Your message dated Sun, 05 Mar 2017 12:34:03 +0000
with message-id <e1ckvmr-0002nf...@fasolo.debian.org>
and subject line Bug#856215: fixed in cdebootstrap 0.7.7
has caused the Debian Bug report #856215,
regarding cdebootstrap: since SHA1 removal from Release file, only MD5sums are used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
856215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cdebootstrap
Version: 0.5.8
Severity: grave
Tags: security stretch sid
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin

Hi,

The current Debian 'testing' release - the upcoming 'stretch' release
candidate - removed the SHA1 sums from the Release file. That was
intended to deprecate it in favour of SHA256.

An unintended consequence is that cdebootstrap, when SHA1 sums are
unavailable, falls back to using only the MD5Sum field instead:

http://sources.debian.net/src/cdebootstrap/0.7.6/src/check.c/#L79

    if (item->sum[1])
      return check_sum (target, "sha1sum", item->sum[1], buf_name);
    if (item->sum[0])
      return check_sum (target, "md5sum", item->sum[0], buf_name);

Further context and an overview of related bugs will be published at:
https://wiki.debian.org/InstallerDebacle

Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
--- End Message ---
--- Begin Message ---
Source: cdebootstrap
Source-Version: 0.7.7

We believe that the bug you reported is fixed in the latest version of
cdebootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <wa...@debian.org> (supplier of updated cdebootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 05 Mar 2017 13:09:27 +0100
Source: cdebootstrap
Binary: cdebootstrap cdebootstrap-static
Architecture: source
Version: 0.7.7
Distribution: unstable
Urgency: medium
Maintainer: Bastian Blank <wa...@debian.org>
Changed-By: Bastian Blank <wa...@debian.org>
Description:
 cdebootstrap - Bootstrap a Debian system
 cdebootstrap-static - Bootstrap a Debian system - static binary
Closes: 856212 856213 856215
Changes:
 cdebootstrap (0.7.7) unstable; urgency=medium
 .
 [ Steven Chamberlain ]
 * Implement SHA256 verification of .deb files. (closes: #856212)
 * Implement SHA256 verification of Packages files.
   - Drop fall-back to MD5. (closes: #856215)
 * Check full length of SHA256 digest. (closes: #856213)
 .
 [ Bastian Blank ]
 * Build-depend against correct version of libdebian-installer4-dev.
--- End Message ---
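
The digest selection discussed in the two messages above, as an added C example that is not cdebootstrap's code and not part of the original thread: it puts the quoted SHA1-then-MD5 selection order beside a strict SHA256-only policy and a comparison that requires the full 64-hex-digit digest. The `struct item` layout, slot 2 for SHA256, the function names and the empty-file sample digests are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Slots 0 (MD5) and 1 (SHA1) follow the quoted check.c; slot 2 is assumed. */
enum { SUM_MD5, SUM_SHA1, SUM_SHA256, SUM_COUNT };
static const size_t hex_len[SUM_COUNT] = { 32, 40, 64 };
struct item { const char *sum[SUM_COUNT]; };   /* NULL: field absent */

/* Constructed samples: digests of an empty file. */
#define EMPTY_MD5    "d41d8cd98f00b204e9800998ecf8427e"
#define EMPTY_SHA256 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

/* Selection order of the quoted snippet: the strongest digest *present*
 * wins, so an index without SHA1 silently downgrades to MD5. */
int pick_with_fallback(const struct item *it)
{
    if (it->sum[SUM_SHA1]) return SUM_SHA1;
    if (it->sum[SUM_MD5])  return SUM_MD5;
    return -1;
}

/* Strict policy: SHA256 or refuse, never a weaker digest. */
int pick_strict(const struct item *it)
{
    return it->sum[SUM_SHA256] ? SUM_SHA256 : -1;
}

/* Accept only when both strings are full-length hex for `alg` and equal. */
int digest_matches(int alg, const char *expected, const char *computed)
{
    if (alg < 0 || alg >= SUM_COUNT || !expected || !computed) return 0;
    size_t n = hex_len[alg];
    if (strlen(expected) != n || strlen(computed) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char e = (unsigned char)expected[i];
        unsigned char c = (unsigned char)computed[i];
        if (!isxdigit(e) || tolower(e) != tolower(c)) return 0;
    }
    return 1;
}

/* Fail closed: no SHA256 entry, or a short or mismatching one, is an error. */
int verify_item(const struct item *it, const char *computed_sha256)
{
    int alg = pick_strict(it);
    return alg >= 0 && digest_matches(alg, it->sum[alg], computed_sha256);
}
```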