
Re: Packages fields



On Thu, Dec 13, 2001 at 12:22:08PM +0100, Santiago Vila wrote:
> toad:
> > When is the MD5 field calculated (or checked) ?
> 
> It's calculated by dpkg-scanpackages or apt-ftparchive at the master
> server archive, ftp-master.debian.org, and it's checked by dpkg and
> friends at install time. Don't know what freenet is, but I fail to see
> why would you need yet another hash.

See http://freenetproject.org/index.php?page=whatis for an official
explanation.
We use another hash because when you are downloading files from untrusted
nodes, you need to be able to verify that you are downloading the right file,
before you download all 20M of it (worst case scenario for debian packages).
Freenet uses progressive hashes that allow us to verify the file at every 4kB
block (with 20 bytes/block overhead). It is also gratuitously encrypted in
order to protect the owners of datastores from legal liability for whatever
illegal junk others have inserted (the CHK is actually CHK@<progressive hash
of encrypted file>,<decryption key>). The decryption key is derived from the
hash of the unencrypted file. All hashes are SHA-1, encryption is Rijndael
(which is rather fast). Apt-get-over-freenet is or could be useful because it 
would save a large amount of bandwidth on various centralised ftp servers,
downloading only the Packages file from ftp.debian.org or a reliable mirror
and then getting the rest from Freenet. It would also speed up downloads over
fast links through downloading several packages at once from different nodes,
many of which are also on cable/DSL.
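
The per-block verification described in the message above, as an added example that is not part of the original post and is not Freenet's code. It assumes one simple construction with the stated costs (4 kB blocks, 20 bytes of SHA-1 per block): a hash chain in which every block is followed by the hash of the next segment, so a downloader holding only the trusted root hash can reject a bad block as soon as it arrives. Freenet's actual format may differ, and the function names are hypothetical.

```python
import hashlib

BLOCK = 4096               # block size given in the post
DIGEST = 20                # SHA-1 output size: the 20 bytes/block overhead
END = b"\x00" * DIGEST     # assumed terminator stored after the last block

def encode(data):
    """Return (root_hash, stream). Built back to front so that each
    segment is block + SHA-1(next segment)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    nxt, segments = END, []
    for block in reversed(blocks):
        seg = block + nxt
        segments.append(seg)
        nxt = hashlib.sha1(seg).digest()
    return nxt, b"".join(reversed(segments))

def verify(root, stream):
    """Yield blocks one at a time, each checked against the hash obtained
    from the previous (already verified) segment. Raises ValueError at the
    first segment that does not match, before any later data is used."""
    expected = root
    for off in range(0, len(stream), BLOCK + DIGEST):
        seg = stream[off:off + BLOCK + DIGEST]
        if len(seg) < DIGEST or hashlib.sha1(seg).digest() != expected:
            raise ValueError(f"segment at offset {off} failed verification")
        yield seg[:-DIGEST]
        expected = seg[-DIGEST:]
    if expected != END:
        # The chain still points at a further segment: data was cut short.
        raise ValueError("stream truncated")

def fetch(root, stream):
    """Consume a stream as a downloader would.
    Returns (verified data so far, error message or None)."""
    good = bytearray()
    try:
        for block in verify(root, stream):
            good += block
    except ValueError as exc:
        return bytes(good), str(exc)
    return bytes(good), None
```

With this layout only the root hash has to come from a trusted source, such as a field in the Packages file; everything else can be fetched from untrusted nodes.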


