Hi,

since Steve McIntyre seems to be busy, i try to answer the general questions about jigdo.

The files .jigdo and .template get created by xorriso along with the creation of the .iso image file. The MD5s in .jigdo and .template are used for bringing together the file items in both formats. .template has a byte interval gap and an MD5, .jigdo has an MD5 and a package path, beginning at "pool/". Like (after gunzip *.jigdo):

  FexKzYyIVG2rRb1UjUKj8Q=Debian:pool/contrib/b/biomaj-watcher/biomaj-watcher_1.2.2-4_all.deb

Insofar the MD5 (here as base64 string "FexKzYyIVG2rRb1UjUKj8Q") is only an opaque identifier.

But at other occasions it is indeed used as error detector. See bug #772110 where jigdo-file reports a damaged download of a .deb, but is just not able to correct the problem on its own. Neither secure nor perfect. But better than no hint at all, i'd say.

In general, a change of the opaque identifier would demand changes in libjte, which produces .jigdo and .template under control of xorriso, and in jigdo-file, which would then have to learn to re-compute the identifier of a package for its imperfect check for glitches in mirror server or transport.

Changes in libjte would probably be my realm. I am ready to follow tangible instructions. Best relying on a checksum that it can already compute: (MD5), (SHA1), SHA256, SHA512.

But given Steve McIntyre's silence on the discussion of bug #887831, which is actually about beefing up jigdo-lite's initial and final tests for success to the strength of SHA512SUMS.sign and SHA512SUMS, i am pessimistic that a change from MD5 to some part of the SHA256 will happen soon in jigdo-lite/file. (He would also have to package the new libjte version.)

Further it would create the need for a legacy version of jigdo-lite/file for MD5-based jigdos which are available in the archive:

  http://cdimage.debian.org/mirror/cdimage/archive/

(Between 6 and 9 there are no iso-dvd sub directories. Since 9.2. they are back.)

-------------------------------------------------------------------

Ansgar wrote:
> From looking, I believe it is debian-cd's tools/grab_md5

Looking at

  https://sources.debian.org/src/debian-cd/3.1.26/tools/grab_md5/

i think that line 105 could get changed from

  MD5=`echo $ENTRY | /bin/sed 's/:.*$//g'`

to something which uses /usr/bin/md5sum on the package file, rather than inquiring the package information.

I believe to see in line 107

  printf '%s %12.12s %s\n' $MD5 $SIZE $PATH

the production of a line for the input file of xorrisofs option -md5-list, as described in man xorrisofs:

  "Each designated file is represented in the .md5 file by a single text line: MD5 as 32 hex digits, 2 blanks, size as 12 decimal digits or blanks, 2 blanks, symbolic file address "

So $MD5 should be filled with the first word of the output of md5sum. (Now who can guess where to find the path to the package file .deb ?)

Have a nice day :)

Thomas
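
Added example, not part of the original message and not code from jigdo, libjte or debian-cd: a Python sketch of the two formats discussed above. It computes the MD5 from the package file itself, formats a -md5-list line as quoted from man xorrisofs, and re-checks a downloaded file against a .jigdo entry. All function names are hypothetical, and it assumes the .jigdo identifier is unpadded base64 with '-' and '_' in place of '+' and '/'.

```python
import base64
import hashlib

def parse_jigdo_part(line):
    """Split 'BASE64MD5=Label:path' into (16 MD5 bytes, label, path)."""
    ident, _, location = line.strip().partition("=")
    label, _, path = location.partition(":")
    # Assumption: unpadded URL-safe base64; restore padding before decoding.
    raw = base64.urlsafe_b64decode(ident + "=" * (-len(ident) % 4))
    if len(raw) != 16:
        raise ValueError("identifier is not a 128-bit MD5")
    return raw, label, path

def file_md5(path):
    """Return (MD5 digest, size in bytes) computed from the file content."""
    h, size = hashlib.md5(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return h.digest(), size

def md5_list_line(digest, size, address):
    """32 hex digits, 2 blanks, size in 12 columns, 2 blanks, address."""
    return "%s  %12d  %s" % (digest.hex(), size, address)

def jigdo_ident(digest):
    """Encode a digest the way the identifier appears in .jigdo."""
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def check_download(jigdo_line, local_file):
    """Error-detector use: does the file still match its .jigdo entry?"""
    expected, _, _ = parse_jigdo_part(jigdo_line)
    actual, _ = file_md5(local_file)
    return actual == expected

if __name__ == "__main__":
    # The .jigdo line quoted in the message above.
    line = ("FexKzYyIVG2rRb1UjUKj8Q=Debian:pool/contrib/b/biomaj-watcher/"
            "biomaj-watcher_1.2.2-4_all.deb")
    raw, label, path = parse_jigdo_part(line)
    print(raw.hex(), label, path)
```

A mismatch from check_download only signals a transport or mirror glitch; as the message says, an MD5 comparison is not a security check.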