Hi,

#508111 highlighted a bug in debsign where a temporary file was generated with a predictable filename due to an incorrect mktemp(1) call. Whilst it doesn't appear that it can be used to overwrite files, if a file of the same name from an earlier attempt to sign the same file (for instance because the first attempt failed during a gpg call) exists then debsign will block forever as mktemp will never return.

The bug was introduced a little while before the freeze and given the size of the diff it was suggested that it might be fixable via t-p-u. I've attached a minimal debdiff against the lenny version of devscripts for consideration.

Thanks,

Adam
diff -Nru devscripts-2.10.35/debian/changelog devscripts-2.10.35/debian/changelog --- devscripts-2.10.35/debian/changelog 2008-07-26 21:57:49.000000000 +0100 +++ devscripts-2.10.35/debian/changelog 2008-12-12 18:25:06.000000000 +0000 @@ -1,3 +1,12 @@ +devscripts (2.10.35-lenny1) testing; urgency=low + + * debsign: Fix a mktemp call to actually generate unique filenames and + avoid blocking forever if the file already exists (for example + because a previous attempt to sign had failed during the GPG phase). + See Debian bug #508111. + + -- Adam D. Barratt <[email protected]> Fri, 12 Dec 2008 18:19:35 +0000 + devscripts (2.10.35) unstable; urgency=low * checkbashisms: Only flag "local x y" and "local foo=bar" when --posix is diff -Nru devscripts-2.10.35/scripts/debsign.sh devscripts-2.10.35/scripts/debsign.sh --- devscripts-2.10.35/scripts/debsign.sh 2008-06-26 19:16:27.000000000 +0100 +++ devscripts-2.10.35/scripts/debsign.sh 2008-12-12 18:26:10.000000000 +0000 @@ -87,7 +87,7 @@ local filename if ! [ -w "$(dirname "$1")" ]; then - filename=`mktemp -t "$(basename "$1").XXXXXXXXXX.$2"` || { + filename=`mktemp -t "$(basename "$1").$2.XXXXXXXXXX"` || { echo "$PROGNAME: Unable to create temporary file; aborting" >&2 exit 1 }
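Review bot: in the debsign.sh hunk, the new template "$(basename "$1").$2.XXXXXXXXXX" moves the $2 suffix in front of the X run, so the temporary file no longer ends in .$2. Please check that nothing later in this function depends on that ending, and add a one-line comment above the mktemp call saying the X's have to stay at the end of the template, so that nobody moves the suffix back later. The "Unable to create temporary file" message could also name the file being signed ("$1"), which would make an abort easier to trace.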

