[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

"Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:

> * Manoj Srivastava <srivasta@debian.org> [031204 18:00]:
> > >> The md5sum file should be generated at build time, signed and only
> > >> the signature kept. The signature is small enough not to cause
> > >> bloat, it can be included in the Package file or a Signatures.gz
> > >> file containing all signatures could be maintained in the archive.
> > 
> > > That still adds the burden of calculating them all after installing.
> > > I also think it is hardly possible to regenerate the .md5sums file
> > > in a way the signature will be kept. It would need to never change
> > > which files are included and how they are sorted. It could also
> > > cause problems with more sophisticated Replaces and may bite with
> > > other things I cannot even think about.
> > 
> > 	Simple: we already store the lists of files in a package; use
> >  that to regenerate the file. I mean,  you are assuming thet
> >  /var/lib/dpkg/info has been uncorrupted, after all.
> Ok, I overlooked it. That would give at least a well-defined ordering
> of the files for generating the md5sums at installation time. It's still
> not possible to generate them later. Making this to work with things
> like #184635

Replaced files should be kept somewhere as long as the package being
replaced is installed.

Say B replaces A and you do the following:

dpkg -i A; dpkg -i B; dpkg --purge B

That should give exactly the same result as "dpkg -i A"
alone. Anything else would be a bug.

With replaced files being kept you can recalculate correct md5sum
lists for A and B at any time in any combination of installed
packages. But even if it fails due to some bug you will only get a
false negative. Then you download the debs and see what the problem

> > > Only if there is a reliable way to regenerate them at instalation
> > > time.
> > 
> > 	Sure there is. (Just tested -- I regenerated a file several
> >  times in a row like so: cat /var/lib/dpkg/info/mailagent.list | while
> >  read i; do test -f $i && do j=$(md5sum $i); done).
> # for n in `sort /var/lib/dpkg/info/*.list | uniq -d` ; do test -f $n &&
> echo $n ; done | wc -l
>   16
> > 	If you have the .debs available, is it not simpler to just do:
> > __> ar p \
> >     /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb \
> >     data.tar.gz | tar zfd - | grep 'Contents differ'
> Well, there is a reason debsums does more then just comparing the files
> listed in the .md5sums with the files at the given locations.
> There are packages replacing files of other packages. There are
> diversions and possible other uglyness.

That all has to be tracked by dpkg already.

> I also prefer to have the .debs in local mirrors and not at each
> indiviual host. And just extracting the .md5sums and copying
> is much less hassle, then sending all the files at whole over the
> network.


Reply to: