Bug#573088: Allow and recommend sha256sums control file

2011-06-04 Thread Niels Thykier
tags 573088 moreinfo
thanks

Hey,

Not sure what is happening with this bug, so I am tagging it moreinfo
for now.

~Niels




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#573088: Allow and recommend sha256sums control file

2010-03-19 Thread Raphael Hertzog
On Mon, 08 Mar 2010, Frank Lin PIAT wrote:
> Please find a patch attached that allows (and recommends) providing
> sha256sums. (During a transition period, we encourage people to
> provide both SHA and MD5, so existing setups don't get broken).

I'm not sure we should push for this right now. On the dpkg Roadmap,
there's already stuff concerning all this:

http://wiki.debian.org/Teams/Dpkg/RoadMap
Merge back debsums:
* Generate checksums at build and install time. 
http://bugs.debian.org/155676
* Store metadata from .deb at install time.
* Add a new dpkg-foo to verify, restore, etc metadata. 

Cheers,
-- 
Raphaël Hertzog

Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/






Bug#573088: Allow and recommend sha256sums control file

2010-03-19 Thread Frank Lin PIAT
Hello Raphael,

On Fri, 2010-03-19 at 09:04 +0100, Raphael Hertzog wrote:
> On Mon, 08 Mar 2010, Frank Lin PIAT wrote:
> > Please find a patch attached that allows (and recommends) providing
> > sha256sums. (During a transition period, we encourage people to
> > provide both SHA and MD5, so existing setups don't get broken).
>
> I'm not sure we should push for this right now. On the dpkg Roadmap,
> there's already stuff concerning all this:
>
> http://wiki.debian.org/Teams/Dpkg/RoadMap
> Merge back debsums:
> * Generate checksums at build and install time.
> http://bugs.debian.org/155676
> * Store metadata from .deb at install time.
> * Add a new dpkg-foo to verify, restore, etc metadata.

I wasn't aware of that roadmap.

I am actually working on an improved proposal that goes far beyond
checksumming, because checksumming isn't enough for security purposes
(file permissions, owner, symlinks...).

Knowing what we want to do is one thing, knowing where we do it is
another issue. We can solve one problem at a time.

Thank you for pointing this out,

Franklin

--
... Unix philosophy: do one thing only, and do it well.







Bug#573088: Allow and recommend sha256sums control file

2010-03-08 Thread Frank Lin PIAT
Package: lintian
Tags: patch

Hello,

As discussed on debian-devel[1], md5sum is not secure anymore and no one
should rely on it for security purposes (which some people do).

Please find a patch attached that allows (and recommends) providing
sha256sums. (During a transition period, we encourage people to
provide both SHA and MD5, so existing setups don't get broken).

The overall status of enabling SHA256 is tracked on the page[2].

Your feedback is welcome (feel free to hack my patch as appropriate),

Thanks,

Franklin


[1] http://lists.debian.org/debian-devel/2010/03/msg00038.html
[2] http://wiki.debian.org/Sha256sumsInPackages
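As an added example (not lintian code and not part of the attached patch), the following Python script generates and verifies a sha256sums control file for an unpacked package tree. It assumes the layout the patch's check parses: one "<hexdigest>  <path>" line per file, paths relative to the package root without a leading "./", and conffiles (listed in DEBIAN/conffiles as absolute paths) left out, as the check notes debhelper does for md5sums. The digest is anchored to 64 hex characters so that an md5sums file carried over unchanged during the transition is rejected at parse time, and the verifier also reports files the control file never covered. The sample package tree it builds is constructed for illustration only.

```python
#!/usr/bin/env python3
"""Generate and verify a sha256sums control file for an unpacked .deb tree.

Added example (not lintian code and not part of the attached patch).
Assumed layout: "<64 hex>  <path>", paths relative to the package root,
no leading "./", conffiles omitted (DEBIAN/conffiles holds absolute paths).
"""
import hashlib
import os
import re
import tempfile

# 64 lowercase hex digits, whitespace, then the path.  Requiring the digest
# length rejects an md5sums file (32 hex digits) copied in during a transition.
SUM_LINE = re.compile(r'^([0-9a-f]{64})\s+(\S.*)$')


def read_conffiles(root):
    """Conffile paths relative to root; DEBIAN/conffiles lists them absolute."""
    path = os.path.join(root, 'DEBIAN', 'conffiles')
    if not os.path.isfile(path):
        return set()
    with open(path) as fh:
        return {line.strip().lstrip('/') for line in fh if line.strip()}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def package_files(root):
    """Regular files under root, skipping the DEBIAN control area and symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic walk order
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == 'DEBIAN':
            dirnames[:] = []
            continue
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # hashing would follow the link target
                continue
            yield os.path.normpath(os.path.join(rel_dir, name))


def generate_sha256sums(root):
    """Text of DEBIAN/sha256sums with conffiles omitted, sorted by path."""
    conffiles = read_conffiles(root)
    rows = [(rel, sha256_of(os.path.join(root, rel)))
            for rel in package_files(root) if rel not in conffiles]
    return ''.join(f'{digest}  {rel}\n' for rel, digest in sorted(rows))


def parse_sha256sums(text):
    """Parse control-file text into {path: digest}; ValueError on a bad line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f'syntax error in sha256sums line {lineno}: {line!r}')
        digest, path = m.groups()
        path = re.sub(r'^\./', '', path)      # tolerate "./usr/bin/foo"
        if path in entries:
            raise ValueError(f'duplicate entry for {path}')
        entries[path] = digest
    return entries


def verify(root, text):
    """Compare an unpacked tree against sha256sums text.

    'unlisted' holds non-conffile files the control file does not cover,
    which a plain `sha256sum -c` run would never mention.
    """
    expected = parse_sha256sums(text)
    conffiles = read_conffiles(root)
    report = {'missing': [], 'modified': [], 'unlisted': []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report['missing'].append(rel)
        elif sha256_of(full) != digest:
            report['modified'].append(rel)
    report['unlisted'] = [rel for rel in package_files(root)
                          if rel not in conffiles and rel not in expected]
    return report


def build_sample_tree():
    """Constructed sample package tree (not a real package) in a temp dir."""
    root = tempfile.mkdtemp(prefix='pkg-')
    files = {
        'usr/bin/hello': b'#!/bin/sh\necho hello\n',
        'usr/share/doc/hello/README': b'sample\n',
        'etc/hello.conf': b'verbose=1\n',       # conffile: must not be listed
        'DEBIAN/conffiles': b'/etc/hello.conf\n',
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    sums = generate_sha256sums(root)
    print(sums, end='')
    with open(os.path.join(root, 'usr/bin/hello'), 'ab') as fh:
        fh.write(b'rm -rf /\n')                  # tamper with an installed file
    print(verify(root, sums))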
From b6566aebe1bc44eaf6339e779ebed09da8a2b835 Mon Sep 17 00:00:00 2001
From: Frank Lin PIAT fp...@klabs.be
Date: Mon, 8 Mar 2010 19:02:22 +0100
Subject: [PATCH] Allow and recommend sha256sums

---
 checks/control-files|1 +
 checks/sha256sums   |  124 +++
 checks/sha256sums.desc  |   63 ++
 collection/sha256sums   |   59 +
 collection/sha256sums.desc  |7 ++
 data/debhelper/dh_commands  |1 +
 t/COVERAGE  |6 ++
 t/debs/deb-format-ancient-file/Makefile |5 +-
 t/debs/deb-format-extra-member/Makefile |5 +-
 t/debs/deb-format-lzma/Makefile |5 +-
 t/debs/deb-format-record-size/Makefile  |5 +-
 t/debs/deb-format-wrong-order/Makefile  |5 +-
 t/debs/description-synopsis-spaces/Makefile |5 +-
 t/debs/fields-malformed-source/Makefile |5 +-
 t/debs/fields-obsolete-relation/Makefile|5 +-
 testset/binary/debian/rules |3 +-
 testset/etcfiles/debian/rules   |   17 
 testset/tags.binary |2 +
 testset/tags.etcfiles   |5 +
 testset/tags.filenames  |3 +
 testset/tags.foo++  |1 +
 testset/tags.libbaz |5 +
 testset/tags.maintainer-scripts |1 +
 testset/tags.scripts|1 +
 24 files changed, 322 insertions(+), 17 deletions(-)
 create mode 100644 checks/sha256sums
 create mode 100644 checks/sha256sums.desc
 create mode 100755 collection/sha256sums
 create mode 100644 collection/sha256sums.desc

diff --git a/checks/control-files b/checks/control-files
index 5a42c77..4bd12f2 100644
--- a/checks/control-files
+++ b/checks/control-files
@@ -34,6 +34,7 @@ my %ctrl_deb =
  postrm= 0755,
  prerm = 0755,
  shlibs= 0644,
+ sha256sums   = 0644,
  symbols   = 0644,
  templates = 0644,
  triggers  = 0644);
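Review bot: the new `sha256sums` entry in %ctrl_deb breaks the alphabetical order the hash otherwise keeps (postrm, prerm, shlibs, symbols, templates, triggers): `sha256sums` sorts before `shlibs`, so the `+ sha256sums = 0644,` line belongs above `shlibs`. The 0644 mode itself is consistent with the neighbouring non-script control files.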
diff --git a/checks/sha256sums b/checks/sha256sums
new file mode 100644
index 000..91584d3
--- /dev/null
+++ b/checks/sha256sums
@@ -0,0 +1,124 @@
+# sha256sums -- lintian check script -*- perl -*-
+
+# Copyright (C) 1998 Christian Schwarz and Richard Braakman
+# Copyright (C) 2010 Frank Lin PIAT
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::sha256sums;
+use strict;
+
+use Lintian::Tags qw(tag);
+use Util;
+
+sub run {
+
+my $pkg = shift;
+my $type = shift;
+
+my $control = control/sha256sums;
+
+my %control_entry;
+my %info_entry;
+my %conffile;
+
+# read in sha256sums info file
+open(C, '', sha256sums) or fail(cannot open sha256sums info file: $!);
+while (C) {
+chop;
+next if m/^\s*$/;
+m/^(\S+)\s*(\S.*)$/ or fail(syntax error in sha256sums info file: $_);
+my $zzsum = $1;
+my $zzfile = $2;
+$zzfile =~ s,^(\./)?,,;
+$info_entry{$zzfile} = $zzsum;
+}
+close(C);
+
+# read in conffiles
+if (-f control/conffiles) {
+open(C, '', control/conffiles)
+   or fail(cannot open control file conffiles: $!);
+while (C) {
+   chop;
+   next if m/^\s*$/;
+   s,^/,,;
+   $conffile{$_} = 1;
+}
+close(C);
+}
+
+# Is there a sha256sums control file?
+unless (-f $control) {
+# ignore if package contains no files
+return 0 if -z sha256sums;
+
+# check if package contains non-conffiles
+# debhelper doesn't create entries in sha256sums
+# for conffiles since
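Review bot: the line parser `m/^(\S+)\s*(\S.*)$/` accepts any non-blank token as the digest, so during the proposed transition a sha256sums file that actually carries 32-character MD5 digests (or is an md5sums file copied under the new name) passes the syntax check and is only caught later, if at all, when individual sums are compared. Anchor the digest to the SHA-256 length, e.g. `m/^([0-9a-f]{64})\s+(\S.*)$/`, and report a malformed line with a tag instead of fail(), which aborts the whole check on a single bad line. Two smaller points in the same loop: `chop` removes the last character unconditionally, so a final line without a trailing newline loses a character of its filename, and `chomp` is the safer choice; and the bareword filehandle `C` is reused a few lines down for conffiles, which works here but is easy to trip over when the check grows.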