Re: debsums for maintainer scripts
"Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:
> * Manoj Srivastava <srivasta@debian.org> [031204 18:00]:
> > >> The md5sum file should be generated at build time, signed and only
> > >> the signature kept. The signature is small enough not to cause
> > >> bloat, it can be included in the Package file or a Signatures.gz
> > >> file containing all signatures could be maintained in the archive.
> >
> > > That still adds the burden of calculating them all after installing.
> > > I also think it is hardly possible to regenerate the .md5sums file
> > > in a way the signature will be kept. It would need to never change
> > > which files are included and how they are sorted. It could also
> > > cause problems with more sophisticated Replaces and may bite with
> > > other things I cannot even think about.
> >
> > Simple: we already store the lists of files in a package; use
> > that to regenerate the file. I mean, you are assuming that
> > /var/lib/dpkg/info has been uncorrupted, after all.
>
> Ok, I overlooked it. That would give at least a well-defined ordering
> of the files for generating the md5sums at installation time. It's still
> not possible to generate them later. Making this work with things
> like #184635
Replaced files should be kept somewhere as long as the package being
replaced is installed.
Say B replaces A and you do the following:
dpkg -i A; dpkg -i B; dpkg --purge B
That should give exactly the same result as "dpkg -i A"
alone. Anything else would be a bug.
With replaced files being kept you can recalculate correct md5sum
lists for A and B at any time in any combination of installed
packages. But even if it fails due to some bug you will only get a
false negative. Then you download the debs and see what the problem
is.
> > > Only if there is a reliable way to regenerate them at installation
> > > time.
> >
> > Sure there is. (Just tested -- I regenerated a file several
> > times in a row like so: cat /var/lib/dpkg/info/mailagent.list | while
> > read i; do test -f $i && j=$(md5sum $i); done).
>
> # for n in `sort /var/lib/dpkg/info/*.list | uniq -d` ; do test -f $n &&
> echo $n ; done | wc -l
> 16
>
>
> > If you have the .debs available, is it not simpler to just do:
> > __> ar p \
> > /usr/local/src/arch/packages/debian--0.1/mailagent/mailagent_3.73-9_i386.deb \
> > data.tar.gz | tar zfd - | grep 'Contents differ'
>
> Well, there is a reason debsums does more than just comparing the files
> listed in the .md5sums with the files at the given locations.
> There are packages replacing files of other packages. There are
> diversions and possibly other ugliness.
That all has to be tracked by dpkg already.
> I also prefer to have the .debs in local mirrors and not at each
> individual host. And just extracting the .md5sums and copying
> is much less hassle than sending all the files as a whole over the
> network.
MfG
Goswin
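
Added example (not part of the original message, and not dpkg or debsums code): a sketch of the scheme discussed in this thread, regenerating a package's md5sums list from its .list file in a fixed order so that one digest of the list can be checked later. The function names, the sha256 digest standing in for the signed value, and the demo tree are assumptions; replaced and diverted files are not handled.

```shell
#!/bin/sh
# regen_md5sums LIST [ROOT]: print "md5  relative/path" for every regular file
# named in a dpkg-style LIST, in byte-sorted path order, so the output does not
# depend on the order of LIST. ROOT is prefixed to each path (empty = live system).
regen_md5sums() {
    LC_ALL=C sort -u "$1" | while IFS= read -r path; do
        # .list files also name directories; hash regular files only and
        # skip symlinks, as the shipped md5sums file does not cover them.
        if [ -f "${2:-}$path" ] && [ ! -L "${2:-}$path" ]; then
            sum=$(md5sum < "${2:-}$path")
            printf '%s  %s\n' "${sum%% *}" "${path#/}"
        fi
    done
}

# list_digest LIST [ROOT]: the single value that would be signed at build time
# (assumption: sha256 over the regenerated list stands in for the signature input).
list_digest() {
    regen_md5sums "$1" "${2:-}" | sha256sum | cut -d' ' -f1
}

# verify_list LIST ROOT EXPECTED: exit status 0 if the regenerated list matches.
verify_list() {
    [ "$(list_digest "$1" "$2")" = "$3" ]
}

# make_demo_root: build a constructed package tree plus its .list, print its path.
make_demo_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/etc"
    printf 'binary\n' > "$d/usr/bin/demo"
    printf 'conf\n' > "$d/etc/demo.conf"
    printf '%s\n' /. /usr /usr/bin /usr/bin/demo /etc /etc/demo.conf \
        > "$d/demo.list"
    printf '%s\n' "$d"
}

# Demo on constructed data: record the digest, change one file, re-check.
demo=$(make_demo_root)
good=$(list_digest "$demo/demo.list" "$demo")
printf 'tampered\n' > "$demo/usr/bin/demo"
verify_list "$demo/demo.list" "$demo" "$good" ||
    echo "mismatch: a file listed in demo.list changed"
rm -rf "$demo"
```

A mismatch only says that some listed file differs; finding which one still needs the per-file sums from the .deb or a mirror.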