On Monday, January 12, 2015 at 4:13:33 PM UTC-8, François wrote:
>
> I agree with you that it is not deterministic. What is really important is
> that the checksums and the tarball come from a source you trust and are in
> agreement.
>

The checksum of the file itself is simply a way of establishing that the 
*file* is bitwise identical to your reference copy. 
 

> It is a simple security measure and I am not sure there is value in making
> it deterministic. I have a feeling that if you want to do that we may have
> to change packaging tool radically.
>

It actually isn't, but computing the sum is very likely going to involve 
unpacking the archive, after which 
http://stackoverflow.com/questions/1657232/how-can-i-calculate-an-md5-checksum-of-a-directory
might give you some ideas on how to get a "deterministic" checksum of a 
directory tree (there are more complications than one would expect 
initially!). There may be prepackaged solutions such as tarsum (I have no 
experience with that), but there are plenty of "one-liners" available, 
although they do stretch the concept of what a line is a bit.

Note that computing a checksum to compare two directory trees (or two tar 
files) only makes sense if they are sitting on separate systems and you 
can't afford sending one to the other. If you have the two trees readily 
available, you can just use the recursive features of diff to compare the 
trees.

You will have to choose how much of the meta-data you want to check. 
Modification dates and ownership are probably not relevant, but permissions 
possibly are. 
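
[Added example, not part of the original message and not Sage's packaging code: one way to compute a deterministic digest of an unpacked tree that covers paths, file contents, symlink targets and permission bits while ignoring modification dates and ownership. The names tree_digest, _make_tree and demo, and the sample file names, are hypothetical.]

```python
import hashlib, os, stat, tempfile

def tree_digest(root, include_mode=True):
    """SHA-256 over sorted (type, relative path, mode, content) records under root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((os.fsencode(rel), full))
    h = hashlib.sha256()
    for rel, full in sorted(entries):  # fixed order, independent of the filesystem
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            kind, body = b"l", os.fsencode(os.readlink(full))  # hash the target text
        elif stat.S_ISDIR(st.st_mode):
            kind, body = b"d", b""  # keeps empty directories visible
        elif stat.S_ISREG(st.st_mode):
            with open(full, "rb") as f:
                kind, body = b"f", hashlib.sha256(f.read()).digest()
        else:
            raise ValueError("unsupported file type: %r" % full)
        # Permission bits only; ownership and timestamps are deliberately left out.
        mode = stat.S_IMODE(st.st_mode) if include_mode and kind != b"l" else 0
        rec = b"\0".join([kind, rel, b"%04o" % mode, body])
        h.update(len(rec).to_bytes(8, "big") + rec)  # length prefix avoids ambiguity
    return h.hexdigest()

def _make_tree(root, names, mtime):
    """Constructed sample tree: each file holds a fixed string and a chosen mtime."""
    for name in names:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("contents of " + name)
        os.utime(path, (mtime, mtime))

def demo():
    names = ["src/a.py", "src/b.py", "README"]
    with tempfile.TemporaryDirectory() as t1, tempfile.TemporaryDirectory() as t2:
        _make_tree(t1, names, 1_000_000_000)
        _make_tree(t2, list(reversed(names)), 1_400_000_000)  # other order and dates
        same = tree_digest(t1) == tree_digest(t2)
        os.chmod(os.path.join(t1, "README"), 0o644)
        os.chmod(os.path.join(t2, "README"), 0o755)  # permission drift in one copy
        mode_detected = tree_digest(t1) != tree_digest(t2)
        mode_ignored = tree_digest(t1, False) == tree_digest(t2, False)
    return same, mode_detected, mode_ignored
```
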
