diff options
| author | Michael Vogt <mvo@ubuntu.com> | 2015-09-01 11:13:48 +0200 |
|---|---|---|
| committer | Michael Vogt <mvo@ubuntu.com> | 2015-09-01 11:29:49 +0200 |
| commit | 55ae7a516126f9f064d8353bf962256b7307590a (patch) | |
| tree | 14c91251fa81c61c4ab26994036213b6ee24f61c | |
| parent | 226c0f64d46019d675840b16bd44ff985b45ad0f (diff) | |
Consider md5sum no longer a usable hash
The md5sum hash is broken since some time and we should no longer
consider it a usable hash. Also update the tests to reflect this.
| -rw-r--r-- | apt-pkg/contrib/hashes.cc | 15 | ||||
| -rw-r--r-- | apt-pkg/contrib/hashes.h | 1 | ||||
| -rw-r--r-- | test/integration/Packages-releasefile-verification | 1 | ||||
| -rw-r--r-- | test/integration/Packages-releasefile-verification-new | 1 | ||||
| -rw-r--r-- | test/integration/framework | 3 | ||||
| -rwxr-xr-x | test/integration/test-apt-get-source | 16 | ||||
| -rwxr-xr-x | test/integration/test-apt-get-source-arch | 12 | ||||
| -rwxr-xr-x | test/integration/test-apt-get-source-multisources | 8 | ||||
| -rwxr-xr-x | test/integration/test-apt-helper | 10 | ||||
| -rwxr-xr-x | test/integration/test-bug-722207-print-uris-even-if-very-quiet | 12 | ||||
| -rwxr-xr-x | test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum | 12 |
11 files changed, 52 insertions, 39 deletions
diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc index 4481321c4..41a0037cd 100644 --- a/apt-pkg/contrib/hashes.cc +++ b/apt-pkg/contrib/hashes.cc @@ -129,6 +129,13 @@ APT_PURE bool HashString::empty() const /*{{{*/ return (Type.empty() || Hash.empty()); } /*}}}*/ +APT_PURE bool HashString::usable() const /*{{{*/ +{ + return ( + (Type != "Checksum-FileSize") && + (Type != "MD5Sum") + ); +} std::string HashString::toStr() const /*{{{*/ { return Type + ":" + Hash; @@ -151,10 +158,10 @@ bool HashStringList::usable() const /*{{{*/ std::string const forcedType = _config->Find("Acquire::ForceHash", ""); if (forcedType.empty() == true) { - // FileSize alone isn't usable - for (std::vector<HashString>::const_iterator hs = list.begin(); hs != list.end(); ++hs) - if (hs->HashType() != "Checksum-FileSize") - return true; + // See if there is at least one usable hash + for (auto const &hs: list) + if (hs.usable()) + return true; return false; } return find(forcedType) != NULL; diff --git a/apt-pkg/contrib/hashes.h b/apt-pkg/contrib/hashes.h index 0e6ff9ef1..74024befd 100644 --- a/apt-pkg/contrib/hashes.h +++ b/apt-pkg/contrib/hashes.h @@ -68,6 +68,7 @@ class HashString // helper std::string toStr() const; // convert to str as "type:hash" bool empty() const; + bool usable() const; bool operator==(HashString const &other) const; bool operator!=(HashString const &other) const; diff --git a/test/integration/Packages-releasefile-verification b/test/integration/Packages-releasefile-verification index eb7327279..1e5c47096 100644 --- a/test/integration/Packages-releasefile-verification +++ b/test/integration/Packages-releasefile-verification @@ -9,6 +9,7 @@ Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, bzip2, lzma, python-ap Filename: apt.deb Size: 0 MD5sum: d41d8cd98f00b204e9800998ecf8427e +SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Description: Advanced front-end for dpkg This is Debian's next generation front-end for the dpkg package manager. It provides the apt-get utility and APT dselect method that provides a diff --git a/test/integration/Packages-releasefile-verification-new b/test/integration/Packages-releasefile-verification-new index 61509d157..7f03829d6 100644 --- a/test/integration/Packages-releasefile-verification-new +++ b/test/integration/Packages-releasefile-verification-new @@ -12,6 +12,7 @@ Conflicts: python-apt (<< 0.7.93.2~) Filename: apt.deb Size: 0 MD5sum: d41d8cd98f00b204e9800998ecf8427e +SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Description: Advanced front-end for dpkg This is Debian's next generation front-end for the dpkg package manager. It provides the apt-get utility and APT dselect method that provides a diff --git a/test/integration/framework b/test/integration/framework index 182bec2e4..ec5d7c491 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -852,6 +852,9 @@ Architecture: $ARCH" >> $FILE echo "Files: $(echo -n "$DSCFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE $(echo -n "$TARFILE" | md5sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE +Checksums-Sha256: + $(echo -n "$DSCFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$DSCFILE" | wc -c) $DSCFILE + $(echo -n "$TARFILE" | sha256sum | cut -d' ' -f 1) $(echo -n "$TARFILE" | wc -c) $TARFILE " >> $FILE } diff --git a/test/integration/test-apt-get-source b/test/integration/test-apt-get-source index 03320754b..6791bdd98 100755 --- a/test/integration/test-apt-get-source +++ b/test/integration/test-apt-get-source @@ -35,11 +35,11 @@ APTARCHIVE=$(readlink -f ./aptarchive) HEADER="Reading package lists... Building dependency tree..." DOWNLOAD1="Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef -'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184" +'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7 +'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239" DOWNLOAD2="Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55 -'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f" +'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104 +'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a" testsuccessequal "$HEADER $DOWNLOAD2" aptget source -q --print-uris foo @@ -72,8 +72,8 @@ $DOWNLOAD1" aptget source -q --print-uris foo=1.0 # select by release with no binary package (Bug#731102) but ensure to get # highest version DOWNLOAD01="Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af -'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61" +'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565 +'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585" testsuccessequal "$HEADER Selected version '0.1' (wheezy) for foo $DOWNLOAD01" aptget source -q --print-uris foo/wheezy @@ -85,8 +85,8 @@ E: Unable to find a source package for foo" aptget source -q --print-uris foo=9. # version and release DOWNLOAD001="Need to get 0 B/29 B of source archives. -'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 MD5Sum:6c819ebf0a21b1a480e1dbf6b8edfebd -'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 MD5Sum:a3c7e1ac2159fc0faf522e110d6906fd" +'file://${APTARCHIVE}/foo_0.0.1.dsc' foo_0.0.1.dsc 13 SHA256:649dfe03bbb70cebdfe7c6bf9036f9f2472510b8f52e823bdf5ade362ebaa76f +'file://${APTARCHIVE}/foo_0.0.1.tar.gz' foo_0.0.1.tar.gz 16 SHA256:ab7ba789d178362ecc808e49705e2338988a7f5b9410ec11a6c9555c017de907" testsuccessequal "$HEADER $DOWNLOAD001" aptget source -q --print-uris -t unstable foo=0.0.1 diff --git a/test/integration/test-apt-get-source-arch b/test/integration/test-apt-get-source-arch index f54bb6012..348f35f0b 100755 --- a/test/integration/test-apt-get-source-arch +++ b/test/integration/test-apt-get-source-arch @@ -29,8 +29,8 @@ APTARCHIVE=$(readlink -f ./aptarchive) HEADER="Reading package lists... Building dependency tree..." DOWNLOAD10="Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 MD5Sum:b998e085e36cf162e6a33c2801318fef -'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 MD5Sum:d46b9a02af8487cbeb49165540c88184" +'file://${APTARCHIVE}/foo_1.0.dsc' foo_1.0.dsc 11 SHA256:ed7c25c832596339bee13e4e7c45cf49f869b60d2bf57252f18191d75866c2a7 +'file://${APTARCHIVE}/foo_1.0.tar.gz' foo_1.0.tar.gz 14 SHA256:f3da8c6ebc62c8ef2dae439a498dddcdacc1a07f45ff67ad12f44b6e2353c239" # pick :amd64 testsuccessequal "$HEADER @@ -39,15 +39,15 @@ $DOWNLOAD10" aptget source -q --print-uris foo:amd64 # pick :i386 testsuccessequal "$HEADER Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 MD5Sum:c0de572c6f8aa576c8ff78c81132ed55 -'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 MD5Sum:e10bb487c375b2b938d27bd31c2d1f5f" aptget source -q --print-uris foo:i386 +'file://${APTARCHIVE}/foo_2.0.dsc' foo_2.0.dsc 11 SHA256:0fcb803ffbeef26db884625aaf06e75f3eda5c994634980e7c20fd37ed1fc104 +'file://${APTARCHIVE}/foo_2.0.tar.gz' foo_2.0.tar.gz 14 SHA256:ca9b0b828ca22372502af2b80f61f0bd9063910ece9fc34eeaf9d9e31aa8195a" aptget source -q --print-uris foo:i386 # pick :i386 by release testsuccessequal "$HEADER Selected version '0.1' (oldstable) for foo Need to get 0 B/25 B of source archives. -'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 MD5Sum:0811a4d85238056c613ea897f49f01af -'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 MD5Sum:fa1ecb7a1a53e8e6f6551ca7db888a61" aptget source -q --print-uris foo:i386/oldstable +'file://${APTARCHIVE}/foo_0.1.dsc' foo_0.1.dsc 11 SHA256:72af24b0290fe1d13a3e25fddd2633e43c87ff79d249bc850009e47bcce73565 +'file://${APTARCHIVE}/foo_0.1.tar.gz' foo_0.1.tar.gz 14 SHA256:ec748ad88a71f98bfdc012e1a7632377d05fe3ebbf9c0922e0691fe4d79c0585" aptget source -q --print-uris foo:i386/oldstable # pick :i386 by version testsuccessequal "$HEADER diff --git a/test/integration/test-apt-get-source-multisources b/test/integration/test-apt-get-source-multisources index 887a30685..ba370fea6 100755 --- a/test/integration/test-apt-get-source-multisources +++ b/test/integration/test-apt-get-source-multisources @@ -21,10 +21,10 @@ HEADER="Reading package lists... Building dependency tree..." testsuccessequal "$HEADER Need to get 0 B/43 B of source archives. -'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b -'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11 +'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7 +'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285" aptget source -qdy --print-uris --dsc-only adduser=3.113 python-fll=0.9.11 testsuccessequal "$HEADER Need to get 0 B/43 B of source archives. -'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 MD5Sum:740a9dbf02a295932f15b1415d0dc0df -'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 MD5Sum:255405ab5af211238ef53b7a1dd8ca4b" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113 +'file://${APTARCHIVE}/python-fll_0.9.11.dsc' python-fll_0.9.11.dsc 21 SHA256:51429e835ded66abf6bbc157865af29920435e74aea2836ba1f46443feae9285 +'file://${APTARCHIVE}/adduser_3.113+nmu3.dsc' adduser_3.113+nmu3.dsc 22 SHA256:19cc1abe85063976bf71c033f62f3e6bf6621647fe44a6ee31ed687e3fa5cbb7" aptget source -qdy --print-uris --dsc-only python-fll=0.9.11 adduser=3.113 diff --git a/test/integration/test-apt-helper b/test/integration/test-apt-helper index 00d859ad5..a303e944e 100755 --- a/test/integration/test-apt-helper +++ b/test/integration/test-apt-helper @@ -13,10 +13,6 @@ test_apt_helper_download() { echo 'foo' > aptarchive/foo echo 'bar' > aptarchive/foo2 - msgtest 'apt-file download-file md5sum' - testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo2 MD5Sum:d3b07384d113edec49eaa6238ad5ff00 - testfileequal ./downloaded/foo2 'foo' - msgtest 'apt-file download-file sha1' testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo1 SHA1:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 testfileequal ./downloaded/foo1 'foo' @@ -30,14 +26,14 @@ test_apt_helper_download() { testfileequal ./downloaded/foo4 'foo' msgtest 'apt-file download-file wrong hash' - testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 MD5Sum:aabbcc + testfailure --nomsg apthelper -qq download-file http://localhost:8080/foo ./downloaded/foo5 SHA256:aabbcc testfileequal rootdir/tmp/testfailure.output 'E: Failed to fetch http://localhost:8080/foo Hash Sum mismatch E: Download Failed' testfileequal ./downloaded/foo5.FAILED 'foo' - msgtest 'apt-file download-file md5sum sha1' - testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 MD5Sum:d3b07384d113edec49eaa6238ad5ff00 http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f + msgtest 'apt-file download-file sha256 sha1' + testsuccess --nomsg apthelper download-file http://localhost:8080/foo ./downloaded/foo6 SHA256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c http://localhost:8080/foo2 ./downloaded/foo7 SHA1:e242ed3bffccdf271b7fbaf34ed72d089537b42f testfileequal ./downloaded/foo6 'foo' testfileequal ./downloaded/foo7 'bar' } diff --git a/test/integration/test-bug-722207-print-uris-even-if-very-quiet b/test/integration/test-bug-722207-print-uris-even-if-very-quiet index 1fa94de7d..07d76eaf0 100755 --- a/test/integration/test-bug-722207-print-uris-even-if-very-quiet +++ b/test/integration/test-bug-722207-print-uris-even-if-very-quiet @@ -21,11 +21,11 @@ testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.d testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget dist-upgrade -qq --print-uris testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget install apt -qq --print-uris testsuccessequal "'file://${APTARCHIVE}/pool/main/apt/apt_2_all.deb' apt_2_all.deb 0 " aptget download apt -qq --print-uris -testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a -'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373" aptget source apt -qq --print-uris +testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4 +'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99" aptget source apt -qq --print-uris testsuccessequal "'http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_2_changelog' apt.changelog" aptget changelog apt -qq --print-uris -testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 MD5Sum:16ff470aaedad0f06fb951ed89ffdd3a -'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 MD5Sum:ab2b546f59ff9e8f5cc7a2d987ff3373 -'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 MD5Sum:4c572ce45f1e2bedbb30da7f5e1c241c -'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 MD5Sum:2a96fec139f8722d93312a1ff8281232" aptget source apt apt2 -qq --print-uris +testsuccessequal "'file://${APTARCHIVE}/apt_2.dsc' apt_2.dsc 9 SHA256:7776436a6d741497f1cd958014e1a05b352224231428152aae39da3c17fd2fd4 +'file://${APTARCHIVE}/apt_2.tar.gz' apt_2.tar.gz 12 SHA256:f57f565eabe3fde0ec6e6e0bcc8db1d86fe2b4d6344a380a23520ddbb7728e99 +'file://${APTARCHIVE}/apt2_1.dsc' apt2_1.dsc 10 SHA256:5693ba5efbfa21216f13661d344611aabe70ce3c343554ab46d4d9c24fdfd13a +'file://${APTARCHIVE}/apt2_1.tar.gz' apt2_1.tar.gz 13 SHA256:1464c609fd09934c270ec629020d5e248b080607f715e47ef088cc8ab8480541" aptget source apt apt2 -qq --print-uris diff --git a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum index 48a7f0562..26b1393b7 100755 --- a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum +++ b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum @@ -1,4 +1,8 @@ #!/bin/sh +# +# FIXME: this test is mostly meaningless now as we do not consider +# md5sum sufficient anyway. useful to test that it errors +# if not all hashes pass set -e TESTDIR=$(readlink -f $(dirname $0)) @@ -210,8 +214,8 @@ Download complete and in download only mode" aptget source --allow-unauthenticat testsuccess --nomsg test -e ${1}_1.0.dsc -a -e ${1}_1.0.tar.gz } -testok pkg-md5-ok -testkeep pkg-md5-ok +#testok pkg-md5-ok +#testkeep pkg-md5-ok testok pkg-sha256-ok testkeep pkg-sha256-ok @@ -223,7 +227,7 @@ testmismatch pkg-sha256-bad testok pkg-sha256-bad -o Acquire::ForceHash=MD5Sum # not having MD5 sum doesn't mean the file doesn't exist at all … -testok pkg-no-md5 +#testok pkg-no-md5 testok pkg-no-md5 -o Acquire::ForceHash=SHA256 testsuccessequal "Reading package lists... Building dependency tree... @@ -263,7 +267,7 @@ msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz # it gets even more pathologic: multiple entries for one file, some even disagreeing! -testok pkg-md5-agree +#testok pkg-md5-agree testfailureequal 'Reading package lists... Building dependency tree... E: Error parsing checksum in Files of source package pkg-md5-disagree' aptget source -d pkg-md5-disagree |