Debian Bug report logs - #707820
pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository

Package: pristine-tar; Maintainer for pristine-tar is Tomasz Buchert <tomasz@debian.org>; Source for pristine-tar is src:pristine-tar.

Reported by: Christian Perrier <bubulle@debian.org>

Date: Sat, 11 May 2013 13:45:02 UTC

Severity: important

Found in version pristine-tar/1.25

Fixed in versions pristine-tar/1.28, pristine-tar/1.25+deb7u1

Done: Ivo De Decker <ivo.dedecker@ugent.be>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, pkg-fonts-devel@lists.alioth.debian.org, Joey Hess <joeyh@debian.org>:
Bug#707820; Package pristine-tar. (Sat, 11 May 2013 13:45:06 GMT)


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
New Bug report received and forwarded. Copy sent to pkg-fonts-devel@lists.alioth.debian.org, Joey Hess <joeyh@debian.org>. (Sat, 11 May 2013 13:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository
Date: Sat, 11 May 2013 15:41:35 +0200
Package: pristine-tar
Version: 1.25
Severity: normal

Hello Joey,

/me and my fellow co-maintainers of font packages are happily
switching to git for our packages maintenance.

As of now, things went well, but today I ran into a problem I can't
solve alone with the fonts-android git repository.

The repo is:
gbp-clone git+ssh://git.debian.org/git/pkg-fonts/fonts-android.git

Running "git-buildpackage --git-pristine-tar" there fails with:
dh clean
dh_testdir
dh_auto_clean
dh_clean
paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195.
pristine-tar: command failed: pristine-xz --no-verbose --no-debug --no-keep genxz /tmp/pristine-tar.fSCIGUDGxo/wrapper /tmp/pristine-tar.Q9SQAWvPld/fonts-android_4.2.r1.orig.tar.xz.tmp
pristine-tar: failed to generate tarball
gbp:error: Couldn't checkout "fonts-android_4.2.r1.orig.tar.xz": /usr/bin/pristine-tar returned 255

Manually running pristine-tar gives the same result:
bubulle@sesostris:~/src/debian/pkg-fonts/git/fonts-android(master) $ pristine-tar checkout ../fonts-android_4.2.r1.orig.tar.xz
paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195.
pristine-tar: command failed: pristine-xz --no-verbose --no-debug --no-keep genxz /tmp/pristine-tar.vQaW96SfM9/wrapper /tmp/pristine-tar.eUl5Ardku2/fonts-android_4.2.r1.orig.tar.xz.tmp
pristine-tar: failed to generate tarball


My build machine is still running wheezy and therefore has
pristine-tar version 1.25

My fellow co-maintainers do not have this problem with a sid machine
(and pristine-tar 1.28).

Is that a known problem?



-- System Information:
Debian Release: jessie/sid
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pristine-tar depends on:
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.17-1
ii  perl-modules  5.14.2-21
ii  xdelta        1.1.3-9
ii  zlib1g        1:1.2.8.dfsg-1

Versions of packages pristine-tar recommends:
ii  bzip2     1.0.6-4
ii  pbzip2    1.1.8-1
ii  xz-utils  5.1.1alpha+20120614-2

pristine-tar suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#707820; Package pristine-tar. (Sat, 11 May 2013 15:24:04 GMT)


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. (Sat, 11 May 2013 15:24:04 GMT)


Message #10 received at 707820@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Christian Perrier <bubulle@debian.org>, 707820@bugs.debian.org
Subject: Re: Bug#707820: pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository
Date: Sat, 11 May 2013 11:21:31 -0400
Christian Perrier wrote:
> My build machine is still running wheezy and therefore has
> pristine-tar version 1.25
> 
> My fellow co-maintainers do not have this problem with a sid machine
> (and pristine-tar 1.28).
> 
> Is that a known problem?

pristine-tar only allows whitelisted command parameters in its delta
files. This is to prevent a bad actor publishing a git repository that
unexpectedly emails them your gpg private key or something[1].

This means that as new features of compression programs get supported in
pristine-tar, it has to whitelist them, and older versions will then not
be able to check out those tarballs. Of course, other bug fixes in
pristine-tar can also cause the same effect.

The only solution I can see is for someone to backport pristine-tar for
wheezy, if they need to use it for development with others who are using
the newer version.

The actual bug here, which I've fixed in git, is that the error message
is wrong! The param it is actually rejecting is --check=crc64

-- 
see shy jo

[1] assuming gzip or xz one day conform to the maxim that all programs
    grow to the point that they can send email
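
The parameter check described in the message above, as an added example that is not part of the original thread and is not pristine-tar's own code. The two allowlists, the function names and the sample parameters are assumptions made for illustration; the older list models a release that does not yet accept --check=..., which is why the same delta passes on one machine and fails on another.

```python
import re

# Assumed allowlists for illustration only; not pristine-xz's real lists.
# OLDER models a release that predates support for --check=...
OLDER_ALLOWED = [r"-z", r"-[0-9]"]
NEWER_ALLOWED = OLDER_ALLOWED + [r"--check=(none|crc32|crc64|sha256)"]


class ParanoiaError(ValueError):
    """A delta carried a parameter outside the allowlist."""


def first_rejected(params, allowed):
    """Return the first parameter matching no allowed pattern, else None."""
    patterns = [re.compile(p) for p in allowed]
    for param in params:
        # fullmatch: the whole string must match, so "-6\n" or "-6 extra"
        # cannot ride in behind an allowed prefix.
        if not isinstance(param, str) or not any(
            p.fullmatch(param) for p in patterns
        ):
            return param
    return None


def build_argv(params, allowed, tarball):
    """Validate delta parameters, then build an argv list for xz."""
    bad = first_rejected(params, allowed)
    if bad is not None:
        # Name the one offending parameter rather than the whole list.
        raise ParanoiaError(f"parameter not allowed in delta: {bad!r}")
    # argv list, never a shell string; "--" ends option parsing so the
    # file name cannot be interpreted as an option.
    return ["xz", *params, "--", tarball]


# Constructed sample: parameters as they might be read from a delta.
DELTA_PARAMS = ["-z", "-6", "--check=crc64"]

if __name__ == "__main__":
    print(build_argv(DELTA_PARAMS, NEWER_ALLOWED, "example.orig.tar"))
    try:
        build_argv(DELTA_PARAMS, OLDER_ALLOWED, "example.orig.tar")
    except ParanoiaError as err:
        print("older allowlist:", err)
```
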

Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#707820; Package pristine-tar. (Sat, 11 May 2013 16:36:07 GMT)


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>. (Sat, 11 May 2013 16:36:07 GMT)


Message #15 received at 707820@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 707820@bugs.debian.org
Subject: Re: Bug#707820: pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository
Date: Sat, 11 May 2013 18:33:28 +0200
Quoting Joey Hess (joeyh@debian.org):

> The only solution I can see is for someone to backport pristine-tar for
> wheezy, if they need to use it for development with others who are using
> the newer version.
> 
> The actual bug here, which I've fixed in git, is that the error message
> is wrong! The param it is actually rejecting is --check=crc64

OK, that makes sense. Thanks for your fast and precise answer, Joey
(but I wasn't expecting less..:-))

As a consequence, this is not exactly a bug but more a feature.

It's not anyway really a blocker for me as my build box will soon be
updated to jessie.

I suggest marking the bug as fixed in version 1.2x (x>5 and x<=8) and
maybe keep it open as a reference for people who'll be falling in the
same trap in the future?


Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#707820; Package pristine-tar. (Thu, 30 May 2013 20:45:08 GMT)


Acknowledgement sent to Ivo De Decker <ivo.dedecker@ugent.be>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>. (Thu, 30 May 2013 20:45:08 GMT)


Message #20 received at 707820@bugs.debian.org:

From: Ivo De Decker <ivo.dedecker@ugent.be>
To: Joey Hess <joeyh@debian.org>
Cc: Christian Perrier <bubulle@debian.org>, 707820@bugs.debian.org
Subject: Re: Bug#707820: pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository
Date: Thu, 30 May 2013 22:43:01 +0200
Control: fixed -1 1.28
Control: severity -1 important

Hi Joey,

On Sat, May 11, 2013 at 11:21:31AM -0400, Joey Hess wrote:
> > My fellow co-maintainers do not have this problem with a sid machine
> > (and pristine-tar 1.28).
> > 
> > Is that a known problem?
> 
> pristine-tar only allows whitelisted command parameters in its delta
> files. This is to prevent a bad actor publishing a git repository that
> unexpectedly emails them your gpg private key or something[1].
> 
> This means that as new features of compression programs get supported in
> pristine-tar, it has to whitelist them, and older versions will then not
> be able to check out those tarballs. Of course, other bug fixes in
> pristine-tar can also cause the same effect.
> 
> The only solution I can see is for someone to backport pristine-tar for
> wheezy, if they need to use it for development with others who are using
> the newer version.

Would you consider doing a stable update for this (just adding the whitelist)?

Or would it be OK with you if I did one (after approval from the release
team)?

> The actual bug here, which I've fixed in git, is that the error message
> is wrong! The param it is actually rejecting is --check=crc64

Cheers,

Ivo




Marked as fixed in versions pristine-tar/1.28. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to 707820-submit@bugs.debian.org. (Thu, 30 May 2013 20:45:08 GMT)


Severity set to 'important' from 'normal'. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to 707820-submit@bugs.debian.org. (Thu, 30 May 2013 20:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#707820; Package pristine-tar. (Fri, 31 May 2013 21:33:05 GMT)


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. (Fri, 31 May 2013 21:33:05 GMT)


Message #29 received at 707820@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Ivo De Decker <ivo.dedecker@ugent.be>
Cc: Christian Perrier <bubulle@debian.org>, 707820@bugs.debian.org
Subject: Re: Bug#707820: pristine-tar: Fails with "paranoia check failed on params from delta (-z -6) at /usr/bin/pristine-xz line 195" on fonts-android package git repository
Date: Fri, 31 May 2013 17:29:29 -0400
Ivo De Decker wrote:
> Would you consider doing a stable update for this (just adding the whitelist).

I don't have time or really motivation to do this myself.

> Or would it be OK with you if I did one (after approval from the release
> team)?

Sure.

-- 
see shy jo

Reply sent to Ivo De Decker <ivo.dedecker@ugent.be>:
You have taken responsibility. (Sun, 02 Jun 2013 11:03:17 GMT)


Notification sent to Christian Perrier <bubulle@debian.org>:
Bug acknowledged by developer. (Sun, 02 Jun 2013 11:03:17 GMT)


Message #34 received at 707820-close@bugs.debian.org:

From: Ivo De Decker <ivo.dedecker@ugent.be>
To: 707820-close@bugs.debian.org
Subject: Bug#707820: fixed in pristine-tar 1.25+deb7u1
Date: Sun, 02 Jun 2013 11:02:04 +0000
Source: pristine-tar
Source-Version: 1.25+deb7u1

We believe that the bug you reported is fixed in the latest version of
pristine-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707820@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivo De Decker <ivo.dedecker@ugent.be> (supplier of updated pristine-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 01 Jun 2013 12:22:22 +0200
Source: pristine-tar
Binary: pristine-tar
Architecture: source amd64
Version: 1.25+deb7u1
Distribution: wheezy
Urgency: low
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Ivo De Decker <ivo.dedecker@ugent.be>
Description: 
 pristine-tar - regenerate pristine tarballs
Closes: 707820
Changes: 
 pristine-tar (1.25+deb7u1) wheezy; urgency=low
 .
   * Non-maintainer upload with maintainer approval.
   * pristine-xz: Update list of allowed parameters for wheezy to support files
     created with newer versions (in jessie and sid). Closes: #707820




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 May 2014 07:27:08 GMT)

