[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On Thu, 4 Dec 2003 13:02:57 +0100, Bernhard R Link <blink@informatik.uni-freiburg.de> said: 

> * Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
>   [031204 02:46]:
>> "Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:
>> > I don't think so. md5-calculation it not the fastest thing
>> > (especially on non-i386 it often feels like downloading and
>> > installing together needs less time than the md5sum-verification.
>> > So this should be switched off, but then it will be missing when
>> > one needs them.
>> The md5sum file should be generated at build time, signed and only
>> the signature kept. The signature is small enough not to cause
>> bloat, it can be included in the Package file or a Signatures.gz
>> file containing all signatures could be maintained in the archive.

> That still adds the burden of calculating them all after installing.
> I also think it is hardly possible to regenerate the .md5sums file
> in a way the signature will be kept. It would need to never change
> which files are included and how they are sorted. It could also
> cause problems with more sophisticated Replaces and may bite with
> other things I cannot even think about.

	Simple: we already store the lists of files in a package; use
 that to regenerate the file. I mean,  you are assuming thet
 /var/lib/dpkg/info has been uncorrupted, after all.

> Only if there is a reliable way to regenerate them at instalation
> time.

	Sure there is. (Just tested -- I regenerated a file several
 times in a row like so: cat /var/lib/dpkg/info/mailagent.list | while
 read i; do test -f $i && do j=$(md5sum $i); done).

> And if one decided to save the time to calculate them or save the
> space by freeing the generated .md5sums file, bringing the system
> back in a state where such integrity can be checked is almost
> equivalent to a reinstall, while extracting the classical .md5sums
> file from an package pool (local mirror, set of CDs ...) and putting
> them back in place is very simple and needs far less processing
> power.

	If you have the .debs available, is it not simpler to just do:
__> ar p \
    /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb \
    data.tar.gz | tar zfd - | grep 'Contents differ'


No, that'd be silly. Larry Wall in <199710221710.KAA24242@wall.org>
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: