[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

* Manoj Srivastava <srivasta@debian.org> [031204 18:00]:
> >> The md5sum file should be generated at build time, signed and only
> >> the signature kept. The signature is small enough not to cause
> >> bloat, it can be included in the Package file or a Signatures.gz
> >> file containing all signatures could be maintained in the archive.
> 
> > That still adds the burden of calculating them all after installing.
> > I also think it is hardly possible to regenerate the .md5sums file
> > in a way the signature will be kept. It would need to never change
> > which files are included and how they are sorted. It could also
> > cause problems with more sophisticated Replaces and may bite with
> > other things I cannot even think about.
> 
> 	Simple: we already store the lists of files in a package; use
>  that to regenerate the file. I mean,  you are assuming thet
>  /var/lib/dpkg/info has been uncorrupted, after all.

Ok, I overlooked it. That would give at least a well-defined ordering
of the files for generating the md5sums at installation time. It's still
not possible to generate them later. Making this to work with things
like #184635

> > Only if there is a reliable way to regenerate them at instalation
> > time.
> 
> 	Sure there is. (Just tested -- I regenerated a file several
>  times in a row like so: cat /var/lib/dpkg/info/mailagent.list | while
>  read i; do test -f $i && do j=$(md5sum $i); done).

# for n in `sort /var/lib/dpkg/info/*.list | uniq -d` ; do test -f $n &&
echo $n ; done | wc -l
  16

                                     
> 	If you have the .debs available, is it not simpler to just do:
> __> ar p \
>     /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb \
>     data.tar.gz | tar zfd - | grep 'Contents differ'

Well, there is a reason debsums does more then just comparing the files
listed in the .md5sums with the files at the given locations.
There are packages replacing files of other packages. There are
diversions and possible other uglyness.

I also prefer to have the .debs in local mirrors and not at each
indiviual host. And just extracting the .md5sums and copying
is much less hassle, then sending all the files at whole over the
network.

Hochachtungsvoll,
  Bernhard R. Link

-- 
Sendmail is like emacs: A nice operating system, but missing
an editor and a MTA.
Reply to: