[elbe-devel] [PATCH 3/4] Change md5 to sha256 for APTPackage

dion at linutronix.de dion at linutronix.de
Mon Jul 29 17:16:26 CEST 2019


From: Olivier Dion <dion at linutronix.de>

According to
<https://wiki.debian.org/DebianRepository/Format#A.22Release.22_files>,
packages should be verified with sha256.

Also, in the python-apt package (see
https://salsa.debian.org/apt-team/python-apt), there's a nullptr
dereference that makes the daemon crash if a sum doesn't exist.  See
883f8ddeaa314a27b8b05bd147d486e30a7315aa.

Since sha256 sums are mandatory for Buster packages, we can assume
that it won't happen.

Signed-off-by: Olivier Dion <dion at linutronix.de>
---
 elbepack/aptpkgutils.py | 15 +++++++--------
 schema/dbsfed.xsd       |  4 ++--
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/elbepack/aptpkgutils.py b/elbepack/aptpkgutils.py
index 9c8b37ce..be9bafb0 100644
--- a/elbepack/aptpkgutils.py
+++ b/elbepack/aptpkgutils.py
@@ -77,7 +77,7 @@ class PackageBase(object):
     # pylint: disable=too-many-instance-attributes
 
     def __init__(self, name, installed_version,
-                 candidate_version, installed_md5, candidate_md5,
+                 candidate_version, installed_sha256, candidate_sha256,
                  state, is_auto_installed, origin, architecture):
 
         # pylint: disable=too-many-arguments
@@ -85,8 +85,8 @@ class PackageBase(object):
         self.name = name
         self.installed_version = installed_version
         self.candidate_version = candidate_version
-        self.installed_md5 = installed_md5
-        self.candidate_md5 = candidate_md5
+        self.installed_sha256 = installed_sha256
+        self.candidate_sha256 = candidate_sha256
         self.state = state
         self.is_auto_installed = is_auto_installed
         self.origin = origin
@@ -107,11 +107,10 @@ class APTPackage(PackageBase):
     def __init__(self, pkg, cache=None):
         if isinstance(pkg, str):
             pkg = cache[pkg]
-
         iver = pkg.installed and pkg.installed.version
         cver = pkg.candidate and pkg.candidate.version
-        imd5 = pkg.installed and pkg.installed.md5
-        cmd5 = pkg.candidate and pkg.candidate.md5
+        isha256 = pkg.installed and pkg.installed.sha256
+        csha256 = pkg.candidate and pkg.candidate.sha256
         self.state = pkgstate(pkg)
         self.is_auto_installed = pkg.is_auto_installed
         origin = pkgorigin(pkg)
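Review bot: The reads of `pkg.installed.sha256` and `pkg.candidate.sha256` depend on every package record carrying a SHA256 sum, and that assumption is written down only in the commit message. The `pkg.installed and …` guard covers a missing version object, not a missing sum, and the message itself says python-apt crashes the daemon in that case. Buster repositories satisfy the assumption, but a locally installed .deb or an older suite may not (inferred; the hunk does not show which suites are supported). I would record it next to the reads, e.g. `# sha256 sums are mandatory for Buster repos; python-apt can crash if a record has no sum`. The `__init__` body continues outside the hunk.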
@@ -128,7 +127,7 @@ class APTPackage(PackageBase):
             self.installed_deb = None
 
         PackageBase.__init__(self, pkg.name, iver,
-                             cver, imd5, cmd5,
+                             cver, isha256, csha256,
                              pkgstate(pkg), pkg.is_auto_installed,
                              origin, arch)
 
@@ -136,6 +135,6 @@ class APTPackage(PackageBase):
 class XMLPackage(PackageBase):
     def __init__(self, node, arch):
         PackageBase.__init__(self, node.et.text, node.et.get('version'),
-                             None, node.et.get('md5'), None,
+                             None, node.et.get('sha256'), None,
                              INSTALLED, node.et.get('auto') == 'true',
                              None, arch)
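Review bot: `node.et.get('sha256')` silently returns `None` for any XML written before this change, since those files carry an `md5` attribute instead, so `installed_sha256` ends up unset with no warning. As the schema hunk in this patch also replaces the `md5` attribute rather than adding `sha256` beside it, such files will presumably stop validating as well (inferred from the hunk; the rest of the schema is not visible). Either keep `md5` as an optional legacy attribute or state the migration in a comment such as `# XML generated before the sha256 switch has only 'md5'; installed_sha256 is None for it`. Any consumer that compares digests should treat `None` as "unverified", not as a match.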
diff --git a/schema/dbsfed.xsd b/schema/dbsfed.xsd
index fbed8e98..7e2eb1da 100644
--- a/schema/dbsfed.xsd
+++ b/schema/dbsfed.xsd
@@ -2248,10 +2248,10 @@
             </documentation>
           </annotation>
         </attribute>
-        <attribute name="md5" type="string" use="optional">
+        <attribute name="sha256" type="string" use="optional">
           <annotation>
             <documentation>
-              md5 sum of the package.
+              sha256 sum of the package.
             </documentation>
           </annotation>
         </attribute>
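Review bot: The new `sha256` attribute is declared as a bare `type="string"`, so the schema accepts any text as a package digest, including an empty or truncated value. Since the value exists to verify packages, I would restrict it to 64 hexadecimal characters so that malformed digests are rejected at validation time. In XSD the `annotation` has to stay ahead of the `simpleType` inside the attribute. The element enclosing this attribute starts outside the hunk.

```xml
<attribute name="sha256" use="optional">
  <!-- … unchanged: annotation / documentation … -->
  <simpleType>
    <restriction base="string">
      <pattern value="[0-9a-fA-F]{64}"/>
    </restriction>
  </simpleType>
</attribute>
```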
-- 
2.11.0



