
Bug#807669: dh-strip-nondeterminism: Breaks some jar file


Sophie Brun

Dec 11, 2015, 9:30:05 AM
Package: dh-strip-nondeterminism
Version: 0.014-1
Severity: normal

When building the package dirbuster (for kali), dh_strip_nondeterminism breaks the jar file.

The package is built but when I tried to launch the program, it failed with this error:
Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:287)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:240)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:274)
    at java.util.jar.JarVerifier.update(JarVerifier.java:228)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:348)
    at java.util.jar.JarFile.getInputStream(JarFile.java:415)
    at sun.misc.URLClassPath$JarLoader$2.getInputStream(URLClassPath.java:775)
    at sun.misc.Resource.cachedInputStream(Resource.java:77)
    at sun.misc.Resource.getByteBuffer(Resource.java:160)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:436)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at com.sittinglittleduck.DirBuster.Start.main(Start.java:51)


Disabling dh_strip_nondeterminism in debian/rules (via override_dh_...)
fixed it.

The source of package dirbuster can be found:
git://git.kali.org/packages/dirbuster.git

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dh-strip-nondeterminism depends on:
ii debhelper 9.20151126
ii libfile-stripnondeterminism-perl 0.014-1
ii libtimedate-perl 2.3000-2
ii perl 5.20.2-6

dh-strip-nondeterminism recommends no packages.

dh-strip-nondeterminism suggests no packages.

-- no debconf information

Andrew Ayer

Dec 13, 2015, 6:40:03 PM
Hi Sophie,

I took a look at dirbuster, and it looks like it doesn't actually build
anything; instead it just installs a signed .jar that is shipped with
the source, and strip-nondeterminism's modifications break the
signature.

Therefore, my recommendation is that you continue to disable
strip-nondeterminism in debian/rules. Since dirbuster doesn't actually
build anything, there's no nondeterminism to be stripped :-)

Let me know if I've misread this and there is actually some building
being done here.

Cheers,
Andrew

Raphael Hertzog

Dec 14, 2015, 3:10:03 AM
Control: retitle -1 dh-strip-nondeterminism: breaks signed jar files

Hello Andrew,

On Sun, 13 Dec 2015, Andrew Ayer wrote:
> Let me know if I've misread this and there is actually some building
> being done here.

Your analysis is correct but dh_strip_nondeterminism should detect the
signature and avoid messing up with the file in that case.

That's what this bug is about.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
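
The check requested in the message above, as an added example. It is not the patch attached later in this thread and not strip-nondeterminism's own code. It detects signature files under META-INF/ and shows why a rewritten manifest produces the "Invalid signature file digest for Manifest main attributes" error from the report. Assumptions: the sample archives, `DEMO.SF` and all function names are constructed for illustration, only the SHA-256 main-attributes digest is compared, and the signature block itself is not verified.

```python
import base64, hashlib, io, re, zipfile

# Signature artefacts sit directly under META-INF/ (per the JAR file specification).
SIG_RE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
MAIN_DIGEST = "SHA-256-Digest-Manifest-Main-Attributes"

def is_signed_jar(data):
    """True if the archive carries any signature-related file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(SIG_RE.match(name) for name in zf.namelist())

def main_section(manifest):
    """Main attributes: every byte up to and including the first blank line."""
    m = re.search(rb"\r?\n\r?\n", manifest)
    return manifest[:m.end()] if m else manifest

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def main_digest_ok(data):
    """False if any .SF main-attributes digest disagrees with the shipped manifest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        actual = b64_sha256(main_section(zf.read("META-INF/MANIFEST.MF")))
        for name in zf.namelist():
            if not name.upper().endswith(".SF"):
                continue
            # Unfold 72-byte continuation lines before splitting into headers.
            text = re.sub(r"\r?\n ", "", zf.read(name).decode())
            for line in text.splitlines():
                key, _, value = line.partition(": ")
                if key == MAIN_DIGEST and value != actual:
                    return False
    return True

def build_jar(manifest, sf=None):
    """Constructed sample archive; DEMO.SF is not backed by a real key or .RSA block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if sf is not None:
            zf.writestr("META-INF/DEMO.SF", sf)
        zf.writestr("demo/Start.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: demo.Start\r\n\r\n"
SF = f"Signature-Version: 1.0\r\n{MAIN_DIGEST}: {b64_sha256(main_section(MANIFEST))}\r\n\r\n".encode()
SIGNED = build_jar(MANIFEST, SF)
# Hypothetical rewrite: same attributes, CRLF turned into LF. The bytes differ, so the digest does.
REWRITTEN = build_jar(MANIFEST.replace(b"\r\n", b"\n"), SF)
UNSIGNED = build_jar(MANIFEST)
```

A build step that rewrites archives can call `is_signed_jar` first and leave the file untouched when it returns true; `main_digest_ok` is a cheap post-build check that a shipped signed JAR was not altered.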

Raphael Hertzog

Jan 25, 2016, 2:50:05 PM
Control: severity -1 important

On Mon, 14 Dec 2015, Raphael Hertzog wrote:
> Your analysis is correct but dh_strip_nondeterminism should detect the
> signature and avoid messing up with the file in that case.
>
> That's what this bug is about.

And we got another case where dh_strip_nondeterminism actually broke a
working package... https://bugs.kali.org/view.php?id=3019

Is there anything we can do to ensure that this bug gets a timely fix?

Jérémy Bobbio

Jan 26, 2016, 9:10:03 AM
Control: tag -1 + patch

Raphael Hertzog:
> On Mon, 14 Dec 2015, Raphael Hertzog wrote:
> > Your analysis is correct but dh_strip_nondeterminism should detect the
> > signature and avoid messing up with the file in that case.
> >
> > That's what this bug is about.
>
> And we got another case where dh_strip_nondeterminism actually broke a
> working package... https://bugs.kali.org/view.php?id=3019
>
> Is there anything we can do to ensure that this bug gets a timely fix?

Attached is a patch which I think could work. I'm not confident enough
in my Perl skills to commit directly though.

--
Lunar .''`.
lu...@debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
0001-Don-t-process-signed-Jar-file.patch
signature.asc

Sophie Hertzog

Jan 27, 2016, 4:10:03 AM
On Tue, 26 Jan 2016 15:07:33 +0100 Jeremy Bobbio <lu...@debian.org> wrote:
> Attached is a patch which I think could work. I'm not confident enough
> in my Perl skills to commit directly though.
I tested your patch and I confirm that it works fine for us.

thanks!

Mattia Rizzolo

Jan 27, 2016, 6:20:02 AM
On Tue, Jan 26, 2016 at 03:07:33PM +0100, Jérémy Bobbio wrote:
> Control: tag -1 + patch
>
> Raphael Hertzog:
> > On Mon, 14 Dec 2015, Raphael Hertzog wrote:
> > > Your analysis is correct but dh_strip_nondeterminism should detect the
> > > signature and avoid messing up with the file in that case.
> > >
> > > That's what this bug is about.
> >
> > And we got another case where dh_strip_nondeterminism actually broke a
> > working package... https://bugs.kali.org/view.php?id=3019
> >
> > Is there anything we can do to ensure that this bug gets a timely fix?
>
> Attached is a patch which I think could work. I'm not confident enough
> in my Perl skills to commit directly though.


Andrew, can you please look at this?


TBH, this kind of bug would fit my definition of severity:serious, it's
not nice to break other packages :)

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: http://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
signature.asc