Discussion:
[Bug 1692489] Re: [Feature Request] pull-debian-source should verify the checksum of the files it downloads
Seth Arnold
2017-05-22 23:10:18 UTC
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of MOTU,
which is subscribed to ubuntu-dev-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1692489

Title:
[Feature Request] pull-debian-source should verify the checksum of the
files it downloads

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-dev-tools/+bug/1692489/+subscriptions
--
universe-bugs mailing list
universe-***@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/universe-bugs
Dan Streetman
2018-03-01 14:26:20 UTC
I think you have this backwards; the current pull-debian-source does
verify its dsc signature while pull-lp-source does *not* verify its dsc
signature (this is done in ubuntutools/archive.py). However, it does
verify the checksum (listed in the dsc file) for all other source files
downloaded (again in ubuntutools/archive.py).

Additionally my pull-*-* rewrite in bug 1453330 changes archive.py to
verify the signature of dsc files for debian and ubuntu (and UCA), as
well as continuing to verify the checksum of source files downloaded.

Are there specific source code lines that you are looking at where you
disagree with my assessment?
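The checksum check discussed in the message above, as an added example that is not part of the thread and is not the code in ubuntutools/archive.py: it parses the Checksums-Sha256 field of a .dsc and checks downloaded bytes against it. It assumes the .dsc signature has already been verified separately, since the listed checksums are only as trustworthy as the .dsc itself; the function names and the sample package are hypothetical.

```python
import hashlib

def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from one multi-line .dsc field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):      # next field ends the list
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            entries[name] = (digest.lower(), int(size))
    return entries

def verify_file(name, data, entries):
    """Check downloaded bytes against the .dsc entry; return (ok, reason)."""
    if name not in entries:                   # never accept unlisted files
        return False, "not listed in dsc"
    digest, size = entries[name]
    if len(data) != size:                     # cheap check before hashing
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed sample data: not a real package or a real .dsc.
ORIG = b"constructed orig tarball bytes\n"
DEBIAN = b"constructed debian tarball bytes\n"
SAMPLE_DSC = (
    "Format: 3.0 (quilt)\n"
    "Source: hello\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(ORIG).hexdigest()} {len(ORIG)} hello_1.0.orig.tar.gz\n"
    f" {hashlib.sha256(DEBIAN).hexdigest()} {len(DEBIAN)} hello_1.0-1.debian.tar.xz\n"
    "Standards-Version: 4.0.0\n"
)

if __name__ == "__main__":
    listed = parse_checksums(SAMPLE_DSC)
    for fname, blob in [("hello_1.0.orig.tar.gz", ORIG),
                        ("hello_1.0-1.debian.tar.xz", DEBIAN[:-1] + b"!")]:
        print(fname, verify_file(fname, blob, listed))
```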