Re: packages without .md5sums file?

To: debian-devel@lists.debian.org
Subject: Re: packages without .md5sums file?
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Sun, 29 Jul 2001 14:51:53 +0200
Message-id: <[🔎] 20010729145153.E464@212.23.136.22>
In-reply-to: <[🔎] 20010729095435.L23974@seteuid.getuid.de>
References: <[🔎] 200107271053.f6RArHlc024626@dizzy.dz.net> <[🔎] 20010727130737.D30465@wiggy.net> <[🔎] 20010727204929.F702@212.23.136.22> <[🔎] 20010727210955.B2998@wiggy.net> <[🔎] 20010728011156.A105@212.23.136.22> <[🔎] 20010728124913.K23974@seteuid.getuid.de> <[🔎] 20010728152017.D1170@212.23.136.22> <[🔎] 20010729095435.L23974@seteuid.getuid.de>

On Sun, Jul 29, 2001 at 09:54:35AM +0200, Christian Kurz wrote:
> > The point I am trying to make is, that self-generating the checksums
> > introduces a single point of failure, my system.  If every maintainer
> > generates them themselve, some packages might have wrong checksums, but in
> > general this would not affect the checksums in other packages.  Also, the
> 
> Which will stail undermine your plan of verifying which binaries are
> modified or damaged, because you'll still only be able to verify a part
> of the packages and not all like you want to achieve it.

Sorry, I was imprecise.  Debian won't allow packages with wrong checksums in
the archive.  If they slip in because of bugs in disntall, people will
notice and the package be removed.  When the packages reach me on a CD, they
will have been tested many times by different people.

> > checksums can be verified by lintian, the upload queue daemons, dinstall,
> 
> Are you aware that there's already a md5sum for the .dsc, .orig.tar.gz
> or .tar.gz, the .diff.gz if it exists and the .deb that you are
> uploading the .changes file, which is again signed by your key?

Yes, I am.  The checksums are indeed not needed to make a verification,
I could also extract the debs on a CD and verify the content directly.
I assume this is much slower, and there are no convenience tools for that,
but it is possible.

> for example those md5sums won't
> work on config-files or files which are created at or after runtime of a
> program without being included in deb.

Right.  It seems that what Wichert has in mind is indeed a different tool
from what I had in mind.  He seems to think along the lines of tripwire.
I have no opinion if implementing this into the packaging tool is a good
idea or not.  On the one hand, it sounds like featurism, on the other hand
some interface between the packaging system and the tripwire tool makes
certainly sense (so the packaging tool can signal that the changes done by
the upgrade/installation are wanted).

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de

Reply to:

References:
- packages without .md5sums file?
  - From: Massimo Dal Zotto <dz@cs.unitn.it>
- Re: packages without .md5sums file?
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: packages without .md5sums file?
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: packages without .md5sums file?
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: packages without .md5sums file?
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: packages without .md5sums file?
  - From: Christian Kurz <shorty@debian.org>
- Re: packages without .md5sums file?
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
- Re: packages without .md5sums file?
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: packages without .md5sums file?
Next by Date: Re: something is writing to /
Previous by thread: Re: packages without .md5sums file?
Next by thread: Re: packages without .md5sums file?
Index(es):
- Date
- Thread