#329: add md5sums for spkgs
----------------------------------------------+-----------------------------
       Reporter:  was                         |         Owner:  pdenapo
           Type:  enhancement                 |        Status:  positive_review
       Priority:  blocker                     |     Milestone:  sage-6.0
      Component:  scripts                     |    Resolution:
       Keywords:                              |   Work issues:
Report Upstream:  N/A                         |     Reviewers:  David Kirkby, John Palmieri, R. Andrew Ohana
        Authors:  Dan Drake, Robert Bradshaw  |     Merged in:
   Dependencies:                              |      Stopgaps:
----------------------------------------------+-----------------------------

Old description:

> {{{
> I've noticed that sage has problems with the integrity of sage-
> packages.
>
> Suppose that you have partially downloaded a file, but for whatever reason
> it gets truncated.
> Then sage won't check its integrity before installing.
>
> I would suggest adding to each file an md5 sum (or perhaps better a gpg
> signature, but this could be difficult since we need anybody to be
> able to build their own sage packages)
> [in a file like package-name.spkg.md5 or package-name.spkg.signature]
> and make sage check this md5sum is correct.
> [and if not, download it again]
>
> [Most Linux distributions do this somehow, for example Gentoo keeps
> md5sums in the manifests in the portage tree, I think that a good
> model also would be Debian. For each package, Debian sources consist
> of 3 files:
>
> - package.dsc: a description and the md5sum of the
> package.orig.tar.gz, and package.diff.gz for checking the integrity of
> the package
> - packages.orig.tar.gz: the pristine sources from the upstream author
> - the .diff.gz with the modifications specific to Debian
>
> (by keeping separated the upstream sources, and the Debian
> modifications, Debian makes clear which modifications are specific to
> Debian)
>
> I think that sage could adopt a similar approach for their packages
>
> best regards,
> Pablo
> }}}
>
>  * Ticket #7617 implements the integrity check procedure below for the
> SageTeX spkg.
>
> Apply
>
>  - [attachment:trac_329_sage_scripts.patch]
>  - [attachment:trac_329-ref.patch]
>
> to the scripts repo.

New description:

 {{{
 I've noticed that sage has problems with the integrity of sage-
 packages.

 Suppose that you have partially downloaded a file, but for whatever reason
 it gets truncated.
 Then sage won't check its integrity before installing.

 I would suggest adding to each file an md5 sum (or perhaps better a gpg
 signature, but this could be difficult since we need anybody to be
 able to build their own sage packages)
 [in a file like package-name.spkg.md5 or package-name.spkg.signature]
 and make sage check this md5sum is correct.
 [and if not, download it again]

 [Most Linux distributions do this somehow, for example Gentoo keeps
 md5sums in the manifests in the portage tree, I think that a good
 model also would be Debian. For each package, Debian sources consist
 of 3 files:

 - package.dsc: a description and the md5sum of the
 package.orig.tar.gz, and package.diff.gz for checking the integrity of
 the package
 - packages.orig.tar.gz: the pristine sources from the upstream author
 - the .diff.gz with the modifications specific to Debian

 (by keeping separated the upstream sources, and the Debian
 modifications, Debian makes clear which modifications are specific to
 Debian)

 I think that sage could adopt a similar approach for their packages

 best regards,
 Pablo
 }}}

  * Ticket #7617 implements the integrity check procedure below for the
 SageTeX spkg.

 To apply:
   * Merge the checksums branch at https://github.com/ohanar/sage
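
The check described in the ticket (verify a downloaded spkg against a `package-name.spkg.md5` sidecar and download again on mismatch), sketched as an added example; it is not code from the patches or the checksums branch. The function names and the `download` callable are hypothetical, and the `algo` parameter lets the same logic use a stronger digest such as `sha256`, since an md5 sidecar catches truncation and corruption but does not authenticate the package the way the signature option mentioned in the ticket would.

```python
import hashlib
import hmac
import os


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash the file in chunks so large spkgs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def read_sidecar(path, algo="md5"):
    """Return the expected hex digest from <path>.<algo>, or None if unusable.

    Accepts a bare digest or an md5sum(1)-style "digest  filename" line.
    """
    sidecar = f"{path}.{algo}"
    if not os.path.isfile(sidecar):
        return None
    with open(sidecar, encoding="ascii", errors="replace") as f:
        fields = f.readline().split()
    expected = fields[0].lower() if fields else ""
    size = hashlib.new(algo).digest_size * 2
    if len(expected) != size or any(c not in "0123456789abcdef" for c in expected):
        return None  # a malformed sidecar is treated like a missing one
    return expected


def verify_spkg(path, algo="md5"):
    """True only if the file exists and matches its sidecar digest."""
    expected = read_sidecar(path, algo)
    if expected is None or not os.path.isfile(path):
        return False  # fail closed: no usable checksum means no install
    return hmac.compare_digest(file_digest(path, algo), expected)


def fetch_verified(path, download, attempts=3, algo="md5"):
    """Call the hypothetical download(path) until the file verifies."""
    for _ in range(attempts):
        if verify_spkg(path, algo):
            return True
        if os.path.exists(path):
            os.remove(path)  # discard the truncated or corrupt copy
        download(path)
    return verify_spkg(path, algo)
```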

--

Comment (by rohana):

 Jeroen, if you don't mind, I'd like to mark this as fixed and merge the
 changes into the git repository.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/329#comment:58>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
