SJS wrote:
The filename, size, and mtime are
useful metadata for this purpose, despite being both insufficient and
untrustworthy. These defects can be dealt with in various ways, which
would be another conversation.
Yes, let's have that conversation.
The filename is just a label that you, the user, can change at will, and
wget will do so as well. The curl command doesn't even give you that --
you, the user, need to decide on the local filename.
Size should *never* be obtained from the remote source -- it should be
calculated from the object itself, locally, always. Remote reports of
the purported size should be treated as a guideline for the user, but
not as transmitted metadata.
And we've already discussed mtime.
How do you see these 'defects' being dealt with?
Well, in theory every download should compute the hash and check against
the one you received from offline somewhere.
In reality, that's a PITA.
From my point of view, you use different levels of paranoia depending
upon the situation.
If I'm just pulling things to look at them, I'm not going to get too
bent out of shape. I'll rely on the timestamp to say "it's the same".
If I'm pulling things in order to compile something up, it gets hashed.
I've learned my lesson the hard way on this, and I won't screw it up
anymore. Before debugging crap, I now demand the hashes on the tarballs.
If I'm pulling a distribution, I'll probably hash it once and never
trust anything about the net again.
-a
--
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
