This queue is for tickets about the PPM-Make CPAN distribution.

Report information
The Basics
Id: 114769
Status: resolved
Priority: 0/
Queue: PPM-Make

People
Owner: Nobody in particular
Requestors: Ralf.Neubauer [...] wido.bv.aok.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: More flexible checksum check needed to cope with braindead proxies
Date: Fri, 27 May 2016 14:39:25 +0000
To: "bug-PPM-Make [...] rt.cpan.org" <bug-PPM-Make [...] rt.cpan.org>
From: "Neubauer, Ralf" <ralf.neubauer [...] wido.bv.aok.de>
Hi,

as discussed in #113615 ( https://rt.cpan.org/Ticket/Display.html?id=113615 ), sadly there are HTTP proxies that unpack .tar.gz and .tgz files -- of course the filename is preserved, you get foo.tar.gz with the content of foo.tar .

PPM::Make::Util::verifyMD5() only checks the checksum of the compressed file, which fails, if the content is uncompressed:

    if ($should = $cksum->{$file}->{md5}) {
      my $test = ($is eq $should);
      printf qq{ Checksum for "$file" is %s\n},
        ($test) ? 'OK.' : 'NOT OK.';
      return $test;
    }

This patch does the trick:

--- lib\PPM\Make\Util.pm.orig 2014-07-09 13:02:42.657853200 +0200 +++ lib\PPM\Make\Util.pm 2016-05-27 13:12:51.628841700 +0200 @@ -157,6 +157,9 @@ close $fh; if ($should = $cksum->{$file}->{md5}) { my $test = ($is eq $should); + if (!$test && ($should = $cksum->{$file}->{'md5-ungz'})) { + $test = ($is eq $should); + } printf qq{ Checksum for "$file" is %s\n}, ($test) ? 'OK.' : 'NOT OK.'; return $test;

Ralf
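Review bot: The added `if (!$test && ($should = $cksum->{$file}->{'md5-ungz'}))` branch reports the same "OK." whether the compressed or the uncompressed digest matched, so nothing downstream learns that a file named .tar.gz actually holds plain tar data. Print or return which key matched. The fallback also sits inside the `if ($should = $cksum->{$file}->{md5})` branch, so an entry that carries only `md5-ungz` never reaches it; test for the two keys independently, and document the new key next to the function.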
Subject: RE: [rt.cpan.org #114769] AutoReply: More flexible checksum check needed to cope with braindead proxies
Date: Wed, 1 Jun 2016 13:24:59 +0000
To: "bug-PPM-Make [...] rt.cpan.org" <bug-PPM-Make [...] rt.cpan.org>
From: "Neubauer, Ralf" <ralf.neubauer [...] wido.bv.aok.de>
Hi,

the fix in [rt.cpan.org #113615] added *-ungz checksums. Some of the md5-ungz checksums are missing, but the sha256-ungz checksums seem to be complete.

Apparently MD5 checksums fell a bit out of use. For this reason I ported my installation of PPM-Make to support SHA256 -- I completely removed the MD5 support, but they could also coexist, if this is important (just leave sub verifyMD {} in the code and test with verifyMD5($cksum, $to) || verifySHA256($cksum, $to)).

As Digest::SHA is a core module, I hope there will be no dependency problems, but I didn't look very far or at older versions.

Ralf

--- lib\PPM\Make.pm.orig 2012-02-02 14:15:37.000000000 +0100 +++ lib\PPM\Make.pm 2016-05-10 14:02:28.864072100 +0200 @@ -939,11 +954,11 @@ my $cksum; unless ($cksum = load_cs($CS)) { $self->{fetch_error} = qq{Checksums check disabled - cannot load $CS file.}; return; } - unless (verifyMD5($cksum, $to)) { + unless (verifySHA256($cksum, $to)) { $self->{fetch_error} = qq{Checksums check for "$to" failed.}; return; } unlink $CS or warn qq{Cannot unlink "$CS": $!\n}; return $to; --- lib\PPM\Make\Util.pm.orig 2014-07-09 13:02:42.657853200 +0200 +++ lib\PPM\Make\Util.pm 2016-05-08 13:12:51.628841700 +0200 @@ -3,11 +3,11 @@ use warnings; use base qw(Exporter); use File::Basename; use Safe; use XML::Parser; -use Digest::MD5; +use Digest::SHA; use Config; use CPAN::DistnameInfo; use File::Spec; use PPM::Make::Config qw(WIN32 HAS_CPAN HAS_PPM HAS_MB ACTIVEPERL); use HTTP::Tiny; @@ -34,11 +34,11 @@ @url_list, $ERROR); $protocol = qr{^(http|ftp)://}; $ext = qr{\.(tar\.gz|tgz|tar\.Z|zip)}; @url_list = url_list(); -my @exports = qw(load_cs verifyMD5 parse_version $ERROR +my @exports = qw(load_cs verifySHA256 parse_version $ERROR is_core is_ap_core url_list trim parse_ppd parse_abstract ppd2cpan_version cpan2ppd_version tempfile file_to_dist cpan_file fix_path mirror 
@@ -129,39 +129,42 @@ return; } return $cksum; } -=item verifyMD5 +=item verifySHA256 Verify a CHECKSUM for a $file - my $ok = verifyMD5($cksum, $file); + my $ok = verifySHA256($cksum, $file); print "$file checked out OK" if $ok; =cut -sub verifyMD5 { +sub verifySHA256 { my ($cksum, $file) = @_; my ($is, $should); open (my $fh, '<', $file); unless ($fh) { $ERROR = qq{Cannot open "$file": $!}; return; } binmode($fh); - unless ($is = Digest::MD5->new->addfile($fh)->hexdigest) { + unless ($is = Digest::SHA->new(256)->addfile($fh)->hexdigest) { $ERROR = qq{Could not compute checksum for "$file": $!}; close $fh; return; } close $fh; - if ($should = $cksum->{$file}->{md5}) { + if ($should = $cksum->{$file}->{sha256}) { my $test = ($is eq $should); - printf qq{ Checksum for "$file" is %s\n}, + if (!$test && ($should = $cksum->{$file}->{'sha256-ungz'})) { + $test = ($is eq $should); + } + printf qq{ SHA256-Checksum for "$file" is %s\n}, ($test) ? 'OK.' : 'NOT OK.'; return $test; } else { $ERROR = qq{Checksum data for "$file" not present.}; return; } }
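Review bot: In the `@@ -129,39 +129,42 @@` hunk of Util.pm, the `sha256-ungz` comparison is only reached when `$cksum->{$file}->{sha256}` is present, so an entry that carries only `sha256-ungz` falls through to the "Checksum data ... not present" error instead of being checked. Look the two keys up independently. The POD still reads only "Verify a CHECKSUM for a $file"; it should say that a digest of the uncompressed content is also accepted, and the printf should name the key that matched so an unpacked download is visible in the output.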
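Review bot: The `@@ -34,11 +34,11 @@` hunk removes `verifyMD5` from `@exports` while the later hunk renames the sub, which breaks any caller that imports `verifyMD5` from PPM::Make::Util. Keep `verifyMD5` exported next to `verifySHA256` and change only the call in the Make.pm hunk. If both stay available, the call site should state which digest is authoritative when both keys exist, since `verifyMD5($cksum, $to) || verifySHA256($cksum, $to)` passes as soon as either one matches.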
Thanks. Slightly modified and applied in the master (both verifyMD5 and verifySHA256 are kept):
https://github.com/charsbar/ppm-make/commit/ae31fc6ba29517a4e5e29b5ad8661c745ade6f4e

On Wed Jun 01 22:25:15 2016, Ralf.Neubauer@wido.bv.aok.de wrote:
> Hi, > > the fix in [rt.cpan.org #113615] added *-ungz checksums. Some of the > md5-ungz checksums are missing, but the sha256-ungz checksums seem to > be complete. > > Apparently MD5 checksums fell a bit out of use. For this reason I > ported my installation of PPM-Make to support SHA256 -- I completely > removed the MD5 support, but they could also coexist, if this is > important (just leave sub verifyMD {} in the code and test with > verifyMD5($cksum, $to) || verifySHA256($cksum, $to)). > > As Digest::SHA is a core module, I hope there will be no dependency > problems, but I didn't look very far or at older versions. > > Ralf > > > --- lib\PPM\Make.pm.orig 2012-02-02 14:15:37.000000000 +0100 > +++ lib\PPM\Make.pm 2016-05-10 14:02:28.864072100 +0200 > @@ -939,11 +954,11 @@ > my $cksum; > unless ($cksum = load_cs($CS)) { > $self->{fetch_error} = qq{Checksums check disabled - cannot load > $CS file.}; > return; > } > - unless (verifyMD5($cksum, $to)) { > + unless (verifySHA256($cksum, $to)) { > $self->{fetch_error} = qq{Checksums check for "$to" failed.}; > return; > } > unlink $CS or warn qq{Cannot unlink "$CS": $!\n}; > return $to; > --- lib\PPM\Make\Util.pm.orig 2014-07-09 13:02:42.657853200 +0200 > +++ lib\PPM\Make\Util.pm 2016-05-08 13:12:51.628841700 +0200 > @@ -3,11 +3,11 @@ > use warnings; > use base qw(Exporter); > use File::Basename; > use Safe; > use XML::Parser; > -use Digest::MD5; > +use Digest::SHA; > use Config; > use CPAN::DistnameInfo; > use File::Spec; > use PPM::Make::Config qw(WIN32 HAS_CPAN HAS_PPM HAS_MB ACTIVEPERL); > use HTTP::Tiny; 
> @@ -34,11 +34,11 @@ > @url_list, $ERROR); > $protocol = qr{^(http|ftp)://}; > $ext = qr{\.(tar\.gz|tgz|tar\.Z|zip)}; > @url_list = url_list(); > > -my @exports = qw(load_cs verifyMD5 parse_version $ERROR > +my @exports = qw(load_cs verifySHA256 parse_version $ERROR > is_core is_ap_core url_list > trim parse_ppd parse_abstract > ppd2cpan_version cpan2ppd_version tempfile > file_to_dist cpan_file fix_path > mirror > @@ -129,39 +129,42 @@ > return; > } > return $cksum; > } > > -=item verifyMD5 > +=item verifySHA256 > > Verify a CHECKSUM for a $file > > - my $ok = verifyMD5($cksum, $file); > + my $ok = verifySHA256($cksum, $file); > print "$file checked out OK" if $ok; > > =cut > > -sub verifyMD5 { > +sub verifySHA256 { > my ($cksum, $file) = @_; > my ($is, $should); > open (my $fh, '<', $file); > unless ($fh) { > $ERROR = qq{Cannot open "$file": $!}; > return; > } > binmode($fh); > - unless ($is = Digest::MD5->new->addfile($fh)->hexdigest) { > + unless ($is = Digest::SHA->new(256)->addfile($fh)->hexdigest) { > $ERROR = qq{Could not compute checksum for "$file": $!}; > close $fh; > return; > } > close $fh; > - if ($should = $cksum->{$file}->{md5}) { > + if ($should = $cksum->{$file}->{sha256}) { > my $test = ($is eq $should); > - printf qq{ Checksum for "$file" is %s\n}, > + if (!$test && ($should = $cksum->{$file}->{'sha256-ungz'})) { > + $test = ($is eq $should); > + } > + printf qq{ SHA256-Checksum for "$file" is %s\n}, > ($test) ? 'OK.' : 'NOT OK.'; > return $test; > } > else { > $ERROR = qq{Checksum data for "$file" not present.}; > return; > } > } > >
Closed as 0.9903 with this fix was released. Thanks.
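
A content-based variant of the check discussed in this ticket, as an added example (not code from PPM-Make, the patches above, or the applied commit). It goes one step beyond the patches: instead of trying `sha256` and then `sha256-ungz`, it looks at the gzip magic bytes, compares exactly one digest, and reports which key was used. The function name `verify_sha256_by_content` is hypothetical and the sample bytes are constructed stand-ins, not real archives.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# Hypothetical helper, not part of PPM::Make::Util. $cksum has the shape the
# patches index into: $cksum->{$file}{sha256} and $cksum->{$file}{'sha256-ungz'}.
# Returns (ok, key used or failure reason).
sub verify_sha256_by_content {
    my ($cksum, $file) = @_;
    my $entry = $cksum->{$file} or return (0, 'no entry');

    open(my $fh, '<', $file) or return (0, "cannot open: $!");
    binmode($fh);
    my $got = read($fh, my $magic, 2);
    return (0, "cannot read: $!") unless defined $got;
    seek($fh, 0, 0) or return (0, "cannot seek: $!");
    my $is = Digest::SHA->new(256)->addfile($fh)->hexdigest;
    close $fh;

    # gzip streams start with the bytes 1f 8b. Only a file *named* like a
    # gzip tarball but lacking that magic is treated as proxy-unpacked.
    my $named_gz = $file =~ /\.(?:tar\.gz|tgz)\z/;
    my $is_gzip  = $magic eq "\x1f\x8b";
    my $key      = ($named_gz && !$is_gzip) ? 'sha256-ungz' : 'sha256';

    my $should = $entry->{$key} or return (0, "no $key value");
    return (lc($is) eq lc($should) ? 1 : 0, $key);
}

# Constructed sample data: stand-in bytes, labelled by the case they model.
my $dir      = tempdir(CLEANUP => 1);
my $gz_body  = "\x1f\x8b\x08\x00constructed-gzip-stand-in";
my $tar_body = "constructed-tar-stand-in";
my @cases    = (['intact', $gz_body], ['unpacked by proxy', $tar_body], ['tampered', 'other bytes']);
for my $case (@cases) {
    my ($label, $bytes) = @$case;
    my $file = "$dir/foo.tar.gz";
    open(my $out, '>', $file) or die "cannot write $file: $!";
    binmode($out);
    print {$out} $bytes;
    close $out;
    my $cksum = {
        $file => { sha256 => sha256_hex($gz_body), 'sha256-ungz' => sha256_hex($tar_body) },
    };
    my ($ok, $key) = verify_sha256_by_content($cksum, $file);
    printf "%-18s %s (%s)\n", $label, $ok ? 'OK' : 'NOT OK', $key;
}
```

Because the key is chosen from the file's own bytes, a download that matches `sha256-ungz` is reported as such, and the caller can unpack it as plain tar rather than as gzip.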