Debian Bug report logs - #155676
[patch] dynamic sha1sums generation

version graph

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg.

Reported by: Colin Walters <walters@debian.org>

Date: Tue, 6 Aug 2002 17:48:11 UTC

Severity: wishlist

Merged with 155799

Found in version 1.10.4

Fixed in version dpkg/1.16.3

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
New Bug report received and forwarded. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: submit@bugs.debian.org
Subject: [patch] dynamic sha1sums generation
Date: 06 Aug 2002 01:04:23 -0400
[Message part 1 (text/plain, inline)]
Package: dpkg
Tags: patch

Hello, the following patch against the dpkg CVS allows for dynamic SHA1
sums generation at install time, and adds a new command
--verify-sha1sums to verify them.

You'll also need the attached two files (sha.c and sha.h), which I stole
from the GNU textutils source.

I chose SHA1 over using MD5 because I've heard word going around that
while MD5 isn't insecure, it is less secure than previously thought. 
Specifically that if you can control the size of the file as well, it's
easier to find a matching MD5 sum.  Plus, using
/var/lib/dpkg/info/foo.sha1sums avoids a naming conflict with the
foo.md5sums file.

[sha1sums.diff (text/x-patch, attachment)]
[sha.c (text/x-c, attachment)]
[sha.h (text/x-c-header, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 155676@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: [patch] dynamic sha1sums generation
Date: 06 Aug 2002 14:30:03 -0400
On Tue, 2002-08-06 at 01:04, Colin Walters wrote:

> You'll also need the attached two files (sha.c and sha.h), which I stole
> from the GNU textutils source.

I should also probably mention that one of the reasons the patch is so
big is because I had to replcae the lib/md5.{c,h} with the
implementations from the GNU textutils in order to make sha work (sha.h
#includes md5.h to pick up some portability definitions).




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 155676@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: Colin Walters <walters@debian.org>, 155676@bugs.debian.org
Subject: Re: Bug#155676: [patch] dynamic sha1sums generation
Date: Wed, 7 Aug 2002 16:42:36 +1000
On Tue, Aug 06, 2002 at 01:04:23AM -0400, Colin Walters wrote:
> I chose SHA1 over using MD5 because I've heard word going around that
> while MD5 isn't insecure, it is less secure than previously thought. 
> Specifically that if you can control the size of the file as well, it's
> easier to find a matching MD5 sum.  

AIUI, that's usually avoided by listing the file size as well as the
md5sum. At the very least listing the expected file size gives you a
very easy check for a lot of accidental corruption.

> Plus, using
> /var/lib/dpkg/info/foo.sha1sums avoids a naming conflict with the
> foo.md5sums file.

Wouldn't it be more sensible to put it in

	/var/lib/dpkg/checksums/foo.sha1

or similar?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #20 received at 155676@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: patch] dynamic sha1sums generation
Date: 07 Aug 2002 13:56:36 -0400
[ No need to CC me, despite what the BTS does to Reply-To ]

On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:

> AIUI, that's usually avoided by listing the file size as well as the
> md5sum. At the very least listing the expected file size gives you a
> very easy check for a lot of accidental corruption.

True.  And actually any weaknesses in MD5 are rather irrelevant for this
particular case, because a hostile attacker will be able to simply
replace any of the checksum files they want.  But I think it's a good
idea to push SHA1 in general, so I used it.  It would however be pretty
trivial to modify the patch to use MD5, and to include the file size.

> Wouldn't it be more sensible to put it in
> 
> 	/var/lib/dpkg/checksums/foo.sha1

Yes it would.  Thanks.  I just did that in my local version; I'll send
in a new patch after any other changes the dpkg maintainers require are
made.




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #25 received at 155676@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: Ian Turner <vectro@pipeline.com>, 155676@bugs.debian.org
Subject: Re: Bug#155799: dpkg should keep md5sum of installed files
Date: 07 Aug 2002 13:59:07 -0400
severity 155799 normal
merge 155799 155676
thanks

On Wed, 2002-08-07 at 11:47, Ian Turner wrote:
> Package: dpkg
> Version: 1.10.4
> Severity: wishlist
> 
> Functionality equivalent to RPM's -y parametre would be most useful.
> 
> RPM keeps an MD5 of all installed files, along with other metadata
> (size, permissions, etc.). This can then be compared with the actual
> installed files with rpm -y.

Heh.  See bug #155676, just submitted yesterday.





Merged 155676 155799. Request was from Colin Walters <walters@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #32 received at 155676@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: patch] dynamic sha1sums generation
Date: Thu, 8 Aug 2002 17:35:35 +1000
On Wed, Aug 07, 2002 at 01:56:36PM -0400, Colin Walters wrote:
> On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:
> True.  And actually any weaknesses in MD5 are rather irrelevant for this
> particular case, because a hostile attacker will be able to simply
> replace any of the checksum files they want.  

Well, unless you backup /var/lib/dpkg/checksums/ to WORM media, like
a CD ROM or paper.

I had the coolest little "hack" that'd let you verify large numbers
of md5sums by hand from paper once... (think binary-trees, and md5sums
of md5sums)

But the key part of this is to have dpkg generate the md5sums at install
time. I suppose it'd actually be handy if you could generate the md5sums
just from the .deb without having to unpack it, too.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@verbum.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #37 received at 155676@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@verbum.org>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: patch] dynamic sha1sums generation
Date: 08 Aug 2002 13:11:12 -0400
On Thu, 2002-08-08 at 03:35, Anthony Towns wrote:

> Well, unless you backup /var/lib/dpkg/checksums/ to WORM media, like
> a CD ROM or paper.

True enough.

> But the key part of this is to have dpkg generate the md5sums at install
> time.

Right.

> I suppose it'd actually be handy if you could generate the md5sums
> just from the .deb without having to unpack it, too.

Hmm, without having to install it, you mean?  That probably would be
useful.  I'll see about adding that, but it will probably require
learning more about dpkg internals than I have so far...




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Jason Gunthorpe <jgg@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #42 received at 155676@bugs.debian.org (full text, mbox):

From: Jason Gunthorpe <jgg@debian.org>
To: Anthony Towns <aj@azure.humbug.org.au>, 155676@bugs.debian.org
Cc: Dpkg Development <debian-dpkg@lists.debian.org>, Colin Walters <walters@debian.org>
Subject: Re: Bug#155676: patch] dynamic sha1sums generation
Date: Thu, 08 Aug 2002 11:08:48 -0600 (MDT)
On Thu, 8 Aug 2002, Anthony Towns wrote:

> But the key part of this is to have dpkg generate the md5sums at install
> time. I suppose it'd actually be handy if you could generate the md5sums
> just from the .deb without having to unpack it, too.

While someone is doing this, I think it would be nice to store a proper
filelist that has MD5, size, permissions, symlinks, major/minor and
directories.

That way it can be quite usefull for all sorts of accidents.

Jason




Severity set to `wishlist'. Request was from Thomas Hood <jdthood@yahoo.co.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to Andre Luis Lopes <andrelop@ig.com.br>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>, dpkg@packages.qa.debian.org. Full text and rfc822 format available.

Message #49 received at 155676@bugs.debian.org (full text, mbox):

From: Andre Luis Lopes <andrelop@ig.com.br>
To: 155676@bugs.debian.org
Subject: Status of dpkg's checksum support
Date: Sat, 29 Mar 2003 21:43:15 -0300
[Message part 1 (text/plain, inline)]
Hi dpkg team,

Could you please shed some light on how's dpkg checksum support going ?
I see that in dpkg's TOD file there's an entry like :

* store checksums and stat data in per-file flags

I think it's related to this bug and I would be glad to see it being
added to dpkg. I had a short conversation with Colin Walters on #debian
today and asked him about the status of this feature.

Colin told me that dpkg developers seemed to be interested at first but
he didn't heard back from them since then.

Any news ?

-- 
++----------------------------------------------------------------------++
||  André Luís Lopes                   andrelop@ig.com.br               ||
||  Debian-BR Project                  http://debian-br.cipsga.org.br   ||
||  Public GPG KeyID                   9D1B82F6                         ||
||  Keyserver                          wwwkeys.eu.pgp.net               ||
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to "Mark T.B. Carroll" <Mark.Carroll@Aetion.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>. Full text and rfc822 format available.

Message #54 received at 155676@bugs.debian.org (full text, mbox):

From: "Mark T.B. Carroll" <Mark.Carroll@Aetion.com>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: patch] dynamic sha1sums generation
Date: Wed, 11 May 2005 15:05:48 -0400 (EDT)
On Thu, 8 Aug 2002, Anthony Towns wrote:

> But the key part of this is to have dpkg generate the md5sums at install
> time.

Maybe it could even just make extra /var/lib/dpkg/info/*.md5sums files
instead of needing to maintain a separate database?

-- Mark



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Development <debian-dpkg@lists.debian.org>:
Bug#155676; Package dpkg. Full text and rfc822 format available.

Acknowledgement sent to "Mark T.B. Carroll" <Mark.Carroll@Aetion.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Development <debian-dpkg@lists.debian.org>. Full text and rfc822 format available.

Message #59 received at 155676@bugs.debian.org (full text, mbox):

From: "Mark T.B. Carroll" <Mark.Carroll@Aetion.com>
To: 155676@bugs.debian.org
Subject: Re: Bug#155676: Info received (was Bug#155676: patch] dynamic sha1sums generation)
Date: Wed, 11 May 2005 17:37:16 -0400 (EDT)
I suppose I should have added that what I'm suggesting is something like a
"debsums --generate=keep" after the package is unpacked if there isn't
already a /var/lib/dpkg/info/*.md5sums in it.

-- Mark




Blocking bugs added: 155676 and 155799 Request was from Manoj Srivastava <srivasta@golden-gryphon.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#155676; Package dpkg. (Mon, 08 Mar 2010 07:24:03 GMT) Full text and rfc822 format available.

Message #64 received at 155676@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@erisian.com.au>
To: debian-devel@lists.debian.org
Subject: Re: md5sums files
Date: Sun, 7 Mar 2010 05:22:22 +1000
[Message part 1 (text/plain, inline)]
(I'm not subscribed to this list, so go ahead and Cc me)

On Thu, Mar 4, 2010 at 02:05, Peter Samuelson <peter@p12n.org> wrote:
> [Wouter Verhelst]
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums.
> The surprising part, perhaps, is that dpkg itself didn't just generate
> the other 143 md5sums files at installation time.

The easy (and usually correct) reason for things like that is "dpkg's
source is scary".

> I suggested this a long time ago and of course was met with "so where's
> your patch?"  Of course I was not willing to do the work.

See? Anyway, my patch is attached. It makes dpkg create a "foo.hashes"
when unpacking foo, whose contents looks like:

MD5:32b5e22f8e336b2f34e0dd87652e6dfc  usr/share/doc/mawk/changelog.gz
MD5:87a34f1f55ac3f7fec2c7fc82565e8eb  usr/share/doc/mawk/changelog.Debian.gz
...

Verification is a matter of something like:

$ cat /var/lib/dpkg/info/*.hashes | sed -n 's/^MD5://p' | (cd /;
md5sum -c) | grep -v ': OK$'

There's an option (--hash) that you can set to "none" to avoid
spending time calculating md5s if you so choose. Adding support for
sha1/sha256/whatever should be straightforward; afaik dpkg only has
code for md5 already built in though (though just invoking
/usr/bin/sha1sum etc would be an option of course).

Of course another option is just to pull the md5sums directly from the deb:

$ ar p /var/cache/apt/archives/ifupdown_0.6.9_i386.deb data.tar.gz |
    tar --to-command='printf "%s%s\n" "$(md5sum - | sed s/-$//)"
"${TAR_FILENAME#./}"'  -xzf - |
    diff - /var/lib/dpkg/info/ifupdown.md5sums
1,3d0
< 346208729633adf45e2fa3f2bd3b19c6  etc/init.d/ifupdown
< c6fffaae03271f1641920105ce68796b  etc/init.d/ifupdown-clean
< fab851ca87c5deb9d6f665e610184648  etc/default/ifupdown
4a2
> a0f11cf1809a468c49b72e0aa0a8e26b  sbin/ifup

(md5sums doesn't normally list conffiles, but does list hardlinks; the
above command does the opposite)

> But
> fundamentally, shipping a md5sums file is really just a tradeoff in
> download size vs. installation speed, not unlike gzip vs. bzip2.

Advantages of doing in when unpacking:
 - choice of checksum is the admin's decision
 - we can quickly roll out support for sha1/sha256/crc/... checksums
by just changing one package
 - admin has hashes of exactly what was unpacked, no matter the source
 - no concerns about bugs in dh_md5sums or similar resulting in bad checksums

Advantages of doing it when uploading:
 - provides some sort of double check of what's being uploaded
 - saves CPU time on users' machines

For me, I'd rather have dpkg generate the hashes.

Cheers,
aj

--
Anthony Towns <aj@erisian.com.au>
[hashes.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#155676; Package dpkg. (Mon, 08 Mar 2010 07:24:05 GMT) Full text and rfc822 format available.

Message #67 received at 155676@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@erisian.com.au>
To: Goswin von Brederlow <goswin-v-b@web.de>
Cc: debian-devel@lists.debian.org
Subject: Re: md5sums files
Date: Sun, 7 Mar 2010 16:24:07 +1000
[Message part 1 (text/plain, inline)]
On Sun, Mar 7, 2010 at 10:28, Goswin von Brederlow <goswin-v-b@web.de> wrote:
> Anthony Towns <aj@erisian.com.au> writes:
>> Advantages of doing it when uploading:
>>  - provides some sort of double check of what's being uploaded
>>  - saves CPU time on users' machines
>   - avoids having bad checksums due to the user having bad hardware
>     (which is one big use case of the files)

"Big"? It only makes a difference if:
  a) the corruption happens as soon as it's written, not after some time
  b) the file is too big/the system is too loaded to keep the file in
the page cache
  c) the system memory is corrupted just enough to screw the file but
not everything else

Compared to random "make install" invocations changing files in the
system and similar, that doesn't strike me as a big use case.

In any event, it's fairly easy to generate the checksum in the same
pass as generating the file, see the attached patch. (It's not as easy
to generalise to other hashes as the previous one, unfortunately)

If you're still worried, perhaps about having read() return bogus data
from the .deb that happens to still be valid when passed through
ungzip and untar and after you've already verified the entire file by
md5/sha1/sha256 when downloading, you're getting to the point of
trying to safely install on an actively malicious system, and
nothing's going to make that work.

Cheers,
aj

-- 
Anthony Towns <aj@erisian.com.au>
[hashes2.patch (text/x-patch, attachment)]

Removed tag(s) patch. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 06 May 2010 13:33:15 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Fri, 27 Apr 2012 08:33:22 GMT) Full text and rfc822 format available.

Message sent on to Colin Walters <walters@debian.org>:
Bug#155676. (Fri, 27 Apr 2012 08:33:27 GMT) Full text and rfc822 format available.

Message #74 received at 155676-submitter@bugs.debian.org (full text, mbox):

From: Guillem Jover <guillem@debian.org>
To: 155676-submitter@bugs.debian.org
Subject: Bug#155676 marked as pending
Date: Fri, 27 Apr 2012 08:31:56 +0000
tag 155676 pending
thanks

Hello,

Bug #155676 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=0e8bcc3

---
commit 0e8bcc32c9f037a2ca60a10211a65e3b8cca6018
Author: Guillem Jover <guillem@debian.org>
Date:   Thu Mar 22 21:31:55 2012 +0100

    dpkg: Generate md5sums info files if none were present in the binary package
    
    This is the first step in allowing to verify installed package files
    consistency. Next step will be to track file metadata and then add
    options to verify the requested packages.
    
    Closes: #155676, #155799

diff --git a/debian/changelog b/debian/changelog
index 3016750..d3f3626 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -40,6 +40,8 @@ dpkg (1.16.3) UNRELEASED; urgency=low
   * Compute the md5sum hash on unpack for empty files too, so that these
     can be checked correctly for matching content when installing multiple
     package instances.
+  * Generate md5sums files automatically at unpack time if missing from the
+    binary package. Closes: #155676, #155799
 
   [ Helge Kreutzmann ]
   * Fix a typo in man/dpkg-buildflags.1.




Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Fri, 27 Apr 2012 08:51:32 GMT) Full text and rfc822 format available.

Notification sent to Colin Walters <walters@debian.org>:
Bug acknowledged by developer. (Fri, 27 Apr 2012 08:51:35 GMT) Full text and rfc822 format available.

Message #79 received at 155676-close@bugs.debian.org (full text, mbox):

From: Guillem Jover <guillem@debian.org>
To: 155676-close@bugs.debian.org
Subject: Bug#155676: fixed in dpkg 1.16.3
Date: Fri, 27 Apr 2012 08:47:46 +0000
Source: dpkg
Source-Version: 1.16.3

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive:

dpkg-dev_1.16.3_all.deb
  to main/d/dpkg/dpkg-dev_1.16.3_all.deb
dpkg_1.16.3.dsc
  to main/d/dpkg/dpkg_1.16.3.dsc
dpkg_1.16.3.tar.bz2
  to main/d/dpkg/dpkg_1.16.3.tar.bz2
dpkg_1.16.3_amd64.deb
  to main/d/dpkg/dpkg_1.16.3_amd64.deb
dselect_1.16.3_amd64.deb
  to main/d/dpkg/dselect_1.16.3_amd64.deb
libdpkg-dev_1.16.3_amd64.deb
  to main/d/dpkg/libdpkg-dev_1.16.3_amd64.deb
libdpkg-perl_1.16.3_all.deb
  to main/d/dpkg/libdpkg-perl_1.16.3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 155676@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 27 Apr 2012 10:10:10 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.3
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 21722 155676 155799 552517 588077 664964 665050 666752 667037 669012 669047 670048
Changes: 
 dpkg (1.16.3) unstable; urgency=low
 .
   [ Guillem Jover ]
   * Do not look for newline beyond the read buffer on dpkg-deb extract.
   * Check update-alternative name and link arguments for all commands.
     Closes: #665050
   * Check all dpkg-divert filename arguments to be absolute and to not
     contain newlines. Closes: #21722
   * Print errors while reading the file list files on a new line instead
     of just after the progress percentage. Closes: #552517
   * Document in dpkg-source(1) that patches for source format “3.0 (quilt)”
     are expected to apply without any fuzz. Closes: #666752
     Based on a patch by Luca Capello <luca@pca.it>.
   * Remove redundant -Wformat-security from default dpkg-buildflags, which
     is already implied by -Werror=format-security. Closes: #664964
     Suggested by Peter Eisentraut <petere@debian.org>.
   * Document in dpkg-query(1) that commands producing multiple paragraphs
     will preserve the order of the packages specified on the argument list.
   * Change start-stop-daemon --exec on GNU/Hurd, FreeBSD, NetBSD, OpenBSD
     and Solaris to check for executables matching device and inode numbers
     instead of filenames.
   * Change start-stop-daemon --name on GNU/Hurd to check the process' argv[1]
     in addition to argv[0], to handle both binaries and interpreted scripts.
     Reported by Mats Erik Andersson <mats.andersson@gisladisker.se>.
   * Handle deb format versions as major.minor integers instead of strings or
     floats, the latter being susceptible to parsing errors depending on the
     current locale (although this was only affecting the old deb format).
   * Ignore the minor format version number for deb-split format, unifying
     the behaviour with the deb format.
   * Add support for an abitable containing arch attribute overrides.
   * Add x32 support to abitable, ostable and triplettable. Closes: #667037
   * Fix start-stop-daemon to work with relative --exec arguments and --chdir.
     Closes: #669047
   * Ignore request to rename a file owned by the diverting package on
     «dpkg-divert --add --rename». Closes: #588077
   * Clarify dpkg-gensymbols(1) by way of examples that architecture wildcards
     are supported in symbols files. Closes: #670048
   * Fix memory leak due to Dpkg::Control objects not being garbage-collected.
     Thanks to Ben Harris <bjh21@cam.ac.uk>. Closes: #669012
   * Compute the md5sum hash on unpack for empty files too, so that these
     can be checked correctly for matching content when installing multiple
     package instances.
   * Generate md5sums files automatically at unpack time if missing from the
     binary package. Closes: #155676, #155799
   * Add missing list and md5sums database file checks to «dpkg --audit».
 .
   [ Helge Kreutzmann ]
   * Fix a typo in man/dpkg-buildflags.1.
 .
   [ Updated dpkg translations ]
   * French (Christian Perrier).
   * German (Sven Joachim).
   * Swedish (Peter Krefting).
 .
   [ Updated dselect translations ]
   * French (Christian Perrier).
   * German (Sven Joachim).
   * Swedish (Peter Krefting).
 .
   [ Updated scripts translations ]
   * French (Christian Perrier).
   * Swedish (Peter Krefting).
 .
   [ Updated scripts translations ]
   * French (Christian Perrier).
   * German (Helge Kreutzmann).
   * Swedish (Peter Krefting).
Checksums-Sha1: 
 bb4963fae9946db782220765afbd3743d1896383 1362 dpkg_1.16.3.dsc
 b82a62c1b5e85adcc947f28a264ef7b7ee8580ca 5599915 dpkg_1.16.3.tar.bz2
 29a3fc00855cd8a0365acb11d473b7bf82bed6d5 640096 libdpkg-dev_1.16.3_amd64.deb
 153ac818bcd482b1d42e8823ed4f9334dd40db20 2354904 dpkg_1.16.3_amd64.deb
 4cf4bb413809e3981900ef03a664891bc180b397 1079334 dselect_1.16.3_amd64.deb
 e2d9f21746f0ba2f803fff16f215eb65b56a6792 1184282 dpkg-dev_1.16.3_all.deb
 475bfac569ad4865bf5c9a134b6d55c3e63a85b7 881242 libdpkg-perl_1.16.3_all.deb
Checksums-Sha256: 
 d49eb619ebe10cfdf0ab13ab59a627518ae57e1b3d793ab05f23f105060a44f6 1362 dpkg_1.16.3.dsc
 8048890ca92a3ca317a4fdd557f8e9b2b3ce560743e8e70813496f9a7096d8d8 5599915 dpkg_1.16.3.tar.bz2
 83571879e30c5ee19f17038adb2b3d88604ddeec0d0bd60623c6a4e303782fa3 640096 libdpkg-dev_1.16.3_amd64.deb
 ccfa31ca47729ed42f79367cfa9e6ae3dc5b76616e1708d190c52a1b0f768b26 2354904 dpkg_1.16.3_amd64.deb
 c86ceea341dca6704dc5b4fe63fc9c262751a9fa654d73930acc691c25dec379 1079334 dselect_1.16.3_amd64.deb
 352173d2e19d4b40c0e596e01a5bc41e4f24e8c2514020e73adc38bba9ef7bb0 1184282 dpkg-dev_1.16.3_all.deb
 a25a757012281ce83dde6a727cf1587f18a670c63186964c3192ffc617b94f50 881242 libdpkg-perl_1.16.3_all.deb
Files: 
 c48022e8aacde7046c5b8b9163fea8cb 1362 admin required dpkg_1.16.3.dsc
 20189e2926ada3dda4f77ef2e36999af 5599915 admin required dpkg_1.16.3.tar.bz2
 525113c10668ca1edeccf81f63300562 640096 libdevel optional libdpkg-dev_1.16.3_amd64.deb
 a7096c5f626d1fa1d5cc5b3d0e94f9c7 2354904 admin required dpkg_1.16.3_amd64.deb
 c276e506628a9c218a8fc25343fef1f7 1079334 admin optional dselect_1.16.3_amd64.deb
 e269f80cd82dc477cfeae69edfa07129 1184282 utils optional dpkg-dev_1.16.3_all.deb
 4251ef6c75be3087e2202f4803d4df7a 881242 perl optional libdpkg-perl_1.16.3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+aV7YACgkQuW9ciZ2SjJu8OwCfTAK3+/za0kD9SwhYkxrsVwwF
0YQAoKt6GKTLul6ylFX21YTBbfegF/Xw
=cztM
-----END PGP SIGNATURE-----





Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Fri, 27 Apr 2012 08:51:39 GMT) Full text and rfc822 format available.

Notification sent to Ian Turner <vectro@pipeline.com>:
Bug acknowledged by developer. (Fri, 27 Apr 2012 08:51:39 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jun 2012 07:46:22 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:13:37 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.