
Re: proposed release goal: DEBIAN/md5sums for all packages



Romain Francoise <rfrancoise@debian.org> writes:

> Stefano Zacchiroli <zack@debian.org> writes:
>
>> [ fully quoting my original request, for the sake of context
>>   preservation ]
>
> Thanks for initiating the discussion! :-)
>
>> On Fri, Aug 17, 2007 at 09:04:13AM +0200, Luk Claes wrote:
>>>
>>> With more than 600 issues, it's a bit early to make it a release goal IMHO. 
>>> Though making maintainers aware by upgrading the lintian check to a warning 
>>> and discussion on debian-devel about which exceptions are warranted (and 
>>> possible mass bug filing) will probably be a good idea to get the amount 
>>> reduced rather fast...
>
> One thing I've been pondering about is: are there any good reasons
> *not* to have an md5sums control file?
>
> It seems to me that the time spent to generate it on the buildds is
> probably insignificant compared to the total time needed to build
> the package...  And since generating it can be done with a trivial
> shell command, it's not a complexity issue either.

I fail to see any reason to HAVE an md5sums file.

The package is signed (via Release.gpg, Release, Packages,
md5sum+size) and thereby protected against tampering.

The md5sum file in /var/lib/dpkg/info/ (or wherever you put it on the
user's system) is not protected and therefore useless as a security
device. Fetching an md5sum file you can trust means fetching (at least
partially) the deb and then you can just compare the files one by one.

Also the md5sum file can be generated at install time if wanted. The
cost of computing the md5sum on the fly is quite insignificant on most
systems.


So why waste all the mirror space and bandwidth for something rather
useless?

MfG
        Goswin
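The trust chain Goswin refers to (Release.gpg signs Release, Release lists the hash and size of each Packages index, Packages lists the hash and size of each .deb), modelled as an added example that is not part of the thread. The Release, Packages and .deb bytes below are constructed, and the OpenPGP verification of Release.gpg is assumed to have already succeeded; everything beneath that signature is plain hash-and-size comparison, which is why a separate, unsigned md5sums file on the installed system adds nothing to it.

```python
import hashlib
# Constructed stand-in for the bytes of a .deb in the archive pool.
DEB_BYTES = b"!<arch>\nconstructed-deb-content\n"

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed Packages entry for that .deb (no multi-line fields in this model).
DEB_PATH = "pool/main/e/example/example_1.0-1_all.deb"
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0-1\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"MD5sum: {md5_hex(DEB_BYTES)}\n\n"
).encode()

# Constructed Release file, i.e. the document Release.gpg signs (MD5 only here).
INDEX_PATH = "main/binary-all/Packages"
RELEASE_TEXT = (
    "Suite: stable\nMD5Sum:\n"
    f" {md5_hex(PACKAGES_TEXT)} {len(PACKAGES_TEXT)} {INDEX_PATH}\n"
)

def parse_release_sums(release_text: str) -> dict:
    """Map index path -> (md5, size) from the MD5Sum: section of Release."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if in_section and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        else:  # any non-indented line starts a new header/section
            in_section = line.strip() == "MD5Sum:"
    return sums

def parse_packages(packages_text: bytes) -> dict:
    """Map Filename -> (md5, size) for every stanza of a Packages index."""
    entries = {}
    for stanza in packages_text.decode().strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines())
        entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def verify_chain(release_text, index_path, packages_text, deb_path, deb_bytes):
    """True only if Release vouches for Packages and Packages vouches for the .deb."""
    expected = parse_release_sums(release_text).get(index_path)
    if expected != (md5_hex(packages_text), len(packages_text)):
        return False  # index not covered by the signed Release
    entry = parse_packages(packages_text).get(deb_path)
    return entry == (md5_hex(deb_bytes), len(deb_bytes))
```

Any change to the index or the .deb below the signature fails the chain, whereas a per-file md5sums list stored unsigned on the client can be rewritten alongside the files it describes, which is the point Goswin makes above.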


