Re: md5sums files
> > Given a .deb, turning the data.tar.gz into foo.md5sums is a SMOP.
> > This could be before, during, or after the deb is unpacked.
> If you create the hashes at unpack time, you don't catch errors that
> happen during unpack.
You mean errors reading the data.tar.gz file? That is what the gzip
checksum is for, as I said later in my email.
> > Using the packaged foo.md5sums as an internal consistency check of
> > data.tar.gz itself is interesting, but somewhat unwieldy. Better would
> > be to checksum data.tar.gz in its entirety. But doesn't gzip already
> > do that? (Yes, it's only 32 bits, but we aren't trying to detect
> > intentional tampering, only corruption.
> The hash must include the whole package, not just data.tar.gz.
Please don't hijack my little thread here. I'm talking about whether
there are any disadvantages to generating foo.md5sums at unpack time,
other than the obvious one (CPU usage).
Signed debs and signed repositories are an entirely separate
discussion. md5sums files don't even pretend to solve the same
problems. They solve other problems.