Jörg Sommer [EMAIL PROTECTED] wrote:
Sorry, I can't remember the name of the package.
That must be cm-super.
--
Florent
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
On Die, 04 Sep 2007, Florent Rougon wrote:
Sorry, I can't remember the name of the package.
That must be cm-super.
Yup, cm-super does this trick. I once wanted to undo this and ship the
font files directly, but got quite a lot of requests why the packages
has gotten soo big.
From the rules
Norbert Preining [EMAIL PROTECTED] writes:
On Die, 04 Sep 2007, Florent Rougon wrote:
Sorry, I can't remember the name of the package.
That must be cm-super.
Yup, cm-super does this trick. I once wanted to undo this and ship the
font files directly, but got quite a lot of requests why
Hi Russ,
Russ Allbery [EMAIL PROTECTED] wrote:
A Mennucc [EMAIL PROTECTED] writes:
BTW, I also encountered a strange bug : sometimes the md5sums file
contains MD5 of files that are not shipped. This is printed as a warning
in my server. If MD5 will become a release goal, this should be
On Mon, Aug 27, 2007 at 12:04:51PM +0200, A Mennucc wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Stefano Zacchiroli ha scritto:
In an attempt to prevent drift to a well-known counter argument:
DEBIAN/md5sums (used by debsums) are *not* intended as a mean to counter
security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Javier Fernández-Sanguino Peña ha scritto:
On Mon, Aug 27, 2007 at 12:04:51PM +0200, A Mennucc wrote:
I think I already pointed people interested in this to #268658.
If ftpmasters where given the tools to implement this seamlessly then you
could
On Tue, Aug 28, 2007 at 11:01:06PM +0200, A Mennucc wrote:
Javier Fernández-Sanguino Peña ha scritto:
On Mon, Aug 27, 2007 at 12:04:51PM +0200, A Mennucc wrote:
I think I already pointed people interested in this to #268658.
If ftpmasters where given the tools to implement this seamlessly
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
hi
just for the record : debdelta uses md5sums (when available) as a way
to speed up delta creation, to rapidly detect if there are any identical
files in the archives. So , yes, I (*) would be happy if md5sums where
always available.
BTW, I also
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Marc 'HE' Brockschmidt ha scritto:
Yes, that sounds like a good idea. It might also be interesting to not
put those into the control.tar.gz, but directly into the deb, so that it
can easily be extracted.
I do not agree, for two reasons:
1) it is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Lars Wirzenius ha scritto:
It strikes me that if we want to make it policy, having dpkg generate
the checksums upon creating the .deb would be the simplest and best way
to do it. This way we wouldn't have to change packages to do it, and if
we
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Stefano Zacchiroli ha scritto:
In an attempt to prevent drift to a well-known counter argument:
DEBIAN/md5sums (used by debsums) are *not* intended as a mean to counter
security attacks, since they can be easily altered.
If md5sums become part
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peter Samuelson ha scritto:
[Lars Wirzenius]
It strikes me that if we want to make it policy, having dpkg generate
the checksums upon creating the .deb would be the simplest and best
way to do it.
I'd opt for dpkg generating the checksums upon
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Goswin von Brederlow ha scritto:
So why waste all the mirror space and bandwith for something rather
useless?
I did not do statistics; but, knowing how compression works, I would
estimate that the cost of shipping md5sums is ~ 20 bytes for each
A Mennucc [EMAIL PROTECTED] writes:
BTW, I also encountered a strange bug : sometimes the md5sums file
contains MD5 of files that are not shipped. This is printed as a warning
in my server. If MD5 will become a release goal, this should be
corrected as well : in case, I will send bug reports.
Goswin von Brederlow wrote:
So why waste all the mirror space and bandwith for something rather
useless?
Naïve approximation follows:
Repacking my local apt cache (227 packages, although some are different
versions of the same one) without md5sums files yields a gain of 980102
bytes = 957.13
* Pierre Habouzit
* Date: Fri, 17 Aug 2007 15:22:05 +0200
[]
Yes, that sounds like a good idea. It might also be interesting to not
put those into the control.tar.gz, but directly into the deb, so that it
can easily be extracted.
OTOH that sucks because it would mean that we have to
Romain Francoise [EMAIL PROTECTED] writes:
Stefano Zacchiroli [EMAIL PROTECTED] writes:
[ fully quoting my original request, for the sake of context
preservation ]
Thanks for initiating the discussion! :-)
On Fri, Aug 17, 2007 at 09:04:13AM +0200, Luk Claes wrote:
With more than 600
On Fri, Aug 24, 2007 at 03:16:28PM +0200, Goswin von Brederlow wrote:
I fail to see any reason to HAVE a md5sums file.
It looks like you have not read all the thread, other's have made some
good points as to why it's good. Just in case I'm going to voice my opinion
here again and see if I can
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
On Fri, Aug 24, 2007 at 03:16:28PM +0200, Goswin von Brederlow wrote:
I fail to see any reason to HAVE a md5sums file.
It looks like you have not read all the thread, other's have made some
good points as to why it's good. Just in case
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
From http://blog.orebokech.com/2007/08/debian-packages-without-md5sums.html:
Random testing of my local Debian mirror shows that 644 binary packages out
of 20774 (3.1%) are missing the DEBIAN/md5sums control file.
As of today my counter
On Fri, Aug 24, 2007 at 05:15:51PM +0200, Goswin von Brederlow wrote:
It looks like you have not read all the thread, other's have made some
good points as to why it's good. Just in case I'm going to voice my opinion
here again and see if I can convicen you (and other's listening) :)
Which
Luk Claes [EMAIL PROTECTED] writes:
With more than 600 issues, it's a bit early to make it a release
goal IMHO. Though making maintainers aware by upgrading the lintian
check to a warning and discussion on debian-devel about which
exceptions are warranted (and possible mass bug filing) will
Hello Javier,
Am 2007-08-20 23:30:26, schrieb Javier Fernández-Sanguino Peña:
BTW, NIST provides a very handy information called the National Software
Reference Library (NSRL, http://www.nsrl.nist.gov/) which comes also very
handy for either forensic analysis or setting up a baseline of known
On Fri, Aug 17, 2007 at 07:04:39PM -0500, Peter Samuelson wrote:
[Russ Allbery]
While it's not the be-all and end-all of security, other OS vendors
(Sun in particular) have found it useful to make available a central
database of MD5 checksums of known-good versions of various binaries.
On Fri, Aug 17, 2007 at 04:47:38PM -0700, Russ Allbery wrote:
Peter Samuelson [EMAIL PROTECTED] writes:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. We already claim that the md5sums file isn't supposed to be any
kind of security thing. Why bother to ship
Stefano Zacchiroli wrote:
And even in this case, I still see as not harmful proceeding to fix the
packages which are not using dh_md5sums atm.
I agree.
One of the reason is that no one yet showed code implementing this in
dpkg
#155676 actually
--
see shy jo
signature.asc
Description:
Stefano Zacchiroli [EMAIL PROTECTED] writes:
Can you please upload this to people.debian.org or somewhere, and
maybe keep it periodically updated?
Updated daily at http://people.debian.org/~rfrancoise/md5sums-check/
--
,''`.
: :' :Romain Francoise [EMAIL PROTECTED]
`. `'
Adeodato Simó [EMAIL PROTECTED] writes:
Adeodato Simó [EMAIL PROTECTED]
amarok-engines
This is a false positive. The package only ships
/usr/share/doc/amarok-engines, which is a symlink.
Thanks, the script now checks that the package has at least one
regular file.
--
,''`.
: :' :
On Sun, Aug 19, 2007 at 05:25:17PM +0200, Romain Francoise wrote:
Updated daily at http://people.debian.org/~rfrancoise/md5sums-check/
Wonderful, thanks!
Small feature request, can you please invoke dd-list passing -u ?
--
Stefano Zacchiroli -*- PhD in Computer Science ... now
Stefano Zacchiroli [EMAIL PROTECTED] writes:
Small feature request, can you please invoke dd-list passing -u ?
-u is the default but I don't like it much since it makes the list
longer than it really is. But I've now dropped -nou on the
assumption that you know better than me. :)
Cheers,
--
Hi,
On Sat, 2007-08-18 at 09:43:06 +1000, Anthony Towns wrote:
On Fri, Aug 17, 2007 at 05:05:28PM -0500, Peter Samuelson wrote:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. [...]
Where's the code for that?
Changing write_filelist_except to update a new .md5
On Fri, 17 Aug 2007 12:35:30 +0200, Romain Francoise
[EMAIL PROTECTED] said:
Manoj Srivastava [EMAIL PROTECTED]
angband angband-doc c2man calc flex-old flex-old-doc
libgraphics-colordeficiency-perl libgraphics-colornames-perl
libgraphics-colorobject-perl libmodule-load-perl
On Sat, Aug 18, 2007 at 02:15:31AM +0300, Lars Wirzenius wrote:
dpkg could do its own checksum generation only if there isn't one in the
package already, or something like that. These special cases can surely
be worked around.
Yes, probably the right solution.
And even in this case, I still
la, 2007-08-18 kello 10:16 +0200, Stefano Zacchiroli kirjoitti:
One of the reason is that no one yet showed code implementing this in
dpkg and we don't know a timeframe for this, while we know how to get it
working right now with dh_md5sums. The other reasons is that once we
have the support
[Sven Mueller]
He doesn't give any information _why_ this complicates packaging
Because you then have to handle removal explicitly in postrm, rather
than just letting dpkg take care of it.
However, I don't agree that this complicates things enough to justify
doing it. Especially when you end
On Sat, Aug 18, 2007 at 03:13:32AM +0200, Sven Mueller wrote:
He doesn't give any information _why_ this complicates packaging that
much, while his decision imposes additional work and complexity on
others (be it the exception in lintian and probably linda or the
difference between dpkg -L
* Peter Samuelson [EMAIL PROTECTED] [070818 00:06]:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. We already claim that the md5sums file isn't supposed to be any
kind of security thing. Why bother to ship it? It is redundant
information which can easily be
On Sat, Aug 18, 2007 at 01:27:45AM +0200, Sven Mueller wrote:
Kurt Roeckx schrieb:
On Fri, Aug 17, 2007 at 11:25:38AM -0700, Russ Allbery wrote:
Some packages (aspell and ispell packages in particular) ship files
that they then modify in maintainer scripts and intentionally exclude
them
On Sat, Aug 18, 2007 at 11:05:37AM +0200, Kurt Roeckx wrote:
On Sat, Aug 18, 2007 at 03:13:32AM +0200, Sven Mueller wrote:
He doesn't give any information _why_ this complicates packaging that
much, while his decision imposes additional work and complexity on
others (be it the exception
On Sat, Aug 18, 2007 at 06:33:40PM +0200, Agustin Martin wrote:
On Sat, Aug 18, 2007 at 11:05:37AM +0200, Kurt Roeckx wrote:
The aspell-autobuildhash / ispell-autobuildhash manpage says create an
empty .compat, or one with 0 in it. I guess most people just create the
empty one. This file
[ fully quoting my original request, for the sake of context
preservation ]
On Fri, Aug 17, 2007 at 09:04:13AM +0200, Luk Claes wrote:
Stefano Zacchiroli wrote:
[ Assuming is not too late to propose release goals of course ]
Hi, a long time ago we were wondering to have DEBIAN/md5sums
Stefano Zacchiroli [EMAIL PROTECTED] writes:
[ fully quoting my original request, for the sake of context
preservation ]
Thanks for initiating the discussion! :-)
On Fri, Aug 17, 2007 at 09:04:13AM +0200, Luk Claes wrote:
With more than 600 issues, it's a bit early to make it a release
On Fri, Aug 17, 2007 at 10:07:36AM +0200, Romain Francoise wrote:
Thanks for initiating the discussion! :-)
Well, no, thank you, it's actually you who initiated the discussion :)
One thing I've been pondering about is: are there any good reasons
*not* to have an md5sums control file?
I fail
pe, 2007-08-17 kello 10:07 +0200, Romain Francoise kirjoitti:
It seems to me that the time spent to generate it on the buildds is
probably insignificant compared to the total time needed to build
the package... And since generating it can be done with a trivial
shell command, it's not a
pe, 2007-08-17 kello 10:58 +0200, Stefano Zacchiroli kirjoitti:
I fail to see any of those. I think that most of the packages without
the md5sums just happen to have been packaged before dh_md5sums was
available,
There's also a number of packages packaged without using debhelper.
(Mine is,
On Fri, Aug 17, 2007 at 12:35:30PM +0200, Romain Francoise wrote:
For the record, the list of binary packages without md5sums
Can you please upload this to people.debian.org or somewhere, and maybe
keep it periodically updated? I guess it would be useful for the sake
of deciding what to do.
Stefano Zacchiroli [EMAIL PROTECTED] writes:
Can you please upload this to people.debian.org or somewhere, and maybe
keep it periodically updated? I guess it would be useful for the sake
of deciding what to do.
No problem, will do.
Are you using the debian_bundle.debfile module for that?
Lars Wirzenius [EMAIL PROTECTED] writes:
There's also a number of packages packaged without using
debhelper.
Yep, that's what prompted me to look into this, I recently added
md5sums to rcs which doesn't use debhelper.
For the record, the list of binary packages without md5sums (give or
take a
* Romain Francoise [Fri, 17 Aug 2007 12:35:30 +0200]:
Adeodato Simó [EMAIL PROTECTED]
amarok-engines
This is a false positive. The package only ships /usr/share/doc/amarok-engines,
which is a symlink.
Cheers,
--
Adeodato Simó dato at net.com.org.es
On Fri, 17 Aug 2007 12:35:30 +0200, Romain Francoise wrote:
Debian Perl Group [EMAIL PROTECTED]
libchemistry-elements-perl
libdbd-odbc-perl
libdigest-hmac-perl
libmath-combinatorics-perl
libmath-derivative-perl
libmath-numbercruncher-perl
libmath-spline-perl
Lars Wirzenius [EMAIL PROTECTED] writes:
pe, 2007-08-17 kello 10:07 +0200, Romain Francoise kirjoitti:
It seems to me that the time spent to generate it on the buildds is
probably insignificant compared to the total time needed to build
the package... And since generating it can be done with
Stefano Zacchiroli, 2007-08-17 12:43:55 +0200 :
On Fri, Aug 17, 2007 at 12:35:30PM +0200, Romain Francoise wrote:
For the record, the list of binary packages without md5sums
Can you please upload this to people.debian.org or somewhere, and
maybe keep it periodically updated? I guess it
On Fri, Aug 17, 2007 at 01:58:14PM +0200, Marc 'HE' Brockschmidt wrote:
Yes, that sounds like a good idea.
Agreed. But needs someone willing to patch dpkg for that: volunteers?
It might also be interesting to not put those into the control.tar.gz,
but directly into the deb, so that it can
On Fri, Aug 17, 2007 at 12:56:14PM +0200, Romain Francoise wrote:
I would be happy to receive in a bug report about what it fails to
parse.
Yep, it was sitting in my outbox and I've just sent it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438486
Thanks, this is now fixed in the
On Fri, Aug 17, 2007 at 11:58:14AM +, Marc 'HE' Brockschmidt wrote:
Lars Wirzenius [EMAIL PROTECTED] writes:
pe, 2007-08-17 kello 10:07 +0200, Romain Francoise kirjoitti:
It seems to me that the time spent to generate it on the buildds is
probably insignificant compared to the total
Romain Francoise wrote:
Daniel Baumann [EMAIL PROTECTED]
lib32ncurses5
lib32ncurses5-dev
libncurses5
libncurses5-dbg
libncurses5-dev
libncursesw5
libncursesw5-dbg
libncursesw5-dev
ncurses-base
ncurses-bin
ncurses-term
fixed, thanks.
--
Address:
Roland Mas [EMAIL PROTECTED] writes:
Maybe add a lintian/linda test? Maybe add that to Lina
(http://asdfasdf.debian.net/~tar/lina/)?
There's already a lintian test. It's just only info-level because last
time I had checked there wasn't project consensus that md5sums should be
required.
--
Kurt Roeckx [EMAIL PROTECTED] writes:
On Fri, Aug 17, 2007 at 10:12:07AM -0700, Russ Allbery wrote:
Lars Wirzenius [EMAIL PROTECTED] writes:
It strikes me that if we want to make it policy, having dpkg generate
the checksums upon creating the .deb would be the simplest and best way
to do it.
On Fri, Aug 17, 2007 at 10:12:07AM -0700, Russ Allbery wrote:
Lars Wirzenius [EMAIL PROTECTED] writes:
It strikes me that if we want to make it policy, having dpkg generate
the checksums upon creating the .deb would be the simplest and best way
to do it. This way we wouldn't have to
On Fri, Aug 17, 2007 at 11:25:38AM -0700, Russ Allbery wrote:
Some packages (aspell and ispell packages in particular) ship files
that they then modify in maintainer scripts and intentionally exclude
them from the md5sums file for that reason. lintian has special code
to deal with this
[Lars Wirzenius]
It strikes me that if we want to make it policy, having dpkg generate
the checksums upon creating the .deb would be the simplest and best
way to do it.
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. We already claim that the md5sums file isn't
Kurt Roeckx schrieb:
On Fri, Aug 17, 2007 at 11:25:38AM -0700, Russ Allbery wrote:
Some packages (aspell and ispell packages in particular) ship files
that they then modify in maintainer scripts and intentionally exclude
them from the md5sums file for that reason.
The hash file, which is
pe, 2007-08-17 kello 17:05 -0500, Peter Samuelson kirjoitti:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. We already claim that the md5sums file isn't supposed to be any
kind of security thing. Why bother to ship it? It is redundant
information which can easily
pe, 2007-08-17 kello 10:12 -0700, Russ Allbery kirjoitti:
Some packages (aspell and ispell packages in particular) ship files that
they then modify in maintainer scripts and intentionally exclude them from
the md5sums file for that reason. lintian has special code to deal with
this case. A
On Fri, Aug 17, 2007 at 05:05:28PM -0500, Peter Samuelson wrote:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. [...]
Where's the code for that?
Changing write_filelist_except to update a new .md5 control file ought to
be possible. You'd probably want to add a
Sven Mueller [EMAIL PROTECTED] writes:
If it is created on install, why is it in the packages filelist in the
first place? Other packages also generate (supposedly architecture
dependend) files during postinst, without shipping a placeholder in the
.deb - so what is the reason why [ia]spell
Peter Samuelson [EMAIL PROTECTED] writes:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file. We already claim that the md5sums file isn't supposed to be any
kind of security thing. Why bother to ship it? It is redundant
information which can easily be regenerated on
[Russ Allbery]
While it's not the be-all and end-all of security, other OS vendors
(Sun in particular) have found it useful to make available a central
database of MD5 checksums of known-good versions of various binaries.
H. As far as being authoritative (and cryptographically secure),
On Sat, Aug 18, 2007 at 01:27:45AM +0200, Sven Mueller wrote:
The hash file, which is architecture dependend, is created on install.
This is the only file in the package that is architecture dependend.
If it is created on install, why is it in the packages filelist in the
first place?
Peter Samuelson wrote:
The thing is, if you're checking your system, you have to have
something to check it against. If this is the md5sums file in
/var/lib/dpkg/info, it doesn't matter whether it's included in the
package. But if you're using the copy from the .deb (because, say, you
don't
Peter Samuelson wrote:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file.
Not all debian systems have fast CPU and fast disk.
--
see shy jo
signature.asc
Description: Digital signature
On Fri, Aug 17, 2007 at 08:23:38PM -0400, Joey Hess wrote:
I'd opt for dpkg generating the checksums upon _extracting_ the .deb
file.
Not all debian systems have fast CPU and fast disk.
I could understand the fast CPU argument, but there's no good reason why
MD5ing at extraction time wouldn't
[Joey Hess]
It's even easier to do:
dpkg --fsys-tarfile $deb | tar -C / -d
Ha. I didn't know about tar -d. Yes, that is even better.
However, not all machines have the luxury of being able to store the
orignal .debs in /var, or of being able to redownload the same debs.
Indeed, but
Russ Allbery schrieb:
Sven Mueller [EMAIL PROTECTED] writes:
If it is created on install, why is it in the packages filelist in the
first place? Other packages also generate (supposedly architecture
dependend) files during postinst, without shipping a placeholder in the
.deb - so what is
74 matches
Mail list logo