[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: md5sums files


On Wed, Mar 03, 2010 at 03:06:20AM +0100, Wouter Verhelst wrote:
> Hello world,
> wouter@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
> 2340
> wouter@celtic:/var/lib/dpkg/info$ ls *sums|wc -l
> 2340
> wouter@celtic:/var/lib/dpkg/info$ dpkg -l|sed -e'1,/=====/d'|wc -l
> 2483

Here on my system:
$ dpkg -l|sed -e'1,/=====/d'|wc -l
$ dpkg -l|sed -e'1,/=====/d'|grep ^ii |wc -l
$ dpkg -l|sed -e'1,/=====/d'|grep -v ^ii
rc  sbcl 1:  A Common Lisp compiler and development system
So dfference can be explained.

> I must say I was somewhat surprised by these numbers. Out of 2483
> packages installed on my laptop, 2340 install md5sums. While that
> might've been useful at some point, I don't think it still is.

Are you sure you hava all package lines starting with "ii"?

(I know some package may still be lacking *md5sums under some
configuration.  If so, I suggest to read debsums and debsums_init
manpages. This issue is solved since 2007.)
> In this day and age of completely and utterly broken MD5[0], I think we
> should stop providing these files, and maybe provide something else
> instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> md5sums.

gpg is slow. sha variants will be nice if there is smooth transition in
place properly planned and supprted with backported package of debsums.

The advantage of debsums is precalculated sum values and quick sanity
check capability against random changes.


Reply to: