On Mon, 8 Sep 2003, Matt Zimmerman wrote:
> > Any sort of query during install isn't going to work so well without much
> > bigger changes. Mostly this has to do with the way multiple instances of
> > the same package are handled, the various origins are not uniquified and
> > it cannot retain the md5sum information to figure out what makes sense.
> Hmm, wait, I may have misunderstood here. Does this mean that two
> packages will be considered equivalent even if their md5sums are different?
> If so, that is a serious problem for any implementation, prompting or no, is
> it not?
That is correct. It is not a serious problem in practice because packages
with the same version number are generally going to be the same.
However, when dealing with security issues you can't just gloss over a
problem like that; that's why I said I don't know how you'd fix it. I
don't think you can fix it without changing dpkg to retain the md5sum in
the status file, and even if you do that, ideas like debsums break it.
This is also why you sign off on the security at update time, because even
a single insecure or rough site can have very interesting effects on the
metadata within the cache. The retry algorithms are just one interesting
effect that's possible.
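As an added illustration (not code from this thread or from apt/dpkg), the following models the failure mode described above: a cache that keys package records on (name, version) alone silently collapses two origins that advertise the same version with different md5sums, whereas a cache that keeps the per-origin checksum can flag the disagreement and verify a downloaded payload before it is trusted. The mirrors, package names and payload bytes are constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageEntry:
    """One Packages-index record for a package as advertised by one origin."""
    name: str
    version: str
    origin: str
    md5sum: str  # hex digest the origin's index claims for the .deb


def md5_hex(payload: bytes) -> str:
    return hashlib.md5(payload).hexdigest()


# Constructed sample: two mirrors both advertise "foo 1.0-1" and "bar 2.3".
# mirror-b's foo .deb differs byte-for-byte from mirror-a's; bar is identical on both.
PAYLOADS = {
    ("mirror-a", "foo", "1.0-1"): b"foo 1.0-1 genuine build",
    ("mirror-b", "foo", "1.0-1"): b"foo 1.0-1 altered build",
    ("mirror-a", "bar", "2.3"): b"bar 2.3 build",
    ("mirror-b", "bar", "2.3"): b"bar 2.3 build",
}


def advertised_entries():
    """Build the index records each origin would publish for its payloads."""
    return [PackageEntry(name, version, origin, md5_hex(data))
            for (origin, name, version), data in PAYLOADS.items()]


def index_by_version(entries):
    """Lossy cache keyed on (name, version) only: origins are not uniquified,
    so a later record silently overwrites an earlier one with a different md5sum."""
    cache = {}
    for entry in entries:
        cache[(entry.name, entry.version)] = entry
    return cache


def find_checksum_conflicts(entries):
    """Keep the md5sum per origin and report every (name, version) that is
    advertised with more than one distinct checksum."""
    by_key = defaultdict(dict)
    for entry in entries:
        by_key[(entry.name, entry.version)][entry.origin] = entry.md5sum
    return {key: origins for key, origins in by_key.items()
            if len(set(origins.values())) > 1}


def verify_payload(entry, payload):
    """Accept a downloaded payload only if it matches the checksum that
    the selected origin advertised for it."""
    return md5_hex(payload) == entry.md5sum


if __name__ == "__main__":
    entries = advertised_entries()
    lossy = index_by_version(entries)
    print("lossy cache picks", lossy[("foo", "1.0-1")].origin, "for foo 1.0-1")
    for key, origins in find_checksum_conflicts(entries).items():
        print("conflict:", key, origins)
```

The lossy index ends up with whichever origin was recorded last for foo 1.0-1 and gives no indication that the other mirror disagreed; the checksum-aware pass reports the conflict so the choice can be made before installation rather than discovered afterwards.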