https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7621
Bug ID: 7621
Summary: GPG signature should be sufficient for update
Product: Spamassassin
Version: 3.4.2
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sa-update
Assignee: dev@spamassassin.apache.org
Reporter: bluew...@xinu.at
Target Milestone: Undefined

I've just upgraded to 3.4.2 and noticed that some third-party channels fail to update. Apparently they only provide a SHA1 hash and no 256 or 512 hashes. They also provide a GPG signature.

I wonder why sa-update requires both a hash and the GPG signature if GPG support is enabled. The GPG signature provides much stronger verification than a simple hash, so I think it should be sufficient for accepting a channel.

The relevant code part is line 799 in sa-update, which reads:

"unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) {"

An example log for the ZMI channel:

Sep 17 14:55:05.459 [3195] dbg: channel: selected mirror http://zmi.sa-channels.pccc.com
Sep 17 14:55:05.459 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz
Sep 17 14:55:05.459 [3195] dbg: http: downloading to: /var/lib/spamassassin/3.004002/sa_zmi_at/398.tar.gz, update
Sep 17 14:55:05.459 [3195] dbg: util: executable for curl was found at /usr/bin/curl
Sep 17 14:55:05.459 [3195] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o 398.tar.gz -z 398.tar.gz -- http://zmi.sa-channels.pccc.com/398.tar.gz
Sep 17 14:55:05.872 [3195] dbg: http: process [3233], exit status: exit 0
Sep 17 14:55:05.872 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.sha512
Sep 17 14:55:05.872 [3195] dbg: http: downloading to: /var/lib/spamassassin/3.004002/sa_zmi_at/398.tar.gz.sha512, new
Sep 17 14:55:05.873 [3195] dbg: util: executable for curl was found at /usr/bin/curl
Sep 17 14:55:05.873 [3195] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o 398.tar.gz.sha512 -- http://zmi.sa-channels.pccc.com/398.tar.gz.sha512
Sep 17 14:55:06.070 [3195] dbg: http: process [3235], exit status: exit 22
Sep 17 14:55:06.071 [3195] dbg: channel: No sha512 file available from http://zmi.sa-channels.pccc.com
Sep 17 14:55:06.071 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.sha256
Sep 17 14:55:06.071 [3195] dbg: http: downloading to: /var/lib/spamassassin/3.004002/sa_zmi_at/398.tar.gz.sha256, new
Sep 17 14:55:06.071 [3195] dbg: util: executable for curl was found at /usr/bin/curl
Sep 17 14:55:06.071 [3195] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o 398.tar.gz.sha256 -- http://zmi.sa-channels.pccc.com/398.tar.gz.sha256
Sep 17 14:55:06.267 [3195] dbg: http: process [3238], exit status: exit 22
Sep 17 14:55:06.267 [3195] dbg: channel: No sha256 file available from http://zmi.sa-channels.pccc.com
Sep 17 14:55:06.267 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.asc
Sep 17 14:55:06.267 [3195] dbg: http: downloading to: /var/lib/spamassassin/3.004002/sa_zmi_at/398.tar.gz.asc, update
Sep 17 14:55:06.267 [3195] dbg: util: executable for curl was found at /usr/bin/curl
Sep 17 14:55:06.267 [3195] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o 398.tar.gz.asc -z 398.tar.gz.asc -- http://zmi.sa-channels.pccc.com/398.tar.gz.asc
Sep 17 14:55:06.467 [3195] dbg: http: process [3252], exit status: exit 0
channel: could not find working mirror, channel failed
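For triaging a failure like the one logged above, the following is an added example, not code from sa-update or from the reporter. It pairs each "http: url:" debug line with the next curl exit status and evaluates a Python transliteration of the quoted line-799 condition. It assumes a variable in that condition is set exactly when the matching download exits 0; the function names and the abbreviated sample log are constructed for illustration.

```python
import re

# Constructed sample: abbreviated from the debug log in the report above
# (mirror selection, "downloading to" and curl command lines omitted).
SAMPLE_LOG = """\
Sep 17 14:55:05.459 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz
Sep 17 14:55:05.872 [3195] dbg: http: process [3233], exit status: exit 0
Sep 17 14:55:05.872 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.sha512
Sep 17 14:55:06.070 [3195] dbg: http: process [3235], exit status: exit 22
Sep 17 14:55:06.071 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.sha256
Sep 17 14:55:06.267 [3195] dbg: http: process [3238], exit status: exit 22
Sep 17 14:55:06.267 [3195] dbg: http: url: http://zmi.sa-channels.pccc.com/398.tar.gz.asc
Sep 17 14:55:06.467 [3195] dbg: http: process [3252], exit status: exit 0
"""

URL_RE = re.compile(r"dbg: http: url: \S+?\.tar\.gz(\.sha512|\.sha256|\.asc)?$")
EXIT_RE = re.compile(r"dbg: http: process \[\d+\], exit status: exit (\d+)$")
KINDS = {None: "content", ".sha512": "SHA512", ".sha256": "SHA256", ".asc": "GPG"}

def fetched_artifacts(log_text):
    """Pair each url line with the next exit status; True means curl exited 0."""
    fetched = dict.fromkeys(KINDS.values(), False)
    pending = None
    for line in map(str.strip, log_text.splitlines()):
        m = URL_RE.search(line)
        if m:
            pending = KINDS[m.group(1)]
            continue
        m = EXIT_RE.search(line)
        if m and pending:
            fetched[pending] = m.group(1) == "0"
            pending = None
    return fetched

def gate_accepts(f, gpg_enabled=True):
    """Transliteration of the condition quoted in the report:
    $content && ($SHA512 || $SHA256) && (!$GPG_ENABLED || $GPG)"""
    return f["content"] and (f["SHA512"] or f["SHA256"]) and (not gpg_enabled or f["GPG"])

def diagnose(log_text, gpg_enabled=True):
    """Name the artifact(s) whose absence makes the gate reject the mirror."""
    f = fetched_artifacts(log_text)
    checks = [(f["content"], "archive"),
              (f["SHA512"] or f["SHA256"], "sha256/sha512 file"),
              (not gpg_enabled or f["GPG"], "GPG signature")]
    missing = [name for ok, name in checks if not ok]
    return "accepted" if not missing else "rejected: missing " + ", ".join(missing)
```

This models only which files were retrieved; it does not check that a digest matches or that a signature verifies.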