Bug#572571: packages SHOULD ship checksums (a-la dh_md5sums, but better)
- To: Stefano Zacchiroli <email@example.com>, firstname.lastname@example.org
- Subject: Bug#572571: packages SHOULD ship checksums (a-la dh_md5sums, but better)
- From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
- Date: Fri, 5 Mar 2010 17:51:33 +0100
- Message-id: <20100305165133.GA4251@yellowpig>
- Reply-to: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, email@example.com
- In-reply-to: <20100304220045.GA13767@usha.takhisis.invalid>
- References: <firstname.lastname@example.org> <email@example.com> <20100303104725.GA18778@celtic.nixsys.be> <firstname.lastname@example.org> <4B8EB3B6.email@example.com> <20100303211921.GA11527@usha.takhisis.invalid> <firstname.lastname@example.org> <20100304081121.GA19497@usha.takhisis.invalid> <email@example.com> <20100304220045.GA13767@usha.takhisis.invalid>
On Thu, Mar 04, 2010 at 11:00:45PM +0100, Stefano Zacchiroli wrote:
> Package: debian-policy
> Severity: wishlist
> Version: 126.96.36.199
> [ For the full context, see the -devel thread starting at
> http://lists.debian.org/debian-devel/2010/03/msg00038.html ]
> On Thu, Mar 04, 2010 at 01:12:26PM -0800, Russ Allbery wrote:
> > > Russ, while we are at it, would you mind a bug report on the policy to
> > > suggest (starting at SHOULD?) to store md5sums in packages?
> > Not that I've had any time to work on Policy (or Lintian) in the last
> > month, but that does seem reasonable to me. It seems to be a widespread
> > best practice already, and a lot of people are turning up in this thread
> > to say that they find it useful.
> Here we go.
> Currently, packages ship file checksums which are computed at package
> build time by means of dh_md5sums (usually), and stored under
> /var/lib/dpkg/info/*md5sums. Several people find those checksums
> useful, mostly for file corruption detection a-la CRC.
> Empirical tests show that the archive coverage is pretty good, most
> packages seem to ship those checksums.
> Hence, there is a desire to turn a similar feature into, for a start, a
> SHOULD requirement, meant to become a MUST later on.
If we are moving that way, maybe it would make sense for the checksums
to be generated by dpkg-buildpackage.
Imagine a large red swirl here.
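
An added example, not part of the original message and not dpkg's own code: a minimal verifier for md5sums-style manifests like those the thread describes under /var/lib/dpkg/info/*md5sums. It assumes each line is an MD5 hex digest, two spaces, and a path relative to the filesystem root; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, bufsize=65536):
    """Stream a file through MD5 so large files are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest_text, root="/"):
    """Check files under `root` against '<md5hex>  <relative path>' lines.

    Returns a dict with 'changed', 'missing' and 'malformed' lists.
    """
    result = {"changed": [], "missing": [], "malformed": []}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 32 or not rel:
            result["malformed"].append(line)  # report, do not silently skip
            continue
        path = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif md5_of(path) != digest.lower():
            result["changed"].append(rel)
    return result

def demo():
    """Constructed sample: a throwaway tree standing in for an installed package."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/tool": b"binary\n", "usr/lib/tool/helper": b"helper\n",
                 "usr/share/doc/tool/README": b"docs\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"\x00")  # simulate on-disk corruption after the manifest was built
        os.remove(os.path.join(root, "usr/lib/tool/helper"))
        return verify_manifest(manifest + "not a checksum line\n", root)

if __name__ == "__main__":
    print(demo())
```

Because the manifest is stored on the same system as the files it covers, a check like this serves the corruption-detection use the thread describes (a-la CRC), not detection of deliberate tampering.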