargo_vcs_info.json               |    2 +-
 Cargo.lock                         |    6 +++---
 Cargo.toml                         |    2 +-
 Cargo.toml.orig                    |    2 +-
 NEWS                               |    5 +++++
 debian/cargo-checksum.json         |    2 +-
 debian/changelog                   |    7 +++++++
 debian/control                     |    8 ++++----
 debian/control.debcargo.hint       |    9 ++++-----
 debian/tests/control               |    9 +++++----
 debian/tests/control.debcargo.hint |   10 +++++-----
 src/lib.rs                         |   16 +++++++++++++++-
 12 files changed, 52 insertions(+), 26 deletions(-)

And there is one change in d/control coming from a change in 
debcargo _which would traverse into the source package on the next
source full upload anyway and which was deemed sensible to do
for trixie_:

 Package: sqop
 Architecture: any
-Multi-Arch: allowed

see "#1103920 debcargo makes rust packages violate future Debian 
policy by default by issuing Multi-Arch: allowed" for the full 
story on this.

The full debdiff is attached.

Thanks for all your work on trixie!


unblock rust-sequoia-sop/0.37.2-1

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Try to imagine a future where paying for your morning coffee involved smashing
an iPhone and burning enough fossil fuels to run your entire household for 60
days. That's the environmental cost of the "revolutionary" technology behind
Bitcoin in a nutshell. https://twitter.com/smdiehl/status/1350869944888664064
diff -Nru rust-sequoia-sop-0.37.1/Cargo.lock rust-sequoia-sop-0.37.2/Cargo.lock
--- rust-sequoia-sop-0.37.1/Cargo.lock	1970-01-01 01:00:01.000000000 +0100
+++ rust-sequoia-sop-0.37.2/Cargo.lock	1970-01-01 01:00:01.000000000 +0100
@@ -335,9 +335,9 @@
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.5.14"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
 dependencies = [
  "crossbeam-utils",
 ]
@@ -1352,7 +1352,7 @@
 
 [[package]]
 name = "sequoia-sop"
-version = "0.37.1"
+version = "0.37.2"
 dependencies = [
  "anyhow",
  "sequoia-openpgp",
diff -Nru rust-sequoia-sop-0.37.1/Cargo.toml rust-sequoia-sop-0.37.2/Cargo.toml
--- rust-sequoia-sop-0.37.1/Cargo.toml	1970-01-01 01:00:01.000000000 +0100
+++ rust-sequoia-sop-0.37.2/Cargo.toml	1970-01-01 01:00:01.000000000 +0100
@@ -13,7 +13,7 @@
 edition = "2021"
 rust-version = "1.79"
 name = "sequoia-sop"
-version = "0.37.1"
+version = "0.37.2"
 authors = ["Justus Winter <justus@sequoia-pgp.org>"]
 build = "build.rs"
 autolib = false
diff -Nru rust-sequoia-sop-0.37.1/Cargo.toml.orig rust-sequoia-sop-0.37.2/Cargo.toml.orig
--- rust-sequoia-sop-0.37.1/Cargo.toml.orig	2006-07-24 03:21:28.000000000 +0200
+++ rust-sequoia-sop-0.37.2/Cargo.toml.orig	2006-07-24 03:21:28.000000000 +0200
@@ -1,7 +1,7 @@
 [package]
 name = "sequoia-sop"
 description = "An implementation of the Stateless OpenPGP Interface using Sequoia"
-version = "0.37.1"
+version = "0.37.2"
 authors = [
     "Justus Winter <justus@sequoia-pgp.org>",
 ]
diff -Nru rust-sequoia-sop-0.37.1/.cargo_vcs_info.json rust-sequoia-sop-0.37.2/.cargo_vcs_info.json
--- rust-sequoia-sop-0.37.1/.cargo_vcs_info.json	1970-01-01 01:00:01.000000000 +0100
+++ rust-sequoia-sop-0.37.2/.cargo_vcs_info.json	1970-01-01 01:00:01.000000000 +0100
@@ -1,6 +1,6 @@
 {
   "git": {
-    "sha1": "7cd81f1dd31a7503665794ebe959310864b5307d"
+    "sha1": "b031536c2fc39952ed7c69996e8195eaa447b388"
   },
   "path_in_vcs": ""
 }
\ Kein Zeilenumbruch am Dateiende.
diff -Nru rust-sequoia-sop-0.37.1/debian/cargo-checksum.json rust-sequoia-sop-0.37.2/debian/cargo-checksum.json
--- rust-sequoia-sop-0.37.1/debian/cargo-checksum.json	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/cargo-checksum.json	2025-06-14 13:33:01.000000000 +0200
@@ -1 +1 @@
-{"package":"93ebed43fc546f1a8e18a6e4d51b2174be2993a413104c44d08a78b7bf4ee7a1","files":{}}
+{"package":"f90b7a5e6e3333928338cd68a9caafb5803fda819d551ab7d5e14d8b01010a70","files":{}}
diff -Nru rust-sequoia-sop-0.37.1/debian/changelog rust-sequoia-sop-0.37.2/debian/changelog
--- rust-sequoia-sop-0.37.1/debian/changelog	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/changelog	2025-06-14 13:33:01.000000000 +0200
@@ -1,3 +1,10 @@
+rust-sequoia-sop (0.37.2-1) unstable; urgency=medium
+
+  * Package sequoia-sop 0.37.2 from crates.io using debcargo 2.7.8
+    - fixes https://gitlab.com/sequoia-pgp/sequoia-sop/-/issues/53
+
+ -- Holger Levsen <holger@debian.org>  Sat, 14 Jun 2025 13:33:01 +0200
+
 rust-sequoia-sop (0.37.1-1) unstable; urgency=medium
 
   * Package sequoia-sop 0.37.1 from crates.io using debcargo 2.7.8
diff -Nru rust-sequoia-sop-0.37.1/debian/control rust-sequoia-sop-0.37.2/debian/control
--- rust-sequoia-sop-0.37.1/debian/control	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/control	2025-06-14 13:33:01.000000000 +0200
@@ -51,10 +51,10 @@
  librust-sequoia-sop-0.37+cli-dev (= ${binary:Version}),
  librust-sequoia-sop-0.37+cliv-dev (= ${binary:Version}),
  librust-sequoia-sop-0.37+default-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+cli-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+cliv-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+default-dev (= ${binary:Version})
+ librust-sequoia-sop-0.37.2-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+cli-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+cliv-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+default-dev (= ${binary:Version})
 Description: Stateless OpenPGP Command Line Interface using Sequoia - Rust source code
  sqop offers a Rust-based implementation of the Stateless OpenPGP
  Command Line Interface.
diff -Nru rust-sequoia-sop-0.37.1/debian/control.debcargo.hint rust-sequoia-sop-0.37.2/debian/control.debcargo.hint
--- rust-sequoia-sop-0.37.1/debian/control.debcargo.hint	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/control.debcargo.hint	2025-06-14 13:33:01.000000000 +0200
@@ -49,10 +49,10 @@
  librust-sequoia-sop-0.37+cli-dev (= ${binary:Version}),
  librust-sequoia-sop-0.37+cliv-dev (= ${binary:Version}),
  librust-sequoia-sop-0.37+default-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+cli-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+cliv-dev (= ${binary:Version}),
- librust-sequoia-sop-0.37.1+default-dev (= ${binary:Version})
+ librust-sequoia-sop-0.37.2-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+cli-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+cliv-dev (= ${binary:Version}),
+ librust-sequoia-sop-0.37.2+default-dev (= ${binary:Version})
 Description: Stateless OpenPGP Command Line Interface using Sequoia - Rust source code
  sqop offers a Rust-based implementation of the Stateless OpenPGP
  Command Line Interface.
@@ -65,7 +65,6 @@
 
 Package: sqop
 Architecture: any
-Multi-Arch: allowed
 Section: utils
 Depends:
  ${misc:Depends},
diff -Nru rust-sequoia-sop-0.37.1/debian/tests/control rust-sequoia-sop-0.37.2/debian/tests/control
--- rust-sequoia-sop-0.37.1/debian/tests/control	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/tests/control	2025-06-14 13:33:01.000000000 +0200
@@ -1,14 +1,15 @@
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --features cli
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --features cli
 Features: test-name=librust-sequoia-sop-dev:cli
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --features cliv
-Features: test-name=librust-sequoia-sop-dev:cli
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --features cliv
+Features: test-name=librust-sequoia-sop-dev:cliv
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets
 Features: test-name=librust-sequoia-sop-dev:default
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
+
diff -Nru rust-sequoia-sop-0.37.1/debian/tests/control.debcargo.hint rust-sequoia-sop-0.37.2/debian/tests/control.debcargo.hint
--- rust-sequoia-sop-0.37.1/debian/tests/control.debcargo.hint	2025-04-10 10:12:50.000000000 +0200
+++ rust-sequoia-sop-0.37.2/debian/tests/control.debcargo.hint	2025-06-14 13:33:01.000000000 +0200
@@ -1,24 +1,24 @@
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --all-features
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --all-features
 Features: test-name=rust-sequoia-sop:@
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --no-default-features --features cli
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --no-default-features --features cli
 Features: test-name=librust-sequoia-sop-dev:cli
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --no-default-features --features cliv
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --no-default-features --features cliv
 Features: test-name=librust-sequoia-sop-dev:cliv
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets
 Features: test-name=librust-sequoia-sop-dev:default
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.1 --all-targets --no-default-features
+Test-Command: /usr/share/cargo/bin/cargo-auto-test sequoia-sop 0.37.2 --all-targets --no-default-features
 Features: test-name=librust-sequoia-sop-dev:
 Depends: dh-cargo (>= 31), rustc (>= 1.79), @
 Restrictions: allow-stderr, skip-not-installable
diff -Nru rust-sequoia-sop-0.37.1/NEWS rust-sequoia-sop-0.37.2/NEWS
--- rust-sequoia-sop-0.37.1/NEWS	2006-07-24 03:21:28.000000000 +0200
+++ rust-sequoia-sop-0.37.2/NEWS	2006-07-24 03:21:28.000000000 +0200
@@ -2,6 +2,11 @@
 #+TITLE: sequoia-sop NEWS – history of user-visible changes
 #+STARTUP: content hidestars
 
+* Changes in 0.37.2
+** Notable changes
+   - We now refuse to encrypt to expired certs, and refuse to use
+     expired keys for certifying or signing.
+
 * Changes in 0.37.1
 ** Notable changes
    - The default key generation profile is now
diff -Nru rust-sequoia-sop-0.37.1/src/lib.rs rust-sequoia-sop-0.37.2/src/lib.rs
--- rust-sequoia-sop-0.37.1/src/lib.rs	2006-07-24 03:21:28.000000000 +0200
+++ rust-sequoia-sop-0.37.2/src/lib.rs	2006-07-24 03:21:28.000000000 +0200
@@ -637,7 +637,7 @@
     fn keys(self: Box<Self>, keys: &Keys) -> Result<Certs<'s>> {
         let mut results = vec![];
         for key in &keys.keys {
-            // Get the primary singer.
+            // Get the primary signer.
             let mut primary = match key.primary_key().key().parts_as_secret() {
                 Ok(p) => p.clone(),
                 Err(_) => return Err(Error::BadData),
@@ -820,6 +820,11 @@
             // XXX: https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/119
                 .map_err(|_| Error::KeyCannotSign)?;
 
+            if let RevocationStatus::Revoked(_) = vcert.revocation_status() {
+                // XXX: https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/119
+                return Err(Error::KeyCannotSign);
+            }
+
             let mut one = false;
             for ka in vcert.keys()
                 .supported()
@@ -1046,6 +1051,11 @@
         let vcert =
             cert.with_policy(self.sqop.policy, None)
             .map_err(|_| Error::KeyCannotSign)?;
+
+        if let RevocationStatus::Revoked(_) = vcert.revocation_status() {
+            return Err(Error::KeyCannotSign);
+        }
+
         if let Some(p) = vcert.preferred_hash_algorithms() {
             self.hash_algos.retain(|a| p.contains(a));
         }
@@ -1330,6 +1340,10 @@
         let vcert = cert.with_policy(self.sign.sqop.policy, None)
             .map_err(|_| Error::CertCannotEncrypt)?;
 
+        if let RevocationStatus::Revoked(_) = vcert.revocation_status() {
+            return Err(Error::CertCannotEncrypt);
+        }
+
         // If the recipients has preferences, compute the
         // intersection with our list.
         if let Some(p) = vcert.preferred_hash_algorithms() {
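Review bot: The guard on `vcert.revocation_status()` rejects a revoked recipient, but the NEWS entry in this same debdiff says 0.37.2 refuses to encrypt to *expired* certs, and nothing in the visible change tests liveness: as far as I recall, `with_policy(policy, None)` in Sequoia does not by itself fail on a cert past its expiration (that is `ValidCert::alive()`), so either add `vcert.alive().map_err(|_| Error::CertCannotEncrypt)?;` beside the new check or confirm expiry is already enforced outside this hunk. The encryption-subkey selection that follows should likewise keep `.alive().revoked(false)` in its filter chain, since a subkey-level revocation is not reported by the cert-level status; that code lies past the end of the hunk. A comment `// Refuse revoked recipients (sequoia-sop#53)` would tie the guard to the bug it fixes. The enclosing function starts and ends outside this hunk.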
