Re: proposed release goal: DEBIAN/md5sums for all packages

On Sat, 2007-08-18 at 09:43:06 +1000, Anthony Towns wrote:
> On Fri, Aug 17, 2007 at 05:05:28PM -0500, Peter Samuelson wrote:
> > I'd opt for dpkg generating the checksums upon _extracting_ the .deb
> > file. [...]
>
> Where's the code for that?
> Changing write_filelist_except to update a new .md5 control file ought to
> be possible. You'd probably want to add a *newhash to struct filenamenode,
> though, and fill it out when unpacking, but working out the hash while
> unpacking (rather than running over every file to be unpacked twice)
> would mean hax0ring into the fd_fd_copy() invocation in tarobject()
> (archives.c), which seems tricky.

There's a patch in 155676 doing more or less this, which adds sha1sum
verification support and generation at extract time.

But I agree with Joey Hess that it's better done at package creation
time as it seems wasteful to do those computations on all target
systems instead of the single one building the binary.

The only problem with generating the checksums in dpkg-deb (if they
do not yet exist) is that it might take some time to transition those
packages not having them, as it needs a rebuild. Although given the
current few packages lacking them, it would not seem to be the case
for md5sums right now, it might be if we would add sha1sums as well
for example, but then it's just a question of time until all of them
get the new metadata, and binNMUs are easy if desired.
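
The single-pass idea discussed in this thread (hash each file while it is copied out of the archive, rather than reading every unpacked file a second time), as an added Python illustration that is neither dpkg code nor the patch in 155676. The function names, the constructed sample archive, and the `<md5>  <relative path>` line layout are assumptions of this example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample standing in for a package's data.tar contents.
SAMPLE_FILES = {
    "./usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "./usr/share/doc/hello/README": b"constructed sample\n",
}

def build_sample_tar(files=SAMPLE_FILES):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def unpack_with_md5sums(tar_stream, dest, chunk=65536):
    """Extract regular files, hashing each one while it is being written."""
    root = os.path.realpath(dest)
    lines = []
    with tarfile.open(fileobj=tar_stream, mode="r|") as tar:  # sequential read
        for member in tar:
            if not member.isreg():
                continue  # only regular files get a checksum line
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"member escapes destination: {member.name!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            digest = hashlib.md5()
            src = tar.extractfile(member)
            with open(target, "wb") as out:
                for block in iter(lambda: src.read(chunk), b""):
                    digest.update(block)  # hash the same bytes being copied
                    out.write(block)
            lines.append(f"{digest.hexdigest()}  {os.path.relpath(target, root)}")
    return "\n".join(sorted(lines, key=lambda l: l.split("  ", 1)[1])) + "\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unpack_with_md5sums(build_sample_tar(), tmp), end="")
```

The same loop serves either side of the argument above: run once on the build host it produces the file to ship in the package, run on every target it repeats the hashing at each install.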