Re: bad SHA1SUMS and MD5SUMS files

[carlos@fisica.ufpr.br (Carlos Carvalho)]

Steve McIntyre (steve@einval.com) wrote on 29 December 2008 00:02:
 >On Sun, Dec 28, 2008 at 10:30:16PM +0000, Steve McIntyre wrote:
 >>On Mon, Dec 29, 2008 at 12:57:02AM +0700, BuraphaLinux Server wrote:
 >>>for i386 CD images the SHA1SUMS and MD5SUMS files are bad.
 >>>
 >>>For instance, in the MD5SUMS you have duplicate file names with
 >>>different hash values, which of course means that one of the hash
 >>>values is wrong.
 >>>
 >>>Both files reference ISO images that are not in the directory (r5 files).
 >>>
 >>>I used jigdo to build my ISO images, but I cannot verify them all
 >>>because of these bad checksum files.
 >>>
 >>>I fetched from mirrors.kernel.org, but check other mirrors and they
 >>>have the same bad hash files.
 >>>
 >>>Please CC: me since I'm not on the mailing list.
 >>
 >>Hi,
 >>
 >>You don't say *which* MD5SUMS files you're talking about, which is not
 >>very helpful. Please be more specific in future!

He did say i386 CD images, and duplication :-)

 >All done now, I think.

Not yet... Maybe what follows hasn't been done yet because of the
holidays so please take these observations just as reminders.

First, if the checksums files have been changed a trigger should have
been sent to the mirrors registered for push syncing. Also, the trace
file of the archive should have been updated.

Second, this incident shows that the generation of the checksums isn't
properly automated. This is an important responsibility of the master
archive. And it's too heavy a task to ask the mirrors to verify
checksums of 378GB... For the [few] mirrors that create the images
locally, jigdo-file is very careful and does [a lot of] its own
checksumming, so even in this case it's not necessary for mirrors to
use those files. That said, some of the mirrors that update faster
could check to catch problems early. I could do it here on request of
the master admin.