Package: dput
Version: 1.2.2
Severity: important
Tags: patch
Dear Maintainer,
dput.cf(5) documents a "hash" configuration option, for which "md5" and
"sha" are valid values. The default is "md5". When this option is set
to "sha", dput fails with an error:
$ dput -d local test_0.0.0-1_amd64.changes
[...]
D: File to upload: test_0.0.0-1.dsc
D: Checksum from .changes: 3fb0b53ffd9188eb1115e532c9fcb1f2
D: Generated Checksum: fd3c230d8450f122bc88cb1b19c05f020e969daa
Checksum doesn't match for test_0.0.0-1.dsc
This failure is due to an oversight in dput.py. In the verify_files
function, dput retrieves the hash configuration value and passes it to
checksum_test, which uses the corresponding function from hashlib to
calculate a checksum for a file. When verify_files tests to see that
the checksum is as expected, it always refers to the "Files" section
of the .changes file. This section contains only MD5 checksums; the
SHA-1 checksums are in a separate section, "Checksums-Sha1".
I've confirmed that this issue affects Debian 12.7 (dput 1.1.3) and sid
(dput 1.2.2). I've attached a patch for dput 1.2.2 that fixes the
issue.
Cheers,
Branen
-- System Information:
Debian Release: 12.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armel
Kernel: Linux 6.1.0-25-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dput depends on:
ii python3 3.11.2-1+b1
ii python3-debian 0.1.49
ii python3-gpg 1.18.0-3+b1
ii python3-pkg-resources 66.1.1-1
ii python3-xdg 0.28-2
dput recommends no packages.
Versions of packages dput suggests:
ii lintian 2.116.3
ii mini-dinstall 0.7.2
ii openssh-client 1:9.2p1-2+deb12u3
ii rsync 3.2.7-1
Versions of packages dput is related to:
ii devscripts 2.23.4+deb12u1
ii gnupg 2.2.40-1.1
ii lintian 2.116.3
ii rsync 3.2.7-1
pn ssh <none>
-- no debconf information
--- old/dput.py 2024-07-18 02:08:29.000000000 -0400
+++ new/dput.py 2024-10-05 23:38:27.834995938 -0400
@@ -370,15 +370,29 @@
debug)
# Check the sources
(include_orig_tar_gz, include_tar_gz) = source_check(changes, debug)
- # Check md5sum and the size
- file_list = changes['files'].strip().split("\n")
+ # Check file checksum and size
hash_name = config.get('DEFAULT', 'hash')
+ def file_spec_splitter(file_spec):
+ (check_sum, size, file_name) = file_spec.split()
+ return (check_sum, size, file_name)
+ if hash_name == 'md5':
+ checksum_section = 'files'
+ def file_spec_splitter(file_spec):
+ (check_sum, size, section, priority, file_name) = file_spec.split()
+ return (check_sum, size, file_name)
+ elif hash_name == 'sha':
+ checksum_section = 'checksums-sha1'
+ else:
+ sys.stderr.write("Invalid hash name: {}\n".format(hash_name))
+ sys.exit(1)
+
+ file_list = changes[checksum_section].strip().split("\n")
for file_spec in file_list:
- (check_sum, size, section, priority, file_name) = file_spec.split()
+ (check_sum, size, file_name) = file_spec_splitter(file_spec)
file_path = os.path.join(changes_file_directory, file_name)
if debug:
sys.stdout.write("D: File to upload: {}\n".format(file_path))
if checksum_test(file_path, hash_name) != check_sum:
if debug:
