Re: md5sums

To: debian-policy@lists.debian.org
Subject: Re: md5sums
From: Charles Briscoe-Smith <cpbs@debian.org>
Date: Wed, 02 Dec 1998 15:41:29 +0000
Message-id: <[🔎] 199812021541.PAA08174@elm.ukc.ac.uk>

Hi all,

A few thoughts about these md5sums files:

First, what do we want file md5sums for?  As far as I know, the point
of the md5sums is to detect accidental corruption of installed files:
to check whether you have mistakenly edited an installed script which
wasn't a conffile, or to check which packages need reinstalling after
you've been careless with "rm".  It's not for security (that would
(IMHO) need digitally signed certificates from some competent, trusted
authority, and a write-protected medium containing a known-clean
kernel, the verification tool and everything needed to get it running,
and the public key(s) needed to check the certificates).

For detecting accidental deletions, I agree with those who've said that
there's no point including this information in the package.  However,
because there are old, slow machines still in use, and because the
md5sums file can be big, there needs to be an option not to generate
this data.  I have a 486DX2/66 PC here, on which I've just md5sumed a
171542382-byte compressed file (approx. 163MBytes), read off an ext2fs
on an IDE drive, and got these timings:

real    2m44.992s
user    1m59.110s
sys     0m31.640s

That's around a megabyte per second, on an old and creaky 486.  If this
was integrated into dpkg, that could be done mostly in parallel with
writing the file to the disk, and, on a fast machine or one with a slow
disk, might not slow down installation at all.

But those points have already been made....  The point I wanted to make
is that storing the md5sum (or another checksum) of the file isn't
enough.  We also need to store ownership (user and group), permissions,
and, for symlinks, destination.  While we're at it, file size and last
modification date would be good, too.  Arguably, the ownership and
permissions of a file are easier to accidentally corrupt than its
contents.

IIRC, RPM already does this.  It has a verify option, which checks
md5sums, ownerships and permissions.  I just tried to check this, but
www.rpm.org, which I'd assume to be a good place to check, seems to be
down.  Hmm...

-- 
Charles Briscoe-Smith
White pages entry, with PGP key: <URL:http://alethea.ukc.ac.uk/wp?95cpb4>
PGP public keyprint: 74 68 AB 2E 1C 60 22 94  B8 21 2D 01 DE 66 13 E2

Reply to:

Follow-Ups:
- Re: md5sums
  - From: Manoj Srivastava <srivasta@datasync.com>

Prev by Date: Question about policy-change process
Next by Date: Re: Question about policy-change process
Previous by thread: Re: md5sums
Next by thread: Re: md5sums
Index(es):
- Date
- Thread