Bug#819490: debmirror: SHA256 validating of debian-installer files (patch)

2020-07-07 Thread Bastian Germann 
The merge request was open for 1.5 years. The change is enclosed as
patch which applied on 0b94d0df.
From 4b510c506ced96636b973066de270fce707caa35 Mon Sep 17 00:00:00 2001
From: Bastian Germann 
Date: Fri, 22 Feb 2019 23:48:50 +0100
Subject: [PATCH] Download and validate SHA256SUMS (closes: #819490)

---
 debmirror | 67 ++-
 1 file changed, 37 insertions(+), 30 deletions(-)

diff --git a/debmirror b/debmirror
index 2d12e9e..8018ca2 100755
--- a/debmirror
+++ b/debmirror
@@ -1107,8 +1107,7 @@ foreach my $dist (keys %distset) {
   }
 }

-# Get and parse MD5SUMS files for D-I images.
-# (There are not currently other checksums for these.)
+# Get and parse MD5SUMS/SHA256SUMS files for D-I images.
 di_add_files() if @di_dists;

 # Get Packages and Sources files and other miscellany.
@@ -2942,35 +2941,39 @@ sub di_add_files {

   my $image_dir = "dists/$dist/main/installer-$arch/current/images";
   make_dir ("$tdir/$image_dir");
-  if (!remote_get("$image_dir/MD5SUMS", $tdir)) {
-say("Failed to download $image_dir/MD5SUMS; skipping.");
-return;
-  }
-  if (-f "$tdir/$image_dir/MD5SUMS") {
-$bytes_to_get += -s _; # As we did not have the size earlier
-  }

-  local $/;
-  undef $/; # Read whole file
-  open(FILE, "<", "$tdir/$image_dir/MD5SUMS") or die "$tdir/$image_dir/MD5SUMS: $!";
-  $_ = ;
-  while (m/^([A-Za-z0-9]{32}  .*)/mg) {
-my ($md5sum, $filename) = split(' ', $1, 3);
-$filename =~ s:^\./::;
-if(!(defined($include) && ($image_dir."/".$filename)=~/$include/o)) {
-  next if (defined($exclude) && ($image_dir."/".$filename)=~/$exclude/o);
+  foreach my $sums_fname ("SHA256SUMS", "MD5SUMS") {
+my $sum_name = substr($sums_fname, 0, 6);
+if (!remote_get("$image_dir/$sums_fname", $tdir)) {
+  say("Failed to download $image_dir/$sums_fname; skipping.");
+  return;
 }
+if (-f "$tdir/$image_dir/$sums_fname") {
+  $bytes_to_get += -s _; # As we did not have the size earlier
+}
+
+local $/;
+undef $/; # Read whole file
+open(FILE, "<", "$tdir/$image_dir/$sums_fname") or die "$tdir/$image_dir/$sums_fname: $!";
+$_ = ;
+while (m/^([A-Za-z0-9]+  .+)/mg) {
+  my ($checksum, $filename) = split(' ', $1, 3);
+  $filename =~ s:^\./::;
+  if(!(defined($include) && ($image_dir."/".$filename)=~/$include/o)) {
+next if (defined($exclude) && ($image_dir."/".$filename)=~/$exclude/o);
+  }

-$di_files{$image_dir}{$filename}{md5sum} = $md5sum;
+  $di_files{$image_dir}{$filename}{$sum_name} = $checksum;

-# Check against the version currently on the mirror
-if (check_file(filename => "$image_dir/$filename", size => -1, MD5Sum => $md5sum)) {
-  $di_files{$image_dir}{$filename}{status} = 1;
-} else {
-  $di_files{$image_dir}{$filename}{status} = 0;
+  # Check against the version currently on the mirror
+  if (check_file(filename => "$image_dir/$filename", size => -1, $sum_name => $checksum)) {
+$di_files{$image_dir}{$filename}{status} = 1;
+  } else {
+$di_files{$image_dir}{$filename}{status} = 0;
+  }
 }
+close(FILE);
   }
-  close(FILE);
 }
   }
 }
@@ -2989,7 +2992,9 @@ sub di_get_files {
   $file =~ m:(^.*)/:;
   make_dir ("$tdir/$image_dir/$1") if $1;
   if (!remote_get("$image_dir/$file", $tdir) ||
-  !check_file(filename => "$tdir/$image_dir/$file", size => -1, MD5Sum => $di_files{$image_dir}{$file}{md5sum})) {
+  !check_file(filename => "$tdir/$image_dir/$file", size => -1,
+  SHA256 => $di_files{$image_dir}{$file}{SHA256},
+  MD5SUM => $di_files{$image_dir}{$file}{MD5SUM})) {
 $lres = 0;
 last if (! $do_dry_run);
   }
@@ -3007,9 +3012,11 @@ sub di_get_files {
 unlink "$image_dir/$file" if (-f "$image_dir/$file");
 link("$tdir/$image_dir/$file", "$image_dir/$file");
   }
-  # Move the MD5SUMS file in place on mirror
-  unlink "$image_dir/MD5SUMS" if (-f "$image_dir/MD5SUMS");
-  link("$tdir/$image_dir/MD5SUMS", "$image_dir/MD5SUMS");
+  # Move the checksums file in place on mirror
+  foreach my $sums_fname ("SHA256SUMS", "MD5SUMS") {
+unlink "$image_dir/$sums_fname" if (-f "$image_dir/$sums_fname");
+link("$tdir/$image_dir/$sums_fname", "$image_dir/$sums_fname");
+  }
 } elsif (! $do_dry_run) {
   say("Failed to download some files in $image_dir; not updating images.");
 }
@@ -3026,7 +3033,7 @@ sub di_cleanup {
   chomp $file;
   $file=~s:^\./::;
   if (! exists $di_files{$image_dir} || ! exists $di_files{$image_dir}{$file}) {
-next if (exists $di_files{$image_dir} && $file eq "MD5SUMS");
+next if (exists

Bug#819490: debmirror: SHA256 validating of debian-installer files

2019-02-26 Thread Bastian Germann 
Package: debmirror
Tags: patch

Bug#819490: debmirror: SHA256 validating of debian-installer files

2019-02-22 Thread Bastian Germann 
Package: debmirror

Please have a look at
https://salsa.debian.org/debian/debmirror/merge_requests/4
for a fix of this issue.

Bug#819490: debmirror: SHA256 validating of debian-installer files

2016-03-29 Thread Attila K 
Package: debmirror
Version: 1:2.23
Severity: normal

Dear Maintainer,

Presently, debmirror only validates the content of 
dists/$suite/main/installer-$arch/ with the MD5SUMS file. As MD5 is on the way 
being
phased out, it could eventually cause problems, so SHA256 should be preferred 
here also.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.3.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)