
Consider md5sum no longer a usable hash

The md5sum hash has been broken for some time and we should no longer
consider it a usable hash. Also update the tests to reflect this.
tags/debian/1.1.exp12
Michael Vogt 5 years ago
parent
commit
55ae7a5161
11 changed files with 52 additions and 39 deletions
  1. +11
    -4
      apt-pkg/contrib/hashes.cc
  2. +1
    -0
      apt-pkg/contrib/hashes.h
  3. +1
    -0
      test/integration/Packages-releasefile-verification
  4. +1
    -0
      test/integration/Packages-releasefile-verification-new
  5. +3
    -0
      test/integration/framework
  6. +8
    -8
      test/integration/test-apt-get-source
  7. +6
    -6
      test/integration/test-apt-get-source-arch
  8. +4
    -4
      test/integration/test-apt-get-source-multisources
  9. +3
    -7
      test/integration/test-apt-helper
  10. +6
    -6
      test/integration/test-bug-722207-print-uris-even-if-very-quiet
  11. +8
    -4
      test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum

+ 11
- 4
apt-pkg/contrib/hashes.cc View File

@@ -129,6 +129,13 @@ APT_PURE bool HashString::empty() const /*{{{*/
return (Type.empty() || Hash.empty());
}
/*}}}*/
APT_PURE bool HashString::usable() const /*{{{*/
{
return (
(Type != "Checksum-FileSize") &&
(Type != "MD5Sum")
);
}
std::string HashString::toStr() const /*{{{*/
{
return Type + ":" + Hash;
@@ -151,10 +158,10 @@ bool HashStringList::usable() const /*{{{*/
std::string const forcedType = _config->Find("Acquire::ForceHash", "");
if (forcedType.empty() == true)
{
// FileSize alone isn't usable
for (std::vector<HashString>::const_iterator hs = list.begin(); hs != list.end(); ++hs)
if (hs->HashType() != "Checksum-FileSize")
return true;
// See if there is at least one usable hash
for (auto const &hs: list)
if (hs.usable())
return true;
return false;
}
return find(forcedType) != NULL;
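Review bot: The forced-hash path at the end of the second hunk, `return find(forcedType) != NULL;`, does not go through the new `HashString::usable()` predicate, so `Acquire::ForceHash=MD5Sum` (and, as far as this hunk shows, `Acquire::ForceHash=Checksum-FileSize`) still makes a list count as usable. If keeping MD5Sum as an explicit administrator override is intended, a comment above that return would make the exception visible, for example `// an explicitly forced type is honoured even if usable() would reject it`. The new predicate also compares `Type` with exact string equality, so it relies on the type name having been normalised to `MD5Sum` before it gets here; that is not visible in this section and is worth confirming. `HashStringList::usable()` continues outside the hunk.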


+ 1
- 0
apt-pkg/contrib/hashes.h View File

@@ -68,6 +68,7 @@ class HashString
// helper
std::string toStr() const; // convert to str as "type:hash"
bool empty() const;
bool usable() const;
bool operator==(HashString const &other) const;
bool operator!=(HashString const &other) const;
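Review bot: The new `bool usable() const;` declaration carries no comment, while `toStr()` in the same helper group does, and its name alone does not say which hash types it rejects. Since callers will treat the result as a security decision, I would document it at the declaration, for example `bool usable() const; // false for types that cannot authenticate a file on their own (Checksum-FileSize, MD5Sum)`. The class body starts and ends outside the hunk.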



+ 1
- 0
test/integration/Packages-releasefile-verification View File

@@ -9,6 +9,7 @@ Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, bzip2, lzma, python-ap
Filename: apt.deb
Size: 0
MD5sum: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Description: Advanced front-end for dpkg
This is Debian's next generation front-end for the dpkg package manager.
It provides the apt-get utility and APT dselect method that provides a


+ 1
- 0
test/integration/Packages-releasefile-verification-new View File

@@ -12,6 +12,7 @@ Conflicts: python-apt (<< 0.7.93.2~)
Filename: apt.deb
Size: 0
MD5sum: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Description: Advanced front-end for dpkg
This is Debian's next generation front-end for the dpkg package manager.
It provides the apt-get utility and APT dselect method that provides a


+ 3
- 0
test/integration/framework View File

@@ -852,6 +852,9 @@ Architecture: $ARCH" >> $FILE
echo "Files:
$(echo -n "$DSCFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE
$(echo -n "$TARFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE
Checksums-Sha256:
$(echo -n "$DSCFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE
$(echo -n "$TARFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE
" >> $FILE
}



+ 8
- 8
test/integration/test-apt-get-source View File

@@ -35,11 +35,11 @@ APTARCHIVE=$(readlink -f ./aptarchive)
HEADER="Reading package lists...
Building dependency tree..."
DOWNLOAD1="Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef
'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184"
'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7
'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239"
DOWNLOAD2="Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55
'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f"
'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104
'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a"
testsuccessequal "$HEADER
$DOWNLOAD2" aptget source -q --print-uris foo

@@ -72,8 +72,8 @@ $DOWNLOAD1" aptget source -q --print-uris foo=1.0
# select by release with no binary package (Bug#731102) but ensure to get
# highest version
DOWNLOAD01="Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af
'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61"
'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565
'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585"
testsuccessequal "$HEADER
Selected version '0.1' (wheezy) for foo
$DOWNLOAD01" aptget source -q --print-uris foo/wheezy
@@ -85,8 +85,8 @@ E: Unable to find a source package for foo" aptget source -q --print-uris foo=9.

# version and release
DOWNLOAD001="Need to get 0 B/29 B of source archives.
'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 MD5Sum:6c819ebf0a21b1a480e1dbf6b8edfebd
'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 MD5Sum:a3c7e1ac2159fc0faf522e110d6906fd"
'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 SHA256:649dfe03bbb70cebdfe7c6bf9036f9f2472510b8f52e823bdf5ade362ebaa76f
'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 SHA256:ab7ba789d178362ecc808e49705e2338988a7f5b9410ec11a6c9555c017de907"
testsuccessequal "$HEADER
$DOWNLOAD001" aptget source -q --print-uris -t unstable foo=0.0.1



+ 6
- 6
test/integration/test-apt-get-source-arch View File

@@ -29,8 +29,8 @@ APTARCHIVE=$(readlink -f ./aptarchive)
HEADER="Reading package lists...
Building dependency tree..."
DOWNLOAD10="Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef
'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184"
'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7
'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239"

# pick :amd64
testsuccessequal "$HEADER
@@ -39,15 +39,15 @@ $DOWNLOAD10" aptget source -q --print-uris foo:amd64
# pick :i386
testsuccessequal "$HEADER
Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55
'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f" aptget source -q --print-uris foo:i386
'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104
'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a" aptget source -q --print-uris foo:i386

# pick :i386 by release
testsuccessequal "$HEADER
Selected version '0.1' (oldstable) for foo
Need to get 0 B/25 B of source archives.
'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af
'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61" aptget source -q --print-uris foo:i386/oldstable
'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565
'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585" aptget source -q --print-uris foo:i386/oldstable

# pick :i386 by version
testsuccessequal "$HEADER


+ 4
- 4
test/integration/test-apt-get-source-multisources View File

@@ -21,10 +21,10 @@ HEADER="Reading package lists...
Building dependency tree..."
testsuccessequal "$HEADER
Need to get 0 B/43 B of source archives.
'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b
'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11
'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7
'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11

testsuccessequal "$HEADER
Need to get 0 B/43 B of source archives.
'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df
'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113
'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285
'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113

+ 3
- 7
test/integration/test-apt-helper View File

@@ -13,10 +13,6 @@ test_apt_helper_download() {
echo 'foo' > aptarchive/foo
echo 'bar' > aptarchive/foo2

msgtest 'apt-file download-file md5sum'
testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo2 MD5Sum:d3b07384d113edec49eaa6238ad5ff00
testfileequal ./downloaded/foo2 'foo'

msgtest 'apt-file download-file sha1'
testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo1 SHA1:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
testfileequal ./downloaded/foo1 'foo'
@@ -30,14 +26,14 @@ test_apt_helper_download() {
testfileequal ./downloaded/foo4 'foo'
msgtest 'apt-file download-file wrong hash'
testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 MD5Sum:aabbcc
testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 SHA256:aabbcc
testfileequal rootdir/tmp/testfailure.output 'E: Failed to fetch http://localhost:8080/foo Hash Sum mismatch

E: Download Failed'
testfileequal ./downloaded/foo5.FAILED 'foo'

msgtest 'apt-file download-file md5sum sha1'
testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 MD5Sum:d3b07384d113edec49eaa6238ad5ff00 http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f
msgtest 'apt-file download-file sha256 sha1'
testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 SHA256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f
testfileequal ./downloaded/foo6 'foo'
testfileequal ./downloaded/foo7 'bar'
}
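Review bot: The MD5Sum cases in `test_apt_helper_download` appear to be deleted rather than inverted, so nothing in this file asserts what now happens when `download-file` is given only an `MD5Sum:` hash. The same gap is left in test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum, where `testok pkg-md5-ok`, `testkeep pkg-md5-ok`, `testok pkg-no-md5` and `testok pkg-md5-agree` are commented out instead of replaced. A regression that made MD5Sum usable again would likely go unnoticed by these two files. I would keep one case per file that pins the intended outcome, for example `msgtest 'apt-file download-file md5sum only'` followed by the matching check for the `MD5Sum:d3b07384d113edec49eaa6238ad5ff00` request, and turn the commented-out lines into explicit expected-failure checks. The function starts outside the first hunk.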


+ 6
- 6
test/integration/test-bug-722207-print-uris-even-if-very-quiet View File

@@ -21,11 +21,11 @@ testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.d
testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget dist-upgrade -qq --print-uris
testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget install apt -qq --print-uris
testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget download apt -qq --print-uris
testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a
'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373" aptget source apt -qq --print-uris
testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4
'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99" aptget source apt -qq --print-uris
testsuccessequal "'http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_2_changelog' apt.changelog" aptget changelog apt -qq --print-uris

testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a
'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373
'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 MD5Sum:4c572ce45f1e2bedbb30da7f5e1c241c
'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 MD5Sum:2a96fec139f8722d93312a1ff8281232" aptget source apt apt2 -qq --print-uris
testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4
'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99
'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 SHA256:5693ba5efbfa21216f13661d344611aabe70ce3c343554ab46d4d9c24fdfd13a
'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 SHA256:1464c609fd09934c270ec629020d5e248b080607f715e47ef088cc8ab8480541" aptget source apt apt2 -qq --print-uris

+ 8
- 4
test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum View File

@@ -1,4 +1,8 @@
#!/bin/sh
#
# FIXME: this test is mostly meaningless now as we do not consider
# md5sum sufficient anyway. useful to test that it errors
# if not all hashes pass
set -e

TESTDIR=$(readlink -f $(dirname $0))
@@ -210,8 +214,8 @@ Download complete and in download only mode" aptget source --allow-unauthenticat
testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz
}

testok pkg-md5-ok
testkeep pkg-md5-ok
#testok pkg-md5-ok
#testkeep pkg-md5-ok
testok pkg-sha256-ok
testkeep pkg-sha256-ok

@@ -223,7 +227,7 @@ testmismatch pkg-sha256-bad
testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum

# not having MD5 sum doesn't mean the file doesn't exist at all …
testok pkg-no-md5
#testok pkg-no-md5
testok pkg-no-md5 -o Acquire::ForceHash=SHA256
testsuccessequal "Reading package lists...
Building dependency tree...
@@ -263,7 +267,7 @@ msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed
testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz

# it gets even more pathologic: multiple entries for one file, some even disagreeing!
testok pkg-md5-agree
#testok pkg-md5-agree
testfailureequal 'Reading package lists...
Building dependency tree...
E: Error parsing checksum in Files of source package pkg-md5-disagree' aptget source -d pkg-md5-disagree

