md5 sums (or sha1 for extra security) could be useful if there's ever any interest in signing spkgs in the future (official or 3rd party ones).
- Robert On Oct 21, 2007, at 3:28 PM, Pablo De Napoli wrote: > > My idea was actually the second one, so nothing has to be changed in > current sage packages.I don't see this as so painfull (as the > > Debian is currently doing something similar for debian packages > (actually for each Debian package there are 3 sources files: > a .dsc file, with description and checksum, .diff.gz (the differencies > as a patch to pristine sources) and .orig.tar.gz (the pristine > sources) > > I think that this good be a good model to follow. > > But yes, perhaps is just having tar to report if the opeation of > unpacking was sucessfull or not. > > Pablo > > On 10/21/07, William Stein <[EMAIL PROTECTED]> wrote: >> >> On 10/21/07, Pablo De Napoli <[EMAIL PROTECTED]> wrote: >>> >>> I'm currently working on ticket #329 >>> >>> My idea is adding to each .spkg file a .spkg.md5 file with the >>> md5checksum >>> This should prevent file corruption. >> >> Are you literally "adding to each .spkg file". If so, >> make sure this is completely automatic. I.e., whenever anybody does >> sage -pkg directory-version >> the md5 file is created inside the resulting spkg. What are you >> going to create the md5 hash of, by the way, given that the spkg >> doesn't exist when you create the md5 hash to add to the spkg? >> The alternative is that we have to have separate files >> directory-version.spkg >> and >> directory-version.spkg.md5 >> and then whenever anybody ever wants to trade spkgs, they have >> to copy around, get, etc. 2 separate files. That would be painful >> in practice. >> >> Just out of curiosity, shouldn't tar report if the file it is >> unpacking is somehow corrupt? Why do we need md5 hashes at all >> if the whole point is to determine whether or not a download of >> a .tar.bz2 file (an spkg) was corrupted or not? Should we be >> able to get that information from tar during the extract process, >> or at least change how we make the tarball so that information >> is available. >> >> I really don't want to have to keep track of twice as many files >> if it isn't absolutely necessary. >> >> >>> >>> I've already reimplemented the md5sum standard utility (from the >>> coreutils package) in python (using the md5 module), so that we >>> don't need to add an extra dependency to sage. >>> >>> I still have to modify the logic of the scripts (sage-download- >>> package, etc.) >>> so that they do the right thing. >>> >>> Pablo >>> >>> >>> >>> >>> On 10/20/07, Timothy Clemans <[EMAIL PROTECTED]> wrote: >>>> >>>> Hi, >>>> >>>> I think I have done "sage -upgrade" a few times when William was in >>>> the process of uploading a new release. I think it would be >>>> helpful if >>>> Sage would check a file on sagemath that gave the latest release >>>> that >>>> had been completed uploaded. Another possibility might be that >>>> William >>>> would upload the files to directories that Sage doesn't look in and >>>> then move them over to the release directories after they have been >>>> completely uploaded. >>>> >>>> Timothy >>>> >>>>> >>>> >>> >>>> >>> >> >> >> -- >> William Stein >> Associate Professor of Mathematics >> University of Washington >> http://wstein.org >> >>> >> > > --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-devel URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/ -~----------~----~----~----~------~----~------~--~---
