Makepkg seems to check the md5sums of downloaded files after it has already extracted them. Shouldn't this be done before that?
cool sig line
Apart from time wasted waiting, what other problem is there?
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
Apart from time wasted waiting, what other problem is there?
Well, it leaves the files unpacked; if it didn't pass md5 then it shouldn't be on the computer.
cool sig line
Why?
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
Because you can't trust whatever was downloaded. I suppose that since makepkg doesn't continue to run it's not too bad, but it just doesn't "feel" right to have code that could be dangerous sitting about a box.
edit: spell check
cool sig line
Hehehe, dangerous is a relative term... after all, rm can be pretty dangerous...
Anyway, I guess my point is that you're already not trusting the code, so delete it. What if you wanted to check the changes? Or, heaven forbid, you wrote the original file, then modified it and forgot to update the md5 hash. Suddenly your file is gone! That would definitely suck.
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
Yah that would suck lol. But it would only need to delete (or just not unpack) what it just untar'ed (that overwrote it all anyway).
cool sig line
I'm not sure what happens after md5 hashes fail, but try 'makepkg -c'. Traditionally it cleaned up the pkg and src (read: removed) directories after a build. Looking through the makepkg code, when makepkg fails it just 'exit 1's, so that won't actually work.
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
Yah, if you're in ABS then you should know what you're doing, right? I'm just trying to be anal and overanalyze everything
cool sig line
I think you miss the point of Arch's md5sum function. The md5sums are generated by us developers, so obviously if the source is lethal for us then likely we would not even bother generating an md5sum for the source.
If you don't trust any source then ...well... why use a computer. Exploits will happen and will be closed. Most people involved with open source try their best to make sure all source is reliable. Bad code in the open source community is quickly left behind.
AKA uknowme
I am not your friend
Good call there. I'll bring up the issue with apeiro and see what he has to say.
I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
There is a real problem that I ran into yesterday. I'm new to Arch Linux, though,
so maybe I'm missing something. When a gzipped (not tarred) file is extracted,
the original file is removed. So if one of the files you download is a gzipped patch
or, in my case, a gzipped shar, then the md5sum check always fails because the
downloaded file is removed before the check is performed.
Good point. That will be fixed in the next release.
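The two points raised in this thread, checking the md5sum before anything is unpacked and not letting gzip delete the downloaded file, sketched as an added example. It is not makepkg's code; the function names `verify_md5` and `verify_then_extract` and the directory layout are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not makepkg's code): verify first, extract second,
# and never remove the downloaded file while decompressing it.

# verify_md5 FILE EXPECTED
# Returns 0 when FILE's MD5 equals EXPECTED (hex, case-insensitive).
verify_md5() {
    local file expected actual
    file=$1 expected=$2
    [ -f "$file" ] || return 2
    # Read from stdin so the output is "<hash>  -" whatever the file name is.
    actual=$(md5sum < "$file") || return 2
    actual=${actual%% *}
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# verify_then_extract FILE EXPECTED DESTDIR
# On a checksum mismatch returns 1 and creates nothing under DESTDIR.
verify_then_extract() {
    local file expected dest base
    file=$1 expected=$2 dest=$3
    if ! verify_md5 "$file" "$expected"; then
        echo "checksum mismatch: $file (not extracted)" >&2
        return 1
    fi
    mkdir -p -- "$dest" || return 2
    base=$(basename -- "$file")
    case "$base" in
        *.tar.gz|*.tgz)
            tar -xzf "$file" -C "$dest" ;;
        *.gz)
            # Plain gzip (a patch or shar): 'gzip -d FILE' would delete the
            # download, so stream to a new file and keep the original.
            gzip -dc -- "$file" > "$dest/${base%.gz}" ;;
        *)
            cp -- "$file" "$dest/" ;;
    esac
}
```

Because the download is left untouched, a failed check can be re-run or the file inspected by hand afterwards.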