From 24fc775e6a64dbb80c8d9ef823737973284d7ec5 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <david@kalnischkies.de>
Date: Wed, 28 Oct 2015 20:36:20 +0100
Subject: [PATCH] include hashsum for compressed patch file in .diff/Index

APT prefers to download files it has hashes for to check it actually got
the file it wanted instead of some man-in-the-middled file (by an attacker
or simply by a webportal returning a login mask for every request).
Giving it the hash of the compressed file saves APT from needing to
uncompress the patch before being able to verify its integrity.

Signed-off-by: David Kalnischkies <david@kalnischkies.de>
Signed-off-by: Joerg Jaspert <joerg@debian.org>
---
 dak/generate_index_diffs.py | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/dak/generate_index_diffs.py b/dak/generate_index_diffs.py
index 6fe9436a..84513713 100755
--- a/dak/generate_index_diffs.py
+++ b/dak/generate_index_diffs.py
@@ -127,10 +127,13 @@ class Updates:
                         x = f.readline()
                         if not x or x[0] != " ": break
                         l = x.split()
-                        if not self.history.has_key(l[2]):
-                            self.history[l[2]] = [None,None]
-                            self.history_order.append(l[2])
-                        self.history[l[2]][ind] = (l[0], int(l[1]))
+                        fname = l[2]
+                        if fname.endswith('.gz'):
+                            fname = fname[:-3]
+                        if not self.history.has_key(fname):
+                            self.history[fname] = [None,None,None]
+                            self.history_order.append(fname)
+                        self.history[fname][ind] = (l[0], int(l[1]))
                     return x
 
                 while x:
@@ -148,6 +151,10 @@ class Updates:
                         x = read_hashs(1,f,self)
                         continue
 
+                    if l[0] == "SHA1-Download:":
+                        x = read_hashs(2,f,self)
+                        continue
+
                     if l[0] == "Canonical-Name:" or l[0]=="Canonical-Path:":
                         self.can_path = l[1]
 
@@ -183,6 +190,10 @@ class Updates:
         out.write("SHA1-Patches:\n")
         for h in l:
             out.write(" %s %7d %s\n" % (hs[h][1][0], hs[h][1][1], h))
+        out.write("SHA1-Download:\n")
+        for h in l:
+            if hs[h][2]:
+                out.write(" %s %7d %s.gz\n" % (hs[h][2][0], hs[h][2][1], h))
 
 def create_temp_file(r):
     f = tempfile.TemporaryFile()
@@ -270,7 +281,11 @@ def genchanges(Options, outdir, oldfile, origfile, maxdiffs = 56):
         difsizesha1 = sizesha1(difff)
         difff.close()
 
-        upd.history[patchname] = (oldsizesha1, difsizesha1)
+        difffgz = open(difffile + ".gz", "r")
+        difgzsizesha1 = sizesha1(difffgz)
+        difffgz.close()
+
+        upd.history[patchname] = (oldsizesha1, difsizesha1, difgzsizesha1)
         upd.history_order.append(patchname)
 
         upd.filesizesha1 = newsizesha1
-- 
2.39.2