Debian Bug report logs - #823428
dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums


Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg (PTS, buildd, popcon).

Reported by: Niko Tyni <ntyni@debian.org>

Date: Wed, 4 May 2016 16:33:02 UTC

Severity: serious

Found in version dpkg/1.18.5

Fixed in version dpkg/1.18.7

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#823428; Package dpkg. (Wed, 04 May 2016 16:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 04 May 2016 16:33:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums
Date: Wed, 4 May 2016 19:28:40 +0300

Package: dpkg
Severity: serious
Version: 1.18.5
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

There are a number of packages in sid that can't currently be unpacked with
the default dpkg-source options.

 dpkg-source: error: source package uses only weak checksums

This happens since dpkg 1.18.5, apparently

 https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=040973c7a1e50b78ef042ef5ffbfff0440c24700

  Error out on source packages without any strong digests in
  Dpkg::Source::Package, used by dpkg-source --extract, which can still
  be disabled with --no-check.

With about 2.5% of the archive test built on tests.reproducible-builds.org with a newer
dpkg, we've caught at least

apparix
apwal
asterisk-prompt-se
bbpager
bbtime
brag
btyacc
libclass-pluggable-perl
libcrypt-des-ede3-perl
libdatetime-format-db2-perl
libdbd-excel-perl
sgml-spell-checker

which would give a linear estimate of roughly 400 broken packages
in total.

A mass bug filing (at RC level) seems to be in order, but maybe dpkg
should just warn for a while until packages get fixed? I assume the
Debian buildds don't use --no-check, so binNMUs of affected packages
are probably broken at the moment?

Tentatively setting at 'serious' but feel free to adjust/close if this
is all going as designed.
-- 
Niko Tyni   ntyni@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#823428; Package dpkg. (Wed, 04 May 2016 18:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 04 May 2016 18:18:06 GMT) (full text, mbox, link).


Message #10 received at 823428@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: Niko Tyni <ntyni@debian.org>, 823428@bugs.debian.org
Subject: Re: Bug#823428: dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums
Date: Wed, 4 May 2016 20:13:56 +0200

Hi!

First off, with the reproducible and rebootstrap efforts rebuilding
stuff with latest dpkg, it's really fast to catch regressions, that's
very helpful, thanks! And second, also thanks for tracking this down. :)

On Wed, 2016-05-04 at 19:28:40 +0300, Niko Tyni wrote:
> Package: dpkg
> Severity: serious
> Version: 1.18.5
> X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

> There are a number of packages in sid that can't currently be unpacked with
> the default dpkg-source options.
> 
>  dpkg-source: error: source package uses only weak checksums

> This happens since dpkg 1.18.5, apparently
> 
>  https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=040973c7a1e50b78ef042ef5ffbfff0440c24700
> 
>   Error out on source packages without any strong digests in
>   Dpkg::Source::Package, used by dpkg-source --extract, which can still
>   be disabled with --no-check.
> 
> With about 2.5% of the archive test built on tests.reproducible-builds.org with a newer
> dpkg, we've caught at least

[…]

> which would give a linear estimate of roughly 400 broken packages
> in total.
> 
> A mass bug filing (at RC level) seems to be in order, but maybe dpkg
> should just warn for a while until packages get fixed? I assume the
> Debian buildds don't use --no-check, so binNMUs of affected packages
> are probably broken at the moment?
> 
> Tentatively setting at 'serious' but feel free to adjust/close if this
> is all going as designed.

No, serious is right, this was over-eagerness on my part. The
signature checks are non-fatal, and not being able to verify the sigs
is way worse security-wise than having weak checksums (and that's
common for revoked/expired/retired keys), so this needs to be a warning
indeed. I'm fixing this for 1.18.7.

Thanks,
Guillem



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#823428; Package dpkg. (Wed, 04 May 2016 19:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 04 May 2016 19:15:03 GMT) (full text, mbox, link).


Message #15 received at 823428@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: Guillem Jover <guillem@debian.org>
Cc: 823428@bugs.debian.org
Subject: Re: Bug#823428: dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums
Date: Wed, 4 May 2016 22:13:35 +0300

On Wed, May 04, 2016 at 08:13:56PM +0200, Guillem Jover wrote:
 
> First off, with the reproducible and rebootstrap efforts rebuilding
> stuff with latest dpkg, it's really fast to catch regressions, that's
> very helpful, thanks! And second, also thanks for tracking this down. :)

Thanks for the kind words :)

> No, serious is right, this was over-eagerness on my part. The
> signature checks are non-fatal, and not being able to verify the sigs
> is way worse security-wise than having weak checksums (and that's
> common for revoked/expired/retired keys), so this needs to be a warning
> indeed. I'm fixing this for 1.18.7.

Cool, thanks again.

Do you think a lintian check for weak checksums would be worthwhile?
I can't see an existing one but I suppose that shouldn't be too hard
to implement.

It could also serve as a basis for a mass bug filing if that turns
out to be desirable.
-- 
Niko
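As an added illustration of the check discussed in this thread (example code, not dpkg's or lintian's own): a small Python checker that parses the digest fields of a .dsc, applies the 1.18.7 policy of warning when no strong digest is present unless strict mode is requested, and verifies a file against the strongest digest listed. It assumes SHA-256 is the only strong digest (md5 in Files and sha1 in Checksums-Sha1 count as weak); the .dsc fragments and file contents are constructed.

```python
import hashlib

# .dsc digest fields and their algorithms; SHA-256 is the only strong one here
# (assumption: mirrors dpkg's weak md5/sha1 versus strong sha256 split).
FIELD_ALGO = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}
STRONG_FIELDS = {"Checksums-Sha256"}

# Constructed sample .dsc fragments (not a real package); the file content is:
SAMPLE_DATA = b"The quick brown fox jumps over the lazy dog"
WEAK_ONLY_DSC = """\
Format: 3.0 (quilt)
Source: example
Files:
 9e107d9d372bb6826bd81d3542a419d6 43 example_1.0.orig.tar.gz
Checksums-Sha1:
 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 43 example_1.0.orig.tar.gz
"""
STRONG_DSC = WEAK_ONLY_DSC + """\
Checksums-Sha256:
 d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 43 example_1.0.orig.tar.gz
"""

def parse_digest_fields(dsc_text):
    """Return {field: {filename: (digest, size)}} for each digest field present."""
    fields, current = {}, None
    for line in dsc_text.splitlines():
        if not line.startswith(" "):  # header line: ends any previous field
            name = line.split(":", 1)[0]
            current = name if name in FIELD_ALGO else None
            if current:
                fields[current] = {}
        elif current:  # continuation line: "<digest> <size> <filename>"
            digest, size, fname = line.split()
            fields[current][fname] = (digest, int(size))
    return fields

def check_strong_checksums(dsc_text, require_strong=False):
    """dpkg 1.18.7 policy: a missing strong digest warns unless strict mode is on."""
    if parse_digest_fields(dsc_text).keys() & STRONG_FIELDS:
        return "ok"
    return "error" if require_strong else "warning"

def verify_file(dsc_text, name, data):
    """Check data against the strongest digest listed for name (size and hash)."""
    fields = parse_digest_fields(dsc_text)
    for field in ("Checksums-Sha256", "Checksums-Sha1", "Files"):  # strongest first
        if name in fields.get(field, {}):
            digest, size = fields[field][name]
            actual = hashlib.new(FIELD_ALGO[field], data).hexdigest()
            return len(data) == size and actual == digest
    return False
```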



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#823428; Package dpkg. (Mon, 09 May 2016 01:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 09 May 2016 01:45:04 GMT) (full text, mbox, link).


Message #20 received at 823428@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: Niko Tyni <ntyni@debian.org>, 823428@bugs.debian.org
Subject: Re: Bug#823428: dpkg: many packages affected by dpkg-source: error: source package uses only weak checksums
Date: Mon, 9 May 2016 03:42:33 +0200

Hi!

On Wed, 2016-05-04 at 22:13:35 +0300, Niko Tyni wrote:
> Do you think a lintian check for weak checksums would be worthwhile?
> I can't see an existing one but I suppose that shouldn't be too hard
> to implement.

Yeah, I think that would be nice. Most of those packages have not been
built in a long time, so they will trigger at least ancient
Standards-Version checks too.

> It could also serve as a basis for a mass bug filing if that turns
> out to be desirable.

Right.

Thanks,
Guillem



Message sent on to Niko Tyni <ntyni@debian.org>:
Bug#823428. (Mon, 09 May 2016 03:12:04 GMT) (full text, mbox, link).


Message #23 received at 823428-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 823428-submitter@bugs.debian.org
Subject: Bug#823428 in package dpkg marked as pending
Date: Mon, 09 May 2016 03:08:47 +0000

Control: tag 823428 pending

Hi!

Bug #823428 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=a558a21

---
commit a558a21ae7f04751f7f5dfe724cd9d5f95905734
Author: Guillem Jover <guillem@debian.org>
Date:   Thu May 5 20:13:56 2016 +0200

    dpkg-source: Add new --require-strong-checksums option and change default
    
    Erroring out when no strong checksums are present is very harsh, as we
    do not even do something similar for invalid/unknown/expired signatures
    which means doing this for checksums has really no point.
    
    Add a new command-line option to force the behavior to be strict, and
    change to a warning.
    
    Regression introduced in commit 040973c7a1e50b78ef042ef5ffbfff0440c24700.
    
    Closes: #823428
    Reported-by: Niko Tyni <ntyni@debian.org>

diff --git a/debian/changelog b/debian/changelog
index e70cae6..654e40f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,15 @@
 dpkg (1.18.7) UNRELEASED; urgency=medium
 
   [ Guillem Jover ]
+  * Add new dpkg-source --require-strong-checksums option and change default.
+    There is no point in erroring out on this condition when signature issues
+    are only warnings, because we cannot guarantee we have functional keys
+    for old signatures. Regression introduced in dpkg 1.18.5. Closes: #823428
   * Perl modules:
     - Relax dependency restrictions parsing to allow again sloppy spaces
       around versions, architectures and profile restrictions.
       Regression introduced in 1.18.5. Closes: #823431
+    - Add new require_strong_checksums option to Dpkg::Source::Package.
   * Documentation:
     - Shorten example symbol names in dpkg-gensymbols to avoid a mandb
       warning due to unwrappable lines in translations.
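Review bot: the first added entry says the option "change[s] default" but never states what the new default is; the commit message above is explicit ("change to a warning"), so the changelog should be too, e.g. "... option and downgrade the missing-strong-checksum error to a warning by default." Readers of the changelog alone cannot otherwise tell whether the default became stricter or looser.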



Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to 823428-submitter@bugs.debian.org. (Mon, 09 May 2016 03:12:04 GMT) (full text, mbox, link).


Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Mon, 09 May 2016 04:39:04 GMT) (full text, mbox, link).


Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Mon, 09 May 2016 04:39:04 GMT) (full text, mbox, link).


Message #30 received at 823428-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 823428-close@bugs.debian.org
Subject: Bug#823428: fixed in dpkg 1.18.7
Date: Mon, 09 May 2016 04:35:58 +0000

Source: dpkg
Source-Version: 1.18.7

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823428@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 May 2016 03:19:52 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.7
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 823428 823431 823619
Changes:
 dpkg (1.18.7) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Add new dpkg-source --require-strong-checksums option and change default.
     There is no point in erroring out on this condition when signature issues
     are only warnings, because we cannot guarantee we have functional keys
     for old signatures. Regression introduced in dpkg 1.18.5. Closes: #823428
   * Stop using several fixed sized buffers for program reporting, which in
     many cases could cause confusing truncation of long messages. Use heap
     allocated formatted strings instead:
     - In start-stop-daemon to report what to stop.
     - In dselect to print main and access methods menu entries.
     - In libdpkg command-line option parsing errors.
     - In libdpkg warning, notice and info reporting.
     - In libdpkg ohshit, ohshitv, ohshite and internerr. But in this case
       fallback to a fixed-size emergency buffer in case of allocation or
       formatting error, so that we can at least print something, even if
       truncated.
     Prompted by Manuel A. Fernandez Montecelo <mafm@debian.org>.
   * Colorize all fatal-error printing codepaths in libdpkg.
   * Architecture support:
     - Bump the GNU triplet cpu from i386 to i686 to match toolchain changes.
       Thanks to Ben Hutchings <ben@decadent.org.uk>. Closes: #823619
     - Clarify column descriptions in architecture table files.
   * Perl modules:
     - Relax dependency restrictions parsing to allow again sloppy spaces
       around versions, architectures and profile restrictions.
       Regression introduced in 1.18.5. Closes: #823431
     - Add new require_strong_checksums option to Dpkg::Source::Package.
     - Add new tests_dep option to Dpkg::Deps deps_parse() to allow the
       otherwise invalid ‘@’ character in dependencies. To be used when
       parsing the debian/tests/control file.
   * Documentation:
     - Shorten example symbol names in dpkg-gensymbols to avoid a mandb
       warning due to unwrappable lines in translations.
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
Checksums-Sha1:
 76ee921b1ae3a5c220b8bdab3b9b8b0f5708fa74 2026 dpkg_1.18.7.dsc
 dd223bc6f70f43075cc8b7a3ec4925500ff6be5e 4617284 dpkg_1.18.7.tar.xz
Checksums-Sha256:
 36e362ed6ede976a3eb14a7ab1819676ecb8052904e6eb49ca6c1210b5519929 2026 dpkg_1.18.7.dsc
 ace36d3a6dc750a42baf797f9e75ec580a21f92bb9ff96b482100755d6d9b87b 4617284 dpkg_1.18.7.tar.xz
Files:
 11f89c5e55b768ce492b51c34b4b27b9 2026 admin required dpkg_1.18.7.dsc
 073dbf2129a54b0fc627464bf8af4a1b 4617284 admin required dpkg_1.18.7.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Jun 2016 07:29:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:46:45 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.