[Rpm-maint] [rpm-software-management/rpm] Require creation time to be unique and hashed (PR #1912)
Michael Schroeder
notifications at github.com
Wed Feb 16 08:35:50 UTC 2022
@mlschroe commented on this pull request.
> @@ -473,16 +473,15 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
for (i = 1; i < plen; i++)
pgpPrtVal(" ", pgpKeyServerPrefsTbl, p[i]);
break;
- case PGPSUBTYPE_SIG_CREATE_TIME:
+ case PGPSUBTYPE_SIG_CREATE_TIME: /* signature creation time */
+ if (plen-1 != sizeof(_digp->time))
+ break; /* other lengths not understood */
+ if (_digp->saved & PGPDIG_SAVED_TIME)
+ return 1; /* duplicate timestamps not allowed */
Oh, but that means that the pubkey parser will no longer return the creation time of the first signature, but instead that of the last signature. I.e. the release element of the created pubkey database entries will be different. This is a very visible change for no good reason.
I think you should not try to repurpose the PGPDIG_SAVED_TIME flag for your uniqueness test but instead use a new flag which will be cleared after each signature.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1912#discussion_r807669601
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/1912/review/884132846 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220216/4e23b376/attachment.html>
More information about the Rpm-maint
mailing list