Anthony Towns <a...@erisian.com.au> writes:

> (I'm not subscribed to this list, so go ahead and Cc me)
>
> On Thu, Mar 4, 2010 at 02:05, Peter Samuelson <pe...@p12n.org> wrote:
>> [Wouter Verhelst]
>> > I must say I was somewhat surprised by these numbers. Out of 2483
>> > packages installed on my laptop, 2340 install md5sums.
>> The surprising part, perhaps, is that dpkg itself didn't just generate
>> the other 143 md5sums files at installation time.
>
> The easy (and usually correct) reason for things like that is "dpkg's
> source is scary".
>
>> I suggested this a long time ago and of course was met with "so where's
>> your patch?" Of course I was not willing to do the work.
>
> See? Anyway, my patch is attached. It makes dpkg create a "foo.hashes"
> when unpacking foo, whose contents look like:
>
> MD5:32b5e22f8e336b2f34e0dd87652e6dfc  usr/share/doc/mawk/changelog.gz
> MD5:87a34f1f55ac3f7fec2c7fc82565e8eb  usr/share/doc/mawk/changelog.Debian.gz
> ...
>
> Verification is a matter of something like:
>
> $ cat /var/lib/dpkg/info/*.hashes | sed -n 's/^MD5://p' | (cd /; md5sum -c) | grep -v ': OK$'
>
> There's an option (--hash) that you can set to "none" to avoid
> spending time calculating md5s if you so choose. Adding support for
> sha1/sha256/whatever should be straightforward; afaik dpkg only has
> code for md5 already built in though (though just invoking
> /usr/bin/sha1sum etc would be an option of course).
>
> Of course another option is just to pull the md5sums directly from the deb:
>
> $ ar p /var/cache/apt/archives/ifupdown_0.6.9_i386.deb data.tar.gz |
>   tar --to-command='printf "%s%s\n" "$(md5sum - | sed s/-$//)" "${TAR_FILENAME#./}"' -xzf - |
>   diff - /var/lib/dpkg/info/ifupdown.md5sums
> 1,3d0
> < 346208729633adf45e2fa3f2bd3b19c6  etc/init.d/ifupdown
> < c6fffaae03271f1641920105ce68796b  etc/init.d/ifupdown-clean
> < fab851ca87c5deb9d6f665e610184648  etc/default/ifupdown
> 4a2
> > a0f11cf1809a468c49b72e0aa0a8e26b  sbin/ifup
>
> (md5sums doesn't normally list conffiles, but does list hardlinks; the
> above command does the opposite)
>
>> But
>> fundamentally, shipping a md5sums file is really just a tradeoff in
>> download size vs. installation speed, not unlike gzip vs. bzip2.
>
> Advantages of doing it when unpacking:
>  - choice of checksum is the admin's decision
>  - we can quickly roll out support for sha1/sha256/crc/... checksums
>    by just changing one package
>  - admin has hashes of exactly what was unpacked, no matter the source
>  - no concerns about bugs in dh_md5sums or similar resulting in bad checksums
>
> Advantages of doing it when uploading:
>  - provides some sort of double check of what's being uploaded
>  - saves CPU time on users' machines

- avoids having bad checksums due to the user having bad hardware
  (which is one big use case of the files)

> For me, I'd rather have dpkg generate the hashes.
>
> Cheers,
> aj
>
> --
> Anthony Towns <a...@erisian.com.au>

Regards,
Goswin
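
The verification one-liner quoted above only selects `MD5:` records and always checks against `/`. The following is an added example, not part of the thread or of dpkg: a shell function that reads the `ALGO:digest  path` layout, dispatches on the prefix, and checks files under a chosen root. The function name and the `SHA1`/`SHA256` prefixes are assumptions; the thread only shows `MD5:`.

```shell
#!/bin/sh
# verify_hashes ROOT HASHFILE   (hypothetical helper, not part of dpkg)
# HASHFILE holds records "ALGO:HEXDIGEST  relative/path", the foo.hashes
# layout shown in the thread. Files are checked under ROOT, so an unpacked
# tree or a mounted disk image can be verified as well as "/".
# Prints one line per problem; returns 0 only when every record verified.
# Assumption: the SHA1 and SHA256 prefixes; the thread only shows MD5.
verify_hashes() {
    root=$1 list=$2 rc=0
    while IFS= read -r rec || [ -n "$rec" ]; do
        [ -n "$rec" ] || continue
        algo=${rec%%:*}       # text before the first colon
        rest=${rec#*:}
        want=${rest%% *}      # digest ends at the first space
        path=${rest#* }
        path=${path#[ *]}     # md5sum's second separator: space or '*'
        case $algo in
            MD5)    tool=md5sum ;;
            SHA1)   tool=sha1sum ;;
            SHA256) tool=sha256sum ;;
            *)      echo "UNSUPPORTED $algo: $path"; rc=1; continue ;;
        esac
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        got=$("$tool" < "$root/$path")
        got=${got%% *}        # keep the digest, drop the "  -" suffix
        [ "$got" = "$want" ] || { echo "FAILED $path"; rc=1; }
    done < "$list"
    return "$rc"
}
```

Called as `verify_hashes / /var/lib/dpkg/info/foo.hashes`, it prints nothing and returns 0 when everything matches. A hash list stored on the same disk catches corruption such as the bad-hardware case mentioned above; detecting deliberate modification needs a copy of the list kept somewhere the modifier cannot rewrite.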