Re: md5sums files

To: debian-devel@lists.debian.org
Subject: Re: md5sums files
From: Peter Samuelson <peter@p12n.org>
Date: Wed, 3 Mar 2010 14:02:01 -0600
Message-id: <[🔎] 20100303200201.GG18278@p12n.org>
In-reply-to: <[🔎] 20100303191810.GE13644@radis.liafa.jussieu.fr>
References: <[🔎] 20100303020620.GA17083@celtic.nixsys.be> <[🔎] 20100303160510.GF18278@p12n.org> <[🔎] 20100303191810.GE13644@radis.liafa.jussieu.fr>

[Julien Cristau]
> > fundamentally, shipping a md5sums file is really just a tradeoff in
> > download size vs. installation speed, not unlike gzip vs. bzip2.  One
> 
> Only if you assume that disks never fail and thus files never get
> corrupted when the package gets unpacked.

Given a .deb, turning the data.tar.gz into foo.md5sums is a SMOP.
This could be before, during, or after the deb is unpacked.

Using the packaged foo.md5sums as an internal consistency check of
data.tar.gz itself is interesting, but somewhat unwieldy.  Better would
be to checksum data.tar.gz in its entirety.  But doesn't gzip already
do that?  (Yes, it's only 32 bits, but we aren't trying to detect
intentional tampering, only corruption.  To detect intentional
tampering, you need signed debs, or at least signed Packages.bz2.)
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

Reply to:

Follow-Ups:
- Re: md5sums files
  - From: Harald Braumann <harry@unheit.net>

References:
- md5sums files
  - From: Wouter Verhelst <wouter@debian.org>
- Re: md5sums files
  - From: Peter Samuelson <peter@p12n.org>
- Re: md5sums files
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Re: md5sums files
Next by Date: Re: md5sums files
Previous by thread: Re: md5sums files
Next by thread: Re: md5sums files
Index(es):
- Date
- Thread