[Bug 1098752] Re: apt-get download checks sha256 hashes when sha512 hashes are available
David Kalnischkies
1098752 at bugs.launchpad.net
Sat Jan 12 12:43:35 UTC 2013
Thanks for the report! Thankfully not that big of an issue as SHA512
isn't widely adopted in the APT-world and SHA256 is "good enough" for now.
apt-pkg/acquire-item.cc has the same issue in pkgAcqArchive::QueueNext()
and therefore affecting all downloads except the ones where a hash is
forced. Theory says that this code should be in one central place rather
than copied (as you can't force a hash for download this way) …
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1098752
Title:
apt-get download checks sha256 hashes when sha512 hashes are available
Status in “apt” package in Ubuntu:
New
Bug description:
While auditing some apt code, I noticed that apt-get download uses
SHA-256 hashes even when SHA-512 hashes are available. From
DoDownload() in cmdline/apt-get.cc:
    // get the most appropriate hash
    HashString hash;
    if (rec.SHA512Hash() != "")
       hash = HashString("sha512", rec.SHA512Hash());
    if (rec.SHA256Hash() != "")
       hash = HashString("sha256", rec.SHA256Hash());
    else if (rec.SHA1Hash() != "")
       hash = HashString("sha1", rec.SHA1Hash());
    else if (rec.MD5Hash() != "")
       hash = HashString("md5", rec.MD5Hash());
    // get the file
    new pkgAcqFile(&Fetcher, uri, hash.toStr(), (*Ver)->Size, descr, Pkg.Name(), ".");
The conditional for rec.SHA256Hash() should use an else if statement.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098752/+subscriptions
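
Added example, not apt's code and not part of the original messages: the quoted if-chain next to a single strongest-first selector of the kind the reply suggests keeping in one central place. `RecordHashes`, both function names, the `type:value` string form and all hash values are hypothetical stand-ins constructed for illustration.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the hash fields of a package record
// (not apt's own record parser type).
struct RecordHashes {
    std::string sha512, sha256, sha1, md5;
};

// Same control flow as the snippet in the bug description: the second `if`
// starts a new chain, so its branches overwrite a SHA-512 chosen just before.
// With SHA-256 absent, the `else if` arms can even replace SHA-512 by SHA-1.
std::string pickHashAsReported(const RecordHashes &rec) {
    std::string hash;
    if (!rec.sha512.empty())
        hash = "sha512:" + rec.sha512;
    if (!rec.sha256.empty())
        hash = "sha256:" + rec.sha256;
    else if (!rec.sha1.empty())
        hash = "sha1:" + rec.sha1;
    else if (!rec.md5.empty())
        hash = "md5:" + rec.md5;
    return hash;
}

// One central selector: walk a strongest-first preference list and return
// the first hash that is present, so every caller shares the same ordering.
std::string pickStrongestHash(const RecordHashes &rec) {
    const std::vector<std::pair<const char *, const std::string *>> preference = {
        {"sha512", &rec.sha512}, {"sha256", &rec.sha256},
        {"sha1", &rec.sha1},     {"md5", &rec.md5}};
    for (const auto &entry : preference)
        if (!entry.second->empty())
            return std::string(entry.first) + ":" + *entry.second;
    return "";  // no hash at all; the caller decides whether to refuse
}

int main() {
    // Constructed sample values, not real digests.
    const RecordHashes all{"aa", "bb", "cc", "dd"};
    const RecordHashes no256{"aa", "", "cc", "dd"};
    std::cout << pickHashAsReported(all) << " vs " << pickStrongestHash(all) << "\n";
    std::cout << pickHashAsReported(no256) << " vs " << pickStrongestHash(no256) << "\n";
    return 0;
}
```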