Hi!

On Sun, 2025-11-30 at 18:54:36 +0100, Guillem Jover wrote:
> Control: tag -1 patch

> On Wed, 2022-07-27 at 21:39:30 +0200, Guillem Jover wrote:
> > On Tue, 2022-07-26 at 14:24:41 -0500, Tim McConnell wrote:
> > > When running this command `apt-get dist-upgrade -y -m`
> 
> > The problem here in the end was (confirmed off-BTS) that
> > apt-listdifferences is installed on the system, which downloads the
> > source packages for binary packages being upgraded to debdiff them.
> > But those source packages had been signed with a weak algorithm, which
> > is rejected by dpkg-source (even though that command defaults to
> > warning only).
> > 
> > Because when downloading the source packages from the archive, they
> > have switched their trust anchor from the uploader to the archive,
> > which takes care of key (re)signing, expiration and rotation, checking
> > the signatures in the .dsc can be more confusing than helpful. (This
> > would be a different matter if the .dsc reached the system through
> > some other means such as scp or sneaker net or whatever).
> > 
> > So, ideally apt-listdifferences would call debdiff and request for it
> > to pass --no-check to dpkg-source. But there is currently no such
> > option. I'll file another report, and block this one with that other
> > one.
> 
> The recently uploaded devscripts now includes support for --no-check
> in debdiff. So we can use that to fix this report.

Sorry, and then forgot to attach the actual patch. :/

Thanks,
Guillem
From 57f6345f12f839524aa9fff3e2a112062b0447d2 Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Sun, 30 Nov 2025 18:48:29 +0100
Subject: [PATCH] Call debdiff with --no-check

We have already verified the source via the archive trust anchor, and
verifying them again from their .dsc signatures might fail due to the
certificates that signed them expiring, or getting removed from the
keyrings, key rotation or project member changes.

We require a new enough devscripts version that supports the --no-check
option for debdiff.

Closes: #1016087
---
 apt-listdifferences | 2 +-
 debian/control      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apt-listdifferences b/apt-listdifferences
index 564c80e..0b5ff6d 100755
--- a/apt-listdifferences
+++ b/apt-listdifferences
@@ -122,7 +122,7 @@ for source in sorted(sources, key=sources.get):
     installed_dsc = os.path.join(dstdir, '%s_%s.dsc'%(source, oldversion))
     candidate_dsc = os.path.join(dstdir, '%s_%s.dsc'%(source, newversion))
     if os.path.exists(installed_dsc):
-        command = (debdiff_command, installed_dsc, candidate_dsc)
+        command = (debdiff_command, '--no-check', installed_dsc, candidate_dsc)
         process = subprocess.Popen(command, stdout=subprocess.PIPE)
         debdiff = process.communicate()[0]
         diff += bytes('\n', 'utf-8')
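Review bot: The `'--no-check'` added to the `command` tuple has no comment in the code recording why skipping the .dsc signature check is acceptable, so the reasoning lives only in the commit message. A short comment above the `command = ...` line would help, saying that the source packages were already verified via the archive trust anchor when they were downloaded. Note also that the only test applied to `installed_dsc` in this hunk is `os.path.exists(installed_dsc)`, so the comment should state the assumption that every .dsc found under `dstdir` arrived through that verified download path. Separately, the context lines take `process.communicate()[0]` without looking at the exit status, so a debdiff failure would go unnoticed here; that predates this change but may be worth a follow-up.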
diff --git a/debian/control b/debian/control
index 6605198..e8c4a49 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Built-Using: ${built:Using},
 Depends:
  ${misc:Depends},
  most | less,
- devscripts,
+ devscripts (>= 2.25.28~),
  python3,
  python3-apt,
  python3-debian,
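Review bot: The bound `devscripts (>= 2.25.28~)` is not explained anywhere a later reader would look: the commit message says only "a new enough devscripts version". Consider stating in the commit message or changelog entry that this is the version whose debdiff accepts `--no-check`, so the constraint is not relaxed or dropped by accident. Tightening the Depends in the same commit as the `--no-check` call is the right pairing, since the script now passes that option on every debdiff invocation.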
-- 
2.51.0
