Package: lintian
Tags: patch
Hello,
As discussed on debian-devel[1], md5sum is not secure anymore and no one
should rely on it for security purposes (which some people do).
Please find a patch attached that allows (and recommends) providing
sha256sums. (During a transition period, we encourage people to
provide both SHA and MD5, so existing setups don't get broken.)
The overall status of enabling SHA256 is tracked on the page[2].
Your feedback is welcome (feel free to hack my patch as appropriate),
Thanks,
Franklin
[1] http://lists.debian.org/debian-devel/2010/03/msg00038.html
[2] http://wiki.debian.org/Sha256sumsInPackages
From b6566aebe1bc44eaf6339e779ebed09da8a2b835 Mon Sep 17 00:00:00 2001
From: Frank Lin PIAT fp...@klabs.be
Date: Mon, 8 Mar 2010 19:02:22 +0100
Subject: [PATCH] Allow and recommend sha256sums
---
checks/control-files|1 +
checks/sha256sums | 124 +++
checks/sha256sums.desc | 63 ++
collection/sha256sums | 59 +
collection/sha256sums.desc |7 ++
data/debhelper/dh_commands |1 +
t/COVERAGE |6 ++
t/debs/deb-format-ancient-file/Makefile |5 +-
t/debs/deb-format-extra-member/Makefile |5 +-
t/debs/deb-format-lzma/Makefile |5 +-
t/debs/deb-format-record-size/Makefile |5 +-
t/debs/deb-format-wrong-order/Makefile |5 +-
t/debs/description-synopsis-spaces/Makefile |5 +-
t/debs/fields-malformed-source/Makefile |5 +-
t/debs/fields-obsolete-relation/Makefile|5 +-
testset/binary/debian/rules |3 +-
testset/etcfiles/debian/rules | 17
testset/tags.binary |2 +
testset/tags.etcfiles |5 +
testset/tags.filenames |3 +
testset/tags.foo++ |1 +
testset/tags.libbaz |5 +
testset/tags.maintainer-scripts |1 +
testset/tags.scripts|1 +
24 files changed, 322 insertions(+), 17 deletions(-)
create mode 100644 checks/sha256sums
create mode 100644 checks/sha256sums.desc
create mode 100755 collection/sha256sums
create mode 100644 collection/sha256sums.desc
diff --git a/checks/control-files b/checks/control-files
index 5a42c77..4bd12f2 100644
--- a/checks/control-files
+++ b/checks/control-files
@@ -34,6 +34,7 @@ my %ctrl_deb =
postrm= 0755,
prerm = 0755,
shlibs= 0644,
+ sha256sums = 0644,
symbols = 0644,
templates = 0644,
triggers = 0644);
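Review bot: The new `sha256sums` entry is inserted between `shlibs` and `symbols`, which breaks the alphabetical order the rest of the `%ctrl_deb` table keeps (postrm, prerm, shlibs, symbols, templates, triggers); it belongs on the line just before `shlibs`. Keeping the table sorted is what lets a reader spot a missing or duplicated control-file name at a glance, so I would move the line rather than leave it where it is. The `%ctrl_deb` declaration starts above this hunk, so the entry for the existing md5sums file, which this one presumably mirrors in mode, is not visible here and should be checked for consistency.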
diff --git a/checks/sha256sums b/checks/sha256sums
new file mode 100644
index 000..91584d3
--- /dev/null
+++ b/checks/sha256sums
@@ -0,0 +1,124 @@
+# sha256sums -- lintian check script -*- perl -*-
+
+# Copyright (C) 1998 Christian Schwarz and Richard Braakman
+# Copyright (C) 2010 Frank Lin PIAT
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, you can find it on the World Wide
+# Web at http://www.gnu.org/copyleft/gpl.html, or write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+package Lintian::sha256sums;
+use strict;
+
+use Lintian::Tags qw(tag);
+use Util;
+
+sub run {
+
+my $pkg = shift;
+my $type = shift;
+
+my $control = control/sha256sums;
+
+my %control_entry;
+my %info_entry;
+my %conffile;
+
+# read in sha256sums info file
+open(C, '', sha256sums) or fail(cannot open sha256sums info file: $!);
+while (C) {
+chop;
+next if m/^\s*$/;
+m/^(\S+)\s*(\S.*)$/ or fail(syntax error in sha256sums info file: $_);
+my $zzsum = $1;
+my $zzfile = $2;
+$zzfile =~ s,^(\./)?,,;
+$info_entry{$zzfile} = $zzsum;
+}
+close(C);
+
+# read in conffiles
+if (-f control/conffiles) {
+open(C, '', control/conffiles)
+ or fail(cannot open control file conffiles: $!);
+while (C) {
+ chop;
+ next if m/^\s*$/;
+ s,^/,,;
+ $conffile{$_} = 1;
+}
+close(C);
+}
+
+# Is there a sha256sums control file?
+unless (-f $control) {
+# ignore if package contains no files
+return 0 if -z sha256sums;
+
+# check if package contains non-conffiles
+# debhelper doesn't create entries in sha256sums
+# for conffiles since