Control: retitle -1 lintian: Check for weak digest algorithms in source packages
Hi Daniel,

thanks for your comments.

Daniel Kahn Gillmor wrote:
> On Sat 2016-05-21 04:57:15 -0400, Axel Beckert wrote:
> > during the (ongoing) Debian Perl Team Sprint, one of the discussed
> > topics was dpkg-source now issuing warnings about weak signatures when
> > extracting source packages. (For some time, in versions 1.18.5 and
> > 1.18.6, it even bailed out, failing to extract source packages as they
> > are currently in Sid -- which is the reason why the default was reverted
> > and it only prints a warning since 1.18.7.) Some more context is in
> > https://bugs.debian.org/823428
>
> fwiw, the lintian check you propose is actually a check for a weak
> digest algorithm in the manifest that a .dsc or .changes file
> represents.

Correct. But the currently implemented variant only checks .dsc files.

I wonder if it makes sense to broaden that check to also check .changes
files:

* AFAIK the archive does not contain/archive .changes files, i.e. the
  check will not trigger for the archive-wide tests as published on
  lintian.debian.org.

* Current dpkg-genchanges versions don't generate .changes files without
  strong digest algorithms.

So this would only make sense if

* Someone uses a current lintian version with an ancient dpkg-dev
  version. Why should someone? And if so, he can't fix it except by
  using a more modern dpkg-dev version.

* Someone tests the result of an alternative dpkg(-dev) implementation
  by checking the results with lintian. AFAIK no such implementation
  exists.

* Someone uploads a package built with an ancient dpkg-dev version to
  ftp.debian.org and there is not yet a check for weak digests at that
  point.

> It does *not* cover any test for a weak signature (so the
> subject line of this bug report is a little off.

Fixed. But that misleading Subject does exist for a reason. See below.

> I'd name the message no-strong-digests-in-dsc, rather than
> no-strong-checksums-in-dsc, but i'd be fine with it as it stands.

We still have the chance to do that as no lintian version has been
released since I initially committed the code. So I changed and pushed
it.

> fwiw, a signed .dsc file itself might also use a weak digest algorithm
> in its signature itself.

Correct. For about the first two hours of working on an implementation
for that check I actually tried to check that -- until I realised that
it's nearly impossible to get that information out of GnuPG, not to
speak of the three Perl interfaces to GnuPG I looked at. Only then did I
realise that the proposer(s) meant something different. That's probably
why the Subject was misleading initially -- I was misled, too. :-)

> I'd love to see an additional check for that, but i guess that's a
> separate question.

And it probably would be a performance penalty, because Lintian
currently passes options to dpkg-source to bypass all (GnuPG) signature
checks. Checking them will cost quite some more time. This might not be
so much of an issue when checking single packages, but it will be an
issue when rechecking all packages in the archive on lintian.debian.org.

Additionally, Lintian would also need a keyring with all the relevant
keys -- especially for source packages in the archive, as they may be
signed with keys that are no longer valid or have been removed from the
keyring.

> > An affected example source package is libclass-default-perl_1.51-2.dsc
> > from the archive: last uploaded in 2008.

Actually, this example package is a very good example, because it
represents both issues mentioned above:

* It's signed with a 1024-bit key which is no longer in the keyring.

* The key has been revoked because it was considered compromised.

> It would be a very good thing indeed, thanks for suggesting it.

IIRC the credit for the idea goes to Niko Tyni. :-)

> > Following is my patch so far (without the test case). I'm not sure if
> > the severity "serious" is the proper value, so please feel free to
> > comment on that.
>
> I agree that it is "serious". This is 2016, we should be requiring
> strong digests.

Good. Let's leave it that way. :-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
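An added worked example of the manifest-side check discussed in the mail above (it is not lintian's code, Axel's patch, or anything else from the thread). It parses a .dsc the way dpkg tooling would see it, strips clearsign armor without verifying the signature (matching what the mail says lintian does), and reports the tag name agreed in the thread, no-strong-digests-in-dsc, when the Files manifest is not backed by a usable Checksums-Sha256 entry for every file. The helper names, the rule "every file listed in Files needs a SHA-256 entry of matching size", and the two sample manifests (with placeholder digests) are this example's own assumptions. Because manifest() tolerates the extra section/priority columns of a .changes Files field, the same check also runs over .changes files, the broadening Axel weighs above.

```python
"""Added example, not lintian's code: flag a .dsc (or .changes) manifest that
carries no usable SHA-256 digests.  Helper names, the "every Files entry needs a
Checksums-Sha256 entry" rule and the sample manifests are assumptions."""
import re

TAG = "no-strong-digests-in-dsc"          # tag name agreed in the thread
STRONG_FIELD = "Checksums-Sha256"
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def strip_clearsign(text):
    """Drop clearsign armor; the signature is NOT verified (lintian skips it)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():    # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # RFC 4880 dash-escape
    return "\n".join(body)


def parse_control(text):
    """One deb822 paragraph -> {field: value}; continuation lines joined by \\n."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed control line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def manifest(field_value):
    """Files / Checksums-* field body -> {filename: (digest, size)}."""
    out = {}
    for line in field_value.splitlines():
        parts = line.split()
        if len(parts) >= 3:   # .changes "Files:" has extra section/priority columns
            out[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return out


def check_strong_digests(text):
    """Return [(tag, detail), ...]; an empty list means the manifest is fine."""
    fields = parse_control(strip_clearsign(text))
    files = manifest(fields.get("Files", ""))
    if not files:
        return [(TAG, "no Files field")]
    strong = manifest(fields.get(STRONG_FIELD, ""))
    if not strong:
        return [(TAG, f"no {STRONG_FIELD} field")]
    findings = []
    for name, (_, size) in files.items():
        entry = strong.get(name)
        if entry is None:
            findings.append((TAG, f"{name} has no SHA-256 entry"))
        elif not SHA256_HEX.match(entry[0]) or entry[1] != size:
            findings.append((TAG, f"{name} has an unusable SHA-256 entry"))
    return findings


# Constructed samples (not real archive files; digests and signature are placeholders).
OLD_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: example-old
Version: 1.0-1
Files:
 0123456789abcdef0123456789abcdef 1024 example-old_1.0.orig.tar.gz
 fedcba9876543210fedcba9876543210 512 example-old_1.0-1.diff.gz
-----BEGIN PGP SIGNATURE-----

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
SHA256_PLACEHOLDER = "0123456789abcdef" * 4     # 64 hex chars, not a real digest
NEW_DSC = f"""Format: 3.0 (quilt)
Source: example-new
Version: 2.0-1
Files:
 0123456789abcdef0123456789abcdef 2048 example-new_2.0.orig.tar.xz
 fedcba9876543210fedcba9876543210 256 example-new_2.0-1.debian.tar.xz
Checksums-Sha256:
 {SHA256_PLACEHOLDER} 2048 example-new_2.0.orig.tar.xz
 {SHA256_PLACEHOLDER} 256 example-new_2.0-1.debian.tar.xz
"""

if __name__ == "__main__":
    for label, dsc in (("old", OLD_DSC), ("new", NEW_DSC)):
        print(label, check_strong_digests(dsc) or "ok")
```

Run as a script it reports the old-style manifest and passes the new one. Note what the checker deliberately does not do: it never looks at the "Hash:" armor header or the signature packet, so it says nothing about the signature's own digest algorithm, which the mail treats as a separate question.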