
Re: md5sums files



Peter Samuelson <peter@p12n.org> writes:

>> Peter Samuelson <peter@p12n.org> writes:
>> > Be that as it may, I don't think the md5sums file was ever intended to
>> > be an integrity check of the .deb itself.  Fortunately, the .deb also
>> > includes checksums of control.tar.gz and data.tar.gz, thanks to use of
>> > the gzip container format.
>
> [Goswin von Brederlow]
>> That is not about the integrity of the deb. It is about the integrity of
>> the files on the system. And if you do have faulty memory (or any of the
>> other problems) then calculating the checksum locally will have a high
>> risk of calculating it from already corrupted data and miss the error.
>
> How many times do I have to say "the .deb also includes checksums of
> control.tar.gz and data.tar.gz, thanks to use of the gzip container
> format" before you notice?

You are still missing the point.

- You download and verify the deb with the checksum in Packages.gz.
- You unpack and some bits toggle making files corrupt.
- You generate the md5sum from corrupt data.
- Some time later you notice things don't work right that work
  elsewhere.
- You verify the file integrity and all files check out fine.
- You miss the problem.

At the point when you need to check the integrity you do not have a
control.tar.gz or data.tar.gz file. You don't have a deb. All you have
is your corrupted data.

MfG
        Goswin
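
The sequence listed in the message above, as an added example that is not part of the original message: a simulation in which a checksum manifest shipped with the package is compared against one generated locally after unpacking. The file names, contents and helper functions are constructed for illustration.

```python
import hashlib

def md5_manifest(files):
    """Return {path: md5 hex digest} for a mapping of path -> bytes."""
    return {path: hashlib.md5(data).hexdigest() for path, data in files.items()}

def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit toggled (simulated faulty memory or disk)."""
    corrupted = bytearray(data)
    corrupted[byte_index] ^= 1 << bit
    return bytes(corrupted)

def verify(installed, manifest):
    """Return the sorted list of paths whose current md5 differs from the manifest."""
    current = md5_manifest(installed)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)

def simulate():
    # Constructed sample package contents (not taken from a real .deb).
    packaged = {
        "usr/bin/hello": b"\x7fELF constructed sample binary payload",
        "usr/share/doc/hello/README": b"constructed sample documentation\n",
    }
    # Manifest computed at build time and shipped inside the package.
    shipped = md5_manifest(packaged)

    # Unpacking: one bit toggles in one file on its way to disk.
    installed = dict(packaged)
    installed["usr/bin/hello"] = flip_bit(packaged["usr/bin/hello"], 5, 0)

    # Manifest generated locally at install time, from the already corrupt data.
    local = md5_manifest(installed)

    # Later integrity check of the installed files against each manifest.
    return verify(installed, shipped), verify(installed, local)

if __name__ == "__main__":
    against_shipped, against_local = simulate()
    print("mismatches against shipped manifest:", against_shipped)
    print("mismatches against locally generated manifest:", against_local)
```
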

