Hi!

First off, with the reproducible and rebootstrap efforts rebuilding
stuff with latest dpkg, it's really fast to catch regressions, that's
very helpful, thanks! And second, also thanks for tracking this down. :)

On Wed, 2016-05-04 at 19:28:40 +0300, Niko Tyni wrote:
> Package: dpkg
> Severity: serious
> Version: 1.18.5
> X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

> There are a number of packages in sid can't currently be unpacked with
> the default dpkg-source options.
> 
>  dpkg-source: error: source package uses only weak checksums

> This happens since dpkg 1.18.5, apparently
> 
> https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=040973c7a1e50b78ef042ef5ffbfff0440c24700
> 
>   Error out on source packages without any strong digests in
>   Dpkg::Source::Package, used by dpkg-source --extract, which can still
>   be disabled with --no-check.
> 
> With about 2.5% of the archive test built on tests.reproducible-builds.org
> with a newer dpkg, we've caught at least

[…]

> which would give a linear estimate of roughly 400 broken packages
> in total.
> 
> A mass bug filing (at RC level) seems to be in order, but maybe dpkg
> should just warn for a while until packages get fixed? I assume the
> Debian buildds don't use --no-check, so binNMUs of affected packages
> are probably broken at the moment?
> 
> Tentatively setting at 'serious' but feel free to adjust/close if this
> is all going as designed.

No, serious is right, this was over-eagerness on my part. The
signature checks are non-fatal, and not being able to verify the sigs
is way worse security-wise than having weak checksums (and that's
common for revoked/expired/retired keys), so this needs to be a warning
indeed. I'm fixing this for 1.18.7.

Thanks,
Guillem
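As an added illustration, not dpkg's own code and not part of this thread: a small Python check that mirrors the dpkg 1.18.5 weak-checksum test on a .dsc stanza (md5 in Files and sha1 count as weak, sha256 as strong) and reports the warning the reply settles on instead of the 1.18.5 error. The stanzas, file names and digests are constructed placeholders.

```python
import re
# dpkg treats md5 (the Files field) and sha1 as weak digests; sha256 is strong.
STRONG_FIELDS = {"Checksums-Sha256"}
DIGEST_FIELD = re.compile(r"^(Files|Checksums-[A-Za-z0-9]+):\s*$")

def parse_digest_fields(dsc_text):
    """Map field -> {filename: (digest, size)} for Files/Checksums-* fields."""
    fields, current = {}, None
    for line in dsc_text.splitlines():          # RFC822-style, folded lines
        if line.startswith((" ", "\t")):        # ' digest size filename'
            parts = line.split()
            if current is not None and len(parts) == 3:
                fields[current][parts[2]] = (parts[0], parts[1])
            continue
        m = DIGEST_FIELD.match(line)
        current = m.group(1) if m else None
        if current is not None:
            fields[current] = {}
    return fields

def digest_strength(dsc_text):
    """'strong' only if a strong digest covers every listed file; a stanza
    with only md5/sha1, a sha256 field missing a file, or no files is 'weak'."""
    all_files, strong = set(), set()
    for name, entries in parse_digest_fields(dsc_text).items():
        all_files.update(entries)
        if name in STRONG_FIELDS:
            strong.update(entries)
    return "strong" if all_files and strong >= all_files else "weak"
def unpack_verdict(dsc_text, fatal_on_weak=False):
    """(level, message) for the check: fatal_on_weak gives the 1.18.5
    error; the default gives the warning the reply proposes for 1.18.7."""
    if digest_strength(dsc_text) == "strong":
        return ("ok", "")
    level = "error" if fatal_on_weak else "warning"
    return (level, "dpkg-source: %s: source package uses only weak checksums" % level)

# Constructed sample stanzas with placeholder digests (not real packages).
WEAK_DSC = """\
Format: 3.0 (quilt)
Files:
 0123456789abcdef0123456789abcdef 1234 example_1.0.orig.tar.gz
 fedcba9876543210fedcba9876543210 567 example_1.0-1.debian.tar.xz
"""
PARTIAL_DSC = WEAK_DSC + """\
Checksums-Sha256:
 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 1234 example_1.0.orig.tar.gz
"""
STRONG_DSC = PARTIAL_DSC + " ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 567 example_1.0-1.debian.tar.xz\n"
```

The partial stanza shows the edge case worth testing: a sha256 field that lists only some of the files still leaves the package on weak digests.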
