
Re: md5sums files



Anthony Towns <aj@erisian.com.au> writes:

> (I'm not subscribed to this list, so go ahead and Cc me)
>
> On Thu, Mar 4, 2010 at 02:05, Peter Samuelson <peter@p12n.org> wrote:
>> [Wouter Verhelst]
>> > I must say I was somewhat surprised by these numbers. Out of 2483
>> > packages installed on my laptop, 2340 install md5sums.
>> The surprising part, perhaps, is that dpkg itself didn't just generate
>> the other 143 md5sums files at installation time.
>
> The easy (and usually correct) reason for things like that is "dpkg's
> source is scary".
>
>> I suggested this a long time ago and of course was met with "so where's
>> your patch?"  Of course I was not willing to do the work.
>
> See? Anyway, my patch is attached. It makes dpkg create a "foo.hashes"
> when unpacking foo, whose contents looks like:
>
> MD5:32b5e22f8e336b2f34e0dd87652e6dfc  usr/share/doc/mawk/changelog.gz
> MD5:87a34f1f55ac3f7fec2c7fc82565e8eb  usr/share/doc/mawk/changelog.Debian.gz
> ...
>
> Verification is a matter of something like:
>
> $ cat /var/lib/dpkg/info/*.hashes | sed -n 's/^MD5://p' | (cd /;
> md5sum -c) | grep -v ': OK$'
>
> There's an option (--hash) that you can set to "none" to avoid
> spending time calculating md5s if you so choose. Adding support for
> sha1/sha256/whatever should be straightforward; afaik dpkg only has
> code for md5 already built in though (though just invoking
> /usr/bin/sha1sum etc would be an option of course).
>
> Of course another option is just to pull the md5sums directly from the deb:
>
> $ ar p /var/cache/apt/archives/ifupdown_0.6.9_i386.deb data.tar.gz |
>     tar --to-command='printf "%s%s\n" "$(md5sum - | sed s/-$//)"
> "${TAR_FILENAME#./}"'  -xzf - |
>     diff - /var/lib/dpkg/info/ifupdown.md5sums
> 1,3d0
> < 346208729633adf45e2fa3f2bd3b19c6  etc/init.d/ifupdown
> < c6fffaae03271f1641920105ce68796b  etc/init.d/ifupdown-clean
> < fab851ca87c5deb9d6f665e610184648  etc/default/ifupdown
> 4a2
>> a0f11cf1809a468c49b72e0aa0a8e26b  sbin/ifup
>
> (md5sums doesn't normally list conffiles, but does list hardlinks; the
> above command does the opposite)
>
>> But
>> fundamentally, shipping a md5sums file is really just a tradeoff in
>> download size vs. installation speed, not unlike gzip vs. bzip2.
>
> Advantages of doing it when unpacking:
>  - choice of checksum is the admin's decision
>  - we can quickly roll out support for sha1/sha256/crc/... checksums
> by just changing one package
>  - admin has hashes of exactly what was unpacked, no matter the source
>  - no concerns about bugs in dh_md5sums or similar resulting in bad checksums
>
> Advantages of doing it when uploading:
>  - provides some sort of double check of what's being uploaded
>  - saves CPU time on users' machines
   - avoids having bad checksums due to the user having bad hardware
     (which is one big use case of the files)

> For me, I'd rather have dpkg generate the hashes.
>
> Cheers,
> aj
>
> --
> Anthony Towns <aj@erisian.com.au>

MfG
        Goswin
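An added example, not from the thread and not dpkg's own code, of verifying files in the proposed `ALGO:hexdigest  path` format: it goes beyond the quoted md5sum pipeline by accepting any hashlib algorithm (so SHA-1 or SHA-256 lines can sit beside MD5 ones), still accepting the old prefix-less md5sums lines, and reporting missing files and unknown algorithms rather than failing silently. The sample tree, its contents and the NOSUCHHASH tag are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_hashes(text):
    """Yield (algo, digest, path) per line; a bare 'hex  path' line is a legacy md5sums entry."""
    for line in filter(None, text.splitlines()):
        tag, _, path = line.partition("  ")      # two spaces, as md5sum writes them
        algo, sep, digest = tag.partition(":")
        if not sep:                              # no "ALGO:" prefix: old-style md5sums line
            algo, digest = "md5", algo
        yield algo.lower(), digest.lower(), path

def verify_hashes(text, root="/"):
    """Return {path: status}; status is OK, FAILED, MISSING or UNSUPPORTED."""
    results = {}
    for algo, digest, path in parse_hashes(text):
        full = os.path.join(root, path)
        if algo not in hashlib.algorithms_available:
            results[path] = "UNSUPPORTED"
        elif not os.path.isfile(full):
            results[path] = "MISSING"
        else:
            with open(full, "rb") as f:
                actual = hashlib.new(algo, f.read()).hexdigest()
            results[path] = "OK" if actual == digest else "FAILED"
    return results

def demo():
    """Constructed sample tree (not real package files): an intact file, a file
    altered after hashing, a missing file, and a line naming an unknown algorithm."""
    root = tempfile.mkdtemp()
    doc = os.path.join(root, "usr/share/doc/demo")
    os.makedirs(doc)
    for name in ("changelog", "copyright"):
        with open(os.path.join(doc, name), "wb") as f:
            f.write(b"original\n")
    md5 = hashlib.md5(b"original\n").hexdigest()
    sha = hashlib.sha256(b"original\n").hexdigest()
    text = ("MD5:%s  usr/share/doc/demo/changelog\n" % md5
            + "SHA256:%s  usr/share/doc/demo/copyright\n" % sha
            + "%s  usr/share/doc/demo/README\n" % md5        # legacy line, file absent
            + "NOSUCHHASH:00  usr/share/doc/demo/NEWS\n")    # algorithm this host lacks
    with open(os.path.join(doc, "copyright"), "wb") as f:
        f.write(b"tampered\n")                              # altered after hashing
    return verify_hashes(text, root)
```

Run against a real system, `verify_hashes(open("/var/lib/dpkg/info/foo.hashes").read())` plays the role of the quoted `md5sum -c` pipeline, with the non-OK entries being the ones worth looking at.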