#329: add md5sums for spkgs
---------------------------+------------------------------------------------
Reporter: was | Owner: pdenapo
Type: enhancement | Status: new
Priority: minor | Milestone: sage-4.3.2
Component: packages | Keywords:
Author: | Upstream: N/A
Reviewer: | Merged:
Work_issues: |
---------------------------+------------------------------------------------
Changes (by mvngu):
* upstream: => N/A
Old description:
> {{{
> I've noticed that sage has problems with the integrity of
> sage-packages.
>
> Suppose that you have partially downloaded a file, but for whatever
> reason it gets truncated.
> Then sage won't check its integrity before installing.
>
> I would suggest adding to each file an md5 sum (or perhaps better a gpg
> signature, but this could be difficult since we need anybody to be
> able to build their own sage packages)
> [in a file like package-name.spkg.md5 or package-name.spkg.signature]
> and make sage check this md5sum is correct.
> [and if not, download it again]
>
> [Most Linux distributions do this somehow, for example Gentoo keeps
> md5sums in the manifests in the portage tree, I think that a good
> model also would be Debian. For each package, Debian sources consist
> of 3 files:
>
> - package.dsc: a description and the md5sum of the
> package.orig.tar.gz, and package.diff.gz for checking the integrity of
> the package
> - packages.orig.tar.gz: the pristine sources from the upstream author
> - the .diff.gz with the modifications specific to Debian
>
> (by keeping separated the upstream sources, and the Debian
> modifications, Debian makes clear which modifications are specific to
> Debian)
>
> I think that sage could adopt a similar approach for their packages
>
> best regards,
> Pablo
> }}}
New description:
{{{
I've noticed that sage has problems with the integrity of
sage-packages.

Suppose that you have partially downloaded a file, but for whatever
reason it gets truncated.
Then sage won't check its integrity before installing.

I would suggest adding to each file an md5 sum (or perhaps better a gpg
signature, but this could be difficult since we need anybody to be
able to build their own sage packages)
[in a file like package-name.spkg.md5 or package-name.spkg.signature]
and make sage check this md5sum is correct.
[and if not, download it again]

[Most Linux distributions do this somehow, for example Gentoo keeps
md5sums in the manifests in the portage tree, I think that a good
model also would be Debian. For each package, Debian sources consist
of 3 files:

- package.dsc: a description and the md5sum of the
package.orig.tar.gz, and package.diff.gz for checking the integrity of
the package
- packages.orig.tar.gz: the pristine sources from the upstream author
- the .diff.gz with the modifications specific to Debian

(by keeping separated the upstream sources, and the Debian
modifications, Debian makes clear which modifications are specific to
Debian)

I think that sage could adopt a similar approach for their packages

best regards,
Pablo
}}}
* Ticket #7617 implements the integrity check procedure below for the
SageTeX spkg.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/329#comment:6>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
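
The check proposed in the description, as an added example (not part of the ticket and not Sage's own code): verify a downloaded spkg against its `package-name.spkg.md5` sidecar and refuse to install when the file is truncated or no usable checksum exists. The function names, file names and sample payload are constructed for illustration; an MD5 sidecar only catches accidental corruption, which is why the description also raises signatures.

```python
import hashlib
import hmac
import os
import tempfile

def file_md5(path, chunk_size=1 << 20):
    """Hash in chunks so a large spkg is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def read_sidecar(md5_path):
    """Accept 'HEX' or md5sum-style 'HEX  name'; reject anything malformed."""
    with open(md5_path, "r", encoding="ascii") as fh:
        fields = fh.read().split()
    expected = fields[0].lower() if fields else ""
    if len(expected) != 32 or set(expected) - set("0123456789abcdef"):
        raise ValueError("malformed checksum file: %s" % md5_path)
    return expected

def verify_spkg(spkg_path):
    """True only if spkg_path matches the digest in spkg_path + '.md5'."""
    try:
        return hmac.compare_digest(read_sidecar(spkg_path + ".md5"), file_md5(spkg_path))
    except (OSError, ValueError):
        return False  # fail closed: no usable checksum means do not install

def demo():
    """Constructed data: a truncated download, a complete one, no sidecar."""
    payload = b"constructed spkg payload\n" * 4096
    digest = hashlib.md5(payload).hexdigest()
    cases = {"truncated": payload[: len(payload) // 2], "complete": payload}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in cases.items():
            path = os.path.join(tmp, name + "-1.0.spkg")  # hypothetical names
            with open(path, "wb") as fh:
                fh.write(data)
            with open(path + ".md5", "w", encoding="ascii") as fh:
                fh.write("%s  %s\n" % (digest, os.path.basename(path)))
            results[name] = verify_spkg(path)
        os.remove(path + ".md5")  # complete file, checksum now missing
        results["no_sidecar"] = verify_spkg(path)
    return results

if __name__ == "__main__":
    print(demo())
```

A caller would re-download when `verify_spkg` returns `False`, as the description suggests, rather than proceed to installation.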