On 3/1/06, Giacomo A. Catenazzi <[EMAIL PROTECTED]> wrote:
> I think that:
> - it is wrong to check MD5 at the "remote" site.

It is at most useless, not wrong, but I don't agree even with that. Interrupted transfers or errors could damage the deb packages. Detecting that immediately can help the user not waste time and download the deb again.

> wget should already give the right image (check sums,..
> maybe we don't check if wget was interrupted),

I am doubtful that wget could get the checking up to the level that md5sum does; it does timeouts and similar things, but it can't rival md5sum. The http and ftp protocols might (I am not sure, and lean to think that they do) have a parity check, but the checksum is another issue and catches a lot more problems (multiple errors might not be detected by parity checks or even two-bit checks). This info is available; why should we not use it when it is possible and wanted?

> and
> there is (IMHO) higher probability that package
> will be corrupted in the transport medium.

Probably, but that does not diminish the fact that detecting a corruption asap is a good thing. <sarcasm>Taking into account that all the debs are put in a single tar, that would mean that we have a higher chance to lose either all or nothing (oops :-) while transporting, and md5sum checking is useless in that case, too</sarcasm>, but that is a totally different issue.

> So md5 should be done on the target machine.

Why? Still you haven't convinced me of the reason why md5sum checking is bad. If you really want, you could specify that no md5sum checking should be done when running apt-zip-list on the target. I feel that dropping md5sums altogether is a major regression in functionality.

> A lot of systems have no md5 support.

I agree; just run on the target:

apt-zip-list --no-md5 <whatever parameters you like>

and you will prevent that, too. This would be possible, as I intend to make the checking optional. Hell, it could even check if the command is really available on the system before using it.

> - IIRC (but I should check): at the installation
> time apt-get and dpkg check md5 for consistency
> (maybe not enabled by default).

I doubt that; the only place where md5 is present in the apt-get man page is the --print-uris section:

Instead of fetching the files to install their URIs are printed. Each URI will have the path, the destination file name, the size and the expected md5 hash. Note that the file name to write to will not always match the file name on the remote site! This also works with the source and update commands. When used with the update command the MD5 and size are not included, and it is up to the user to decompress any compressed files. Configuration Item: APT::Get::Print-URIs.

Also, searching for "check" in apt-get's manual leads us to:

"If packages cannot be retrieved or fail the integrity check after retrieval (corrupted package files)"

It is pretty clear that apt does md5sum packages. Moreover, the md5sum command is provided by the dpkg package, so I guess checking the checksums is not an option, but a prerequisite.

> (ok, the md5 provided by the package, not by the
> system in the fetch script,

I don't understand; the checksums we are using are the ones taken from Packages files by the system through "apt-get --print-uris". We are not talking about any other checksums.

> but for an anti trojan
> check, user need to use packages signatures (already
> implemented in unstable)

What about download corruptions?

> - a md5 will make difficult to update system with
> newer package. (but it is not yet implemented).

One will never get a newer version of a package that has the same name; apt-zip 0.13.5's deb is a totally different beast and file from apt-zip 0.13.4's. OTOH, the offline functionality (making updates based on package names got from the target and deciding the URLs on the connected machine) should make sure that md5sums are either copied according to the current official Packages file got on the connected machine or just ignored.

So, versions, md5sums and real URLs should be decided on the connected machine.

Still not convinced :-) and hoping to make you agree with me :o)

--
Regards,
EddyP
=============================================
"Imagination is more important than knowledge" A.Einstein
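The check argued for above, as an added example that is not part of the thread or of apt-zip itself: parse the `'URI' filename size MD5Sum:hex` lines that `apt-get --print-uris` emits (that line format is an assumption; newer apt versions print `SHA256:` instead, which is also accepted) and verify each fetched deb against size and checksum on the connected machine, reporting which ones must be fetched again.

```python
"""Check fetched .deb files against the size and MD5 sum that 'apt-get
--print-uris' reports. Added example, not apt-zip's own code; assumed line
format: 'URI' filename size MD5Sum:hex (newer apt prints SHA256:, also accepted)."""
import hashlib
import re
import tempfile
from pathlib import Path

_LINE = re.compile(r"^'(?P<uri>[^']+)'\s+(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<algo>\w+):(?P<digest>\w+)$")
_ALGOS = {"md5sum": "md5", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}

def parse_print_uris(text):
    """Parse --print-uris output into dicts with uri/name/size/algo/digest."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised --print-uris line: %r" % line)
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["algo"] = _ALGOS[e["algo"].lower()]  # KeyError if apt used a hash we don't know
        entries.append(e)
    return entries

def verify_fetched(directory, entries):
    """Map each filename to 'ok' or the reason it must be fetched again.
    Size is checked first: it is cheap and catches interrupted transfers."""
    status = {}
    for e in entries:
        path = Path(directory, e["name"])
        if not path.exists():
            status[e["name"]] = "missing"
        elif path.stat().st_size != e["size"]:
            status[e["name"]] = "size mismatch"
        else:  # whole-file read is fine for .deb sizes
            digest = hashlib.new(e["algo"], path.read_bytes()).hexdigest()
            status[e["name"]] = "ok" if digest == e["digest"].lower() else "checksum mismatch"
    return status

def demo():
    """Constructed fetch directory: one intact deb, one with corrupted bytes, one never fetched."""
    good, bad = b"deb-contents-ok", b"deb-contents-XX"  # same length, so only the sum differs
    expect = "%d MD5Sum:%s" % (len(good), hashlib.md5(good).hexdigest())
    lines = "\n".join("'http://example.invalid/pool/%s' %s %s" % (n, n, expect)
                      for n in ("apt-zip_0.13.4_all.deb", "foo_1.0_all.deb", "bar_2.0_all.deb"))
    with tempfile.TemporaryDirectory() as d:
        Path(d, "apt-zip_0.13.4_all.deb").write_bytes(good)
        Path(d, "foo_1.0_all.deb").write_bytes(bad)
        return verify_fetched(d, parse_print_uris(lines))
```

The constructed sample has the same size for the intact and the corrupted deb, so the second one is only caught by the checksum, which is the point the thread makes about parity checks versus md5sum.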

