
Re: md5sums files

On Fri, Mar 05, 2010 at 11:45:38AM -0800, Russ Allbery wrote:
> Don Armstrong <don@debian.org> writes:
> > On Wed, 03 Mar 2010, Wouter Verhelst wrote:
> >> In this day and age of completely and utterly broken MD5[0], I think we
> >> should stop providing these files, and maybe provide something else
> >> instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop
> >> providing md5sums.
> > Is there any reason why we can't just modify dpkg-deb to create
> > DEBIAN/md5sums and DEBIAN/sha512sums and get archive coverage relatively
> > quickly, automatically, as things get rebuilt?
> Figuring out a better solution for why the files in /var/lib/ispell and
> /var/lib/aspell are excluded from the md5sums generation because they
> change after installation is probably needed if we're going to remove
> creation of those files from control of the packager.

Hashes at /var/lib/{a,i}spell are recreated on each package {re,}installation,
or after an {a,i}spell with an incompatible change is upgraded. This saves a
lot of problems when such transitions appear since all dictionary packages
suffering it get their hashes automatically upgraded.

The reason to have them listed by dpkg is that it is way more robust to let
dpkg control their removal than to play with maintainer scripts for that.

Those placeholders are usually created by a plain touch, with a unique

$ touch spanish.hash spanish2.hash
$ md5sum spanish2.hash spanish.hash 
d41d8cd98f00b204e9800998ecf8427e  spanish2.hash
d41d8cd98f00b204e9800998ecf8427e  spanish.hash

so if all files are to use md5sums (or whatever checksum hash), a file
under /var with that md5sum can be assumed to be a placeholder, expected
to change, so no problem if it changes. Keeping them out of dpkg control
(create/build/erase only from maintainer scripts) does not add any
security and makes it harder to know where those files come from (dpkg -S).
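
The rule proposed in the message above, as an added example that is not part of the original mail or of dpkg: a checker for an md5sums-style list that treats a changed file under /var as an expected placeholder change when its recorded digest is the empty-file MD5. The function names, status labels and sample paths are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 of zero bytes: the digest shown for the touch-created files above.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

def parse_md5sums(text):
    """Yield (digest, relative path) from "<hex digest>  <path>" lines."""
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            yield digest.lower(), path.strip()

def check(root, md5sums_text):
    """Classify listed files. Rule from the message: a file under /var recorded
    with the empty-file digest is a placeholder, so a change there is expected."""
    result = {}
    for recorded, rel in parse_md5sums(md5sums_text):
        full = Path(root, rel)
        if not full.is_file():
            result[rel] = "missing"
        elif hashlib.md5(full.read_bytes()).hexdigest() == recorded:
            result[rel] = "ok"
        elif recorded == EMPTY_MD5 and rel.startswith("var/"):
            result[rel] = "placeholder-changed"
        else:
            result[rel] = "MODIFIED"
    return result

def demo():
    """Constructed sample tree and list (paths are illustrative)."""
    files = {
        "var/lib/aspell/spanish.hash": b"rebuilt",   # regenerated after install
        "usr/share/doc/example/empty": b"tampered",  # empty digest, not under /var
        "usr/share/dict/example": b"words",          # unchanged
    }
    listing = (f"{EMPTY_MD5}  var/lib/aspell/spanish.hash\n"
               f"{EMPTY_MD5}  usr/share/doc/example/empty\n"
               f"{hashlib.md5(b'words').hexdigest()}  usr/share/dict/example\n")
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return check(root, listing)

if __name__ == "__main__":
    print(demo())
```

Under this rule the list still records which package owns a placeholder, but the regenerated contents of that file get no integrity coverage from it.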


