[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts



On Wed, 3 Dec 2003 23:19:58 +0100, Bernhard R Link <blink@informatik.uni-freiburg.de> said: 

> * Manoj Srivastava <srivasta@debian.org> [031203 20:12]:
>> Before we make such a push, we should at least ensure that it is
>> something we really want to do. I think locally generated checksums
>> are a better solution.

> I don't think so. md5-calculation it not the fastest thing
> (especially on non-i386 it often feels like downloading and
> installing together needs less time than the md5sum-verification.
> So this should be switched off, but then it will be missing when one
> needs them.

	That is but one optimization: we already are suffering from
 archive bloat, what about the disk and bandwidth cost of carrying
 around the sigs?  And since one rarely needs the md5sums anyway, what
 is so wrong with checking against the .deb when needed?

	Verifying the local install requires a calculation of md5sum
 for every file installed. Not something you want to do, then, if
 md5sum calculation takes a long time.

> Not having some host-specific automatism makes it also much easier
> to verify them. A kernel together with some

	There is nothing preventing us from standardizing the
 automation mechanism, and building tools on top of that.

> mount-md5sum-cruft-debsums utility may fit together with the md5sums
> of the .md5sums files on a floppy. If those files may look
> different, one may need to include those files as well. (And
> extracting them from some package pool is also more complicated).

	Why is it more complicated?  Here, try this:
__> ar p  /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb data.tar.gz | tar zfd -
./usr/bin/mailpatch: Mod time differs
./usr/bin/mailhelp: Mod time differs
./usr/bin/maillist: Mod time differs
./usr/bin/maildist: Mod time differs
./usr/bin/package: Mod time differs
./usr/bin/edusers: Mod time differs
./usr/bin/mailagent: Mod time differs
./usr/share/mailagent/chkagent.sh: Mod time differs
./usr/share/mailagent/filter.sh: Mod time differs
./usr/share/mailagent/setup.cf: Mod time differs
./usr/share/mailagent/mailagent.cf: Mod time differs
./usr/share/mailagent/commands: Mod time differs
./usr/share/man/man1/maillist.1.gz: Mod time differs
./usr/share/man/man1/maillist.1.gz: Contents differ   <---------
./usr/share/man/man1/mailhelp.1.gz: Mod time differs

	How difficult was that?

__> ar p  /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb \
    data.tar.gz | tar zfd - | grep 'Contents differ'
./usr/share/man/man1/maillist.1.gz: Contents differ
./usr/share/man/man1/mailhelp.1.gz: Contents differ
./usr/share/man/man1/mailpatch.1.gz: Contents differ
./usr/share/man/man1/package.1.gz: Contents differ
./usr/share/man/man1/edusers.1.gz: Contents differ
 ...

	Heck, seems like this is simpler than futzing around with
 checksums. 


> Its also a warm feeling to run debsums to see the broken memory chip
> one just replaced with a working one has not caused any bit-changes
> in the installed files. If the checksums were created at the same
> system, one has to get them from somewhere else, so there is little
> sense in having them generated at all.

	A warm fuzzy feeling, however, is to be distrusted when
 dealing with security and/or system integrity checking.

	manoj
-- 
Engineering: "How will this work?" Science: "Why will this work?"
Management: "When will this work?" Liberal Arts: "Do you want fries
with that?"
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



Reply to: