apt-ftparchive writes SHA256 checksums in place of SHA512 in Sources

Bug #1234705 reported by Colin Watson on 2013-10-03
This bug affects 1 person
Affects         Status   Importance   Assigned to    Milestone
apt (Ubuntu)             Undecided    Unassigned
Precise                  High         Colin Watson
Quantal                  High         Colin Watson
Raring                   High         Colin Watson

Bug Description

[Impact] apt-ftparchive generates SHA256 checksums for .dsc files and claims they're SHA512; this is likely to cause clients to fail to acquire source packages from Sources files generated with affected versions of apt-ftparchive, although only for .dsc files that contain Checksums-Sha512 (which is not yet the default).
[Test Case] Use "apt-ftparchive sources" to generate Sources files for a tree containing a .dsc with the Checksums-Sha512 field (you may need to generate one manually). Check that the filled-in checksum for the .dsc itself is correct.
[Regression Potential] Confined to apt-ftparchive. Probably best to diff Packages/Sources files before and after.

When apt-ftparchive is called upon to generate SHA512 checksums for a .dsc file that itself contains a Checksums-Sha512 field, the versions in precise, quantal, and raring generate a SHA256 checksum instead and claim it's SHA512. This is due to this line, which is obviously incorrect once you notice it:

  SHA256Summation SHA512;

We need to fix this before Launchpad production is upgraded from lucid to precise.
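The check from the test case above can be automated over a generated Sources stanza. The following is an added example, not part of the original report or of apt: the function names, the sample stanza and the file contents are constructed for illustration. It flags a Checksums-Sha512 entry whose digest has the wrong length, duplicates the Checksums-Sha256 value, or does not match a recomputed hash.

```python
import hashlib

# Hex-digest length each checksum field of a Sources stanza must carry.
HEX_LEN = {"Checksums-Sha1": 40, "Checksums-Sha256": 64, "Checksums-Sha512": 128}

def parse_checksums(stanza):
    """Return {field: {filename: digest}} for the checksum fields of one stanza."""
    fields, current = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t"):              # continuation of a multi-line field
            if current:
                digest, _size, name = line.split()
                fields.setdefault(current, {})[name] = digest.lower()
        else:
            key = line.split(":", 1)[0]
            current = key if key in HEX_LEN else None
    return fields

def audit_stanza(stanza, files=None):
    """Return a list of problems; files optionally maps filename -> bytes."""
    problems = []
    fields = parse_checksums(stanza)
    sha256 = fields.get("Checksums-Sha256", {})
    for field, entries in fields.items():
        algo = field.split("-")[1].lower()       # sha1, sha256 or sha512
        for name, digest in entries.items():
            if len(digest) != HEX_LEN[field]:
                problems.append(f"{field} {name}: {len(digest)} hex chars, expected {HEX_LEN[field]}")
            if field == "Checksums-Sha512" and sha256.get(name) == digest:
                problems.append(f"{field} {name}: same value as Checksums-Sha256")
            if files and name in files and hashlib.new(algo, files[name]).hexdigest() != digest:
                problems.append(f"{field} {name}: does not match recomputed {algo}")
    return problems

# Constructed sample data (not from a real archive).
FILES = {"hello_1.0.dsc": b"Format: 3.0 (quilt)\nSource: hello\n",
         "hello_1.0.tar.gz": b"constructed tarball bytes"}

def make_stanza(dsc_algo):
    """Build a Sources stanza; the .dsc Checksums-Sha512 value is computed with dsc_algo."""
    def rows(algo_for):
        return "".join(f" {hashlib.new(algo_for(n), b).hexdigest()} {len(b)} {n}\n"
                       for n, b in FILES.items())
    return ("Package: hello\nChecksums-Sha256:\n" + rows(lambda n: "sha256")
            + "Checksums-Sha512:\n"
            + rows(lambda n: dsc_algo if n.endswith(".dsc") else "sha512"))

BUGGY = make_stanza("sha256")   # symptom from this report: SHA256 digest under a SHA512 label
FIXED = make_stanza("sha512")
if __name__ == "__main__": print("\n".join(audit_stanza(BUGGY, FILES)) or "ok")
```

Passing `files` is optional: without it the audit still catches the symptom from the digest length and the duplicate value alone, which is enough for diffing Sources files before and after the fix.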

Colin Watson (cjwatson) on 2013-10-03
Changed in apt (Ubuntu):
status: New → Fix Released
Changed in apt (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
milestone: none → ubuntu-12.04.4
Changed in apt (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Changed in apt (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)

Hello Colin, or anyone else affected,

Accepted apt into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.15 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Changed in apt (Ubuntu Quantal):
status: Triaged → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Colin, or anyone else affected,

Accepted apt into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.9.7.5ubuntu5.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Colin, or anyone else affected,

Accepted apt into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.9.7.7ubuntu6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Raring):
status: Triaged → Fix Committed
Colin Watson (cjwatson) on 2013-10-04
description: updated
Colin Watson (cjwatson) on 2013-10-04
description: updated
Colin Watson (cjwatson) on 2013-10-04
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.15

---------------
apt (0.8.16~exp12ubuntu10.15) precise; urgency=low

  [ David Kalnischkies ]
  * ftparchive/writer.cc:
    - handle the APT::FTPArchive::Packages::SHA512 option correctly instead
      of overriding SHA256, thanks Christian Marillat! (Closes: #680252,
      LP: #1234691)

  [ Colin Watson ]
  * Fix apt-ftparchive's generation of SHA512 checksums for Sources,
    previously incorrectly generated as SHA256 (LP: #1234705).
 -- Colin Watson <email address hidden> Thu, 03 Oct 2013 14:19:02 +0100

Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.7.5ubuntu5.6

---------------
apt (0.9.7.5ubuntu5.6) quantal; urgency=low

  * Fix apt-ftparchive's generation of SHA512 checksums for Sources,
    previously incorrectly generated as SHA256 (LP: #1234705).
 -- Colin Watson <email address hidden> Thu, 03 Oct 2013 14:51:28 +0100

Changed in apt (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.7.7ubuntu6

---------------
apt (0.9.7.7ubuntu6) raring; urgency=low

  * Fix apt-ftparchive's generation of SHA512 checksums for Sources,
    previously incorrectly generated as SHA256 (LP: #1234705).
 -- Colin Watson <email address hidden> Thu, 03 Oct 2013 14:22:35 +0100

Changed in apt (Ubuntu Raring):
status: Fix Committed → Fix Released