
Bug#542834: cdrom-checker: MD5 check of the CD appears to abort on detecting the first MD5 mismatch.



> -----Original Message-----
> Sent: Tuesday, March 11, 2014 3:48 PM
> To: Fuchs, Ken; 542834@bugs.debian.org
> Subject: Re: Bug#542834: cdrom-checker: MD5 check of the CD appears to abort on detecting the first MD5 mismatch.

Ken.Fuchs@bench.com <Ken.Fuchs@bench.com> (2009-08-21):
> Package: cdrom-checker
> Version: 1.15 (lenny)
> 
> Boot method: CD-ROM using Lenny CD1
> Image version:
> http://laotzu.acc.umu.se/debian-cd/5.0.2a/i386/iso-cd/debian-502a-i386-CD-1.iso
> Date: 2009-08-21 15:30 UTC
> 
> Machine: Gateway E-4200
> Processor: Pentium II 350MHz
> Memory: 128MB
> 
> Comments/Problems:
> 
> MD5 check of the CD appears to abort on detecting the first MD5
> mismatch.
> 
> When the progress meter was at about 78% complete, cdrom-checker
> displayed an MD5 error for grub-pc, and I pressed <Enter> key for the
> <Continue> prompt.  cdrom-checker immediately asked "Check the integrity
> of another CD-ROM?" without any mention of the rest of the packages on
> the current CD-ROM that have presumably not been checked yet.
> 
> cdrom-checker should verify the MD5 checksum of all packages on the CD,
> provide the number of packages with MD5 errors, if any, and at the
> user's option list all packages with MD5 checksum errors.
> 
> cdrom-checker could also make at least a terse suggestion about what the
> user should do about the MD5 checksum errors it detected.
> 
> Serious failure of cdrom-checker: The user may assume that the one MD5
> checksum error that cdrom-checker reported is the only one on the CD.
> The user may rightly or wrongly assume he won't need the package with
> the MD5 error and that it is the only package with an MD5 error and
> proceed with the installation.

From: Cyril Brulebois [mailto:kibi@debian.org]
> Hi,

> I'm not sure I agree. As far as I can tell, if there's a single error
> the CD image shouldn't be trusted, period. I'm not sure how it would
> help to know how badly broken the CD is…

> Mraw,
> KiBi.

As I understand it, the MD5 of each package is being checked.  If the checksum fails for a package one does not need, just avoid using that package or update it from the Internet rather than the CD later.

The point is cdrom-checker does not tell the user it gave up on checking packages on the CD.  It immediately asks whether there are additional CDs to check.  So cdrom-checker should either check the entire CD and provide a list of MD5 errors and the packages affected _or_ report to the user that the CD appears to be bad and should not be used.  Cdrom-checker quietly requesting to check another CD does not sufficiently provide enough feedback on the MD5 checksum error (the user may legitimately assume the error found is the only one on the CD and use it as is).

Have a good day.

Sincerely,

Ken Fuchs
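
Added example, not part of the original message and not cdrom-checker's own code: a sketch of the behaviour requested in this thread, where every entry of an md5sum-style manifest is verified, all failures are collected, and a verdict is given at the end. The manifest format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os

def parse_manifest(text):
    """Yield (expected_md5, path) from md5sum-style lines ('<hex>  <path>')."""
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition(" ")
            yield digest.lower(), path.lstrip(" *")

def check_tree(root, manifest_text):
    """Verify every manifest entry; a failure is recorded, never a reason to stop."""
    results = {"checked": 0, "mismatch": [], "unreadable": []}
    for expected, rel in parse_manifest(manifest_text):
        results["checked"] += 1
        md5 = hashlib.md5()
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    md5.update(chunk)
        except OSError:
            # A read error on the medium counts as a failure too.
            results["unreadable"].append(rel)
            continue
        if md5.hexdigest() != expected:
            results["mismatch"].append(rel)
    return results

def summary(results):
    """One-line verdict: total checked, total failed, and what to do."""
    bad = len(results["mismatch"]) + len(results["unreadable"])
    if bad == 0:
        return f"{results['checked']} files checked, all OK"
    return (f"{results['checked']} files checked, {bad} FAILED: "
            "medium should not be trusted, re-download or re-burn it")

def build_sample(root):
    """Constructed sample: three files (two with wrong digests) plus one missing."""
    lines = []
    for name, data, corrupt in [("a.deb", b"alpha", False),
                                ("grub-pc.deb", b"beta", True),
                                ("c.deb", b"gamma", True)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        digest = hashlib.md5(b"x" + data if corrupt else data).hexdigest()
        lines.append(f"{digest}  ./{name}")
    lines.append(f"{hashlib.md5(b'gone').hexdigest()}  ./missing.deb")
    return "\n".join(lines)
```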

