
Re: ftp.debian.org: please drop MD5sum lines from Packages



Hi,

since Steve McIntyre seems to be busy, I will try to answer the general
questions about jigdo.

The files .jigdo and .template get created by xorriso along with the
creation of the .iso image file.

The MD5s in .jigdo and .template are used for bringing together the
file items in both formats. .template has a byte interval gap and an MD5,
.jigdo has an MD5 and a package path, beginning at "pool/".
Like (after gunzip *.jigdo):
  FexKzYyIVG2rRb1UjUKj8Q=Debian:pool/contrib/b/biomaj-watcher/biomaj-watcher_1.2.2-4_all.deb

Insofar the MD5 (here as base64 string "FexKzYyIVG2rRb1UjUKj8Q") is only
an opaque identifier.
But on other occasions it is indeed used as an error detector. See bug #772110
where jigdo-file reports a damaged download of a .deb, but is just not able
to correct the problem on its own.
Neither secure nor perfect. But better than no hint at all, I'd say.

In general, a change of the opaque identifier would demand changes in
libjte, which produces .jigdo and .template under control of xorriso,
and in jigdo-file, which would then have to learn to re-compute the
identifier of a package for its imperfect check for glitches in mirror
server or transport.

Changes in libjte would probably be my realm. I am ready to follow tangible
instructions. Best relying on a checksum that it can already compute:
(MD5), (SHA1), SHA256, SHA512.

But given Steve McIntyre's silence on the discussion of bug #887831,
which is actually about beefing up jigdo-lite's initial and final
tests for success to the strength of SHA512SUMS.sign and SHA512SUMS,
I am pessimistic that a change from MD5 to some part of the SHA256
will happen soon in jigdo-lite/file.
(He would also have to package the new libjte version.)

Further it would create the need for a legacy version of jigdo-lite/file
for MD5-based jigdos which are available in the archive:
  http://cdimage.debian.org/mirror/cdimage/archive/
(Between 6 and 9 there are no iso-dvd sub directories. Since 9.2 they
 are back.)

-------------------------------------------------------------------

Ansgar wrote:
> From looking, I believe it is debian-cd's tools/grab_md5

Looking at
  https://sources.debian.org/src/debian-cd/3.1.26/tools/grab_md5/
I think that line 105 could get changed from

  MD5=`echo $ENTRY | /bin/sed 's/:.*$//g'`

to something which uses /usr/bin/md5sum on the package file, rather than
inquiring the package information.
I believe I see in line 107

  printf '%s  %12.12s  %s\n' $MD5 $SIZE $PATH

the production of a line for the input file of xorrisofs option -md5-list,
as described in man xorrisofs:

  "Each designated file is represented in the  .md5  file
   by a single text line:
     MD5  as 32 hex digits, 2 blanks, size as 12 decimal digits or blanks,
     2 blanks, symbolic file address
  "

So $MD5 should be filled with the first word of the output of md5sum.
(Now who can guess where to find the path to the package file .deb?)


Have a nice day :)

Thomas

