tags 270439 + patch
thanks

The attached patch adds proper checking to downloaded sources.  This
applies to current CVS, or sbuild 0.42 and other recent versions.

The first hunk takes care of verifying already downloaded sources.  If
this fails, it downloads them again.  This fixes the main issue.

The second hunk verifies /all/ sources prior to a build.  This has the
effect of requiring all .dsc files to verify and be signed.
Currently, we do allow unsigned .dsc files.

The second hunk changes the behaviour of sbuild, but does make it more
secure.


Comments?


Regards,
Roger

-- 
Roger Leigh
                Printing on GNU/Linux?  http://gutenprint.sourceforge.net/
                Debian GNU/Linux        http://www.debian.org/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
Index: sbuild
===================================================================
RCS file: /cvsroot/buildd-tools/sbuild/sbuild,v
retrieving revision 1.96
diff -u -r1.96 sbuild
--- sbuild	12 Mar 2006 18:43:24 -0000	1.96
+++ sbuild	13 Mar 2006 12:08:19 -0000
@@ -473,7 +473,7 @@
 
 	if (!defined($dir) || $dir ne ".") {
 		{
-			if (-f "${pkgv}.dsc") {
+			if (-f "${pkgv}.dsc" && !run_command("dscverify ${pkgv}.dsc >/dev/null", $main::username, 0, 0)) {
 				print PLOG "${pkgv}.dsc exists in cwd\n";
 			}
 			else {
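Review bot: In the changed `if` condition, a failed dscverify is indistinguishable from a missing file: both fall through to the `else` branch and nothing is written to PLOG, so the build log never records that an existing ${pkgv}.dsc was rejected. Consider splitting the test so the failure case prints something like "${pkgv}.dsc exists in cwd but failed verification, fetching again" before the download. Separately, ${pkgv}.dsc is interpolated unquoted into a command string that contains a shell redirection, so the name should be quoted or checked against the allowed package-name characters before it reaches run_command.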
@@ -538,6 +538,10 @@
 		}
 	}
 	
+	if (run_command("dscverify $dscfile >/dev/null", $main::username, 0, 0)) {
+		return( "ERROR", @made );
+	}
+
 	if (!open( F, "<$dscfile" )) {
 		print PLOG "Can't open $dscfile: $!\n";
 		return( "ERROR", @made );
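Review bot: The new dscverify block returns "ERROR" without logging anything, unlike the open() failure directly below it, which prints "Can't open $dscfile: $!" to PLOG. Add a matching line such as `print PLOG "$dscfile failed dscverify\n";` before the return so a rejected or unsigned .dsc can be diagnosed from the log. Since the check is unconditional, it also rejects the unsigned .dsc files that are accepted today, so a configuration switch for it would make the behaviour change easier to roll out. A .dsc that already passed the check in the first hunk is also verified a second time here, and $dscfile has the same unquoted-interpolation concern as in that hunk.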
