Updated patch, which assumes the libdebian-installer4-dev package will
not be renamed. Build-Depend on a recent enough version that provides
sha256 fields.
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff --git a/debian/changelog b/debian/changelog
index d6682ca..20e33a0 100644
--- a/debia
Processing control commands:
> tags -1 + patch
Bug #856211 [src:anna] anna: please implement SHA256 verification of .udeb files
Added tag(s) patch.
--
856211: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856211
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Control: tags -1 + patch
Hi,
Attached is a minimal patch intended to implement SHA256 verification.
It would depend on libdebian-installer being patched first (#856210) and
bumping the soname to 5.
"#define SHA256_HEX_LENGTH 64" is made as explicit as possible so that one
remembers to increase it i
Steven Chamberlain wrote:
> Attached is [...]
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff --git a/anna.c b/anna.c
index 4b68816..e03d34a 100644
--- a/anna.c
+++ b/anna.c
@@ -318,8 +318,8 @@ install_modules(di_packages *status, di_packages *packages) {
}
}
-if (! md5sum
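Review bot: The removed `if (! md5sum` test in install_modules guards against a package entry with no checksum, and its SHA256 replacement needs to stay fail-closed. An entry without a sha256 field should be rejected rather than installed unverified or checked against MD5 as a fallback. A short comment at that check stating this would help, since the excerpt ends before the added lines and the behaviour cannot be confirmed from what is shown.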
Cyril Brulebois wrote:
> IIRC MD5sum field was kept (as in: added
> back) because debian-cd needs it at the moment, which partly explains why this
> wasn't fixed earlier.
I think backward-compatibility would have been okay as long as *either*:
* the archive published Release files with old+new
Hi,
Steven Chamberlain (2017-02-27):
> Cyril Brulebois wrote:
> > AFAICT net-retriever does the fetching and checking work?
>
> Mayyybe...
>
> Although with
> http://ftp.de.debian.org/debian/dists/testing/main/installer-i386/20170127/images/netboot/mini.iso
> I observed md5sum and sha256sum on
Hello!
Cyril Brulebois wrote:
> AFAICT net-retriever does the fetching and checking work?
Mayyybe...
Although with
http://ftp.de.debian.org/debian/dists/testing/main/installer-i386/20170127/images/netboot/mini.iso
I observed md5sum and sha256sum only being executed as indicated in the
attached
Steven Chamberlain (2017-02-26):
> To date, anna still only implements MD5 verification of .udeb files,
> despite its formal deprecation as a digital signature algorithm by
> RFC6151 (2011) and recommendations of academic literature years prior.
>
> The files are typically downloaded via insecure
Source: anna
Version: 1.57
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org
User: debian-rele...@lists.debian.org
Usertags: bsp-2017-02-de-Berlin
Control: block -1 by 856210
Hi,
To date, anna still only implements MD5 verification of .udeb files,
despite its formal deprecation as