
#1 2003-09-09 17:54:54

ianneub
Member
From: HB, CA, USA
Registered: 2003-09-03
Posts: 25

Makepkg checking md5sums

Makepkg seems to check the md5sums of downloaded files after it has already extracted them. Shouldn't this be done before that?


cool sig line


#2 2003-09-09 20:15:35

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Makepkg checking md5sums

Apart from time wasted waiting, what other problem is there?


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#3 2003-09-09 20:36:07

ianneub
Member
From: HB, CA, USA
Registered: 2003-09-03
Posts: 25

Re: Makepkg checking md5sums

Xentac wrote:

Apart from time wasted waiting, what other problem is there?

Well, it leaves the files unpacked; if it didn't pass md5 then it shouldn't be on the computer.


cool sig line


#4 2003-09-09 20:38:11

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Makepkg checking md5sums

Why?


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#5 2003-09-09 20:45:13

ianneub
Member
From: HB, CA, USA
Registered: 2003-09-03
Posts: 25

Re: Makepkg checking md5sums

Because you can't trust whatever was downloaded. I suppose that since makepkg doesn't continue to run it's not too bad, but it just doesn't "feel" right to have code that could be dangerous sitting about a box.

edit: spell check


cool sig line


#6 2003-09-09 20:48:26

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Makepkg checking md5sums

Hehehe, dangerous is a relative term... after all, rm can be pretty dangerous...

Anyway, I guess my point is that you're already not trusting the code, so delete it.  What if you wanted to check the changes?  Or, heaven forbid, you wrote the original file, then modified it and forgot to update the md5 hash.  Suddenly your file is gone!  That would definitely suck.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#7 2003-09-09 21:04:16

ianneub
Member
From: HB, CA, USA
Registered: 2003-09-03
Posts: 25

Re: Makepkg checking md5sums

Yah that would suck lol. But it would only need to delete (or just not unpack) what it just untar'ed (that overwrote it all anyway).


cool sig line


#8 2003-09-09 21:09:41

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Makepkg checking md5sums

I'm not sure what happens after md5 hashes fail, but try 'makepkg -c'.  Traditionally it cleaned up the pkg and src (read: removed) directories after a build.  Looking through the makepkg code, when makepkg fails it just 'exit 1's, so that won't actually work.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#9 2003-09-09 21:17:36

ianneub
Member
From: HB, CA, USA
Registered: 2003-09-03
Posts: 25

Re: Makepkg checking md5sums

Yah if you're in ABS then you should know what you're doing right? :) I'm just trying to be anal and overanalyze everything


cool sig line


#10 2003-09-09 22:22:21

sarah31
Member
From: Middle of Canada
Registered: 2002-08-20
Posts: 2,975

Re: Makepkg checking md5sums

i think you miss the point of arch's md5sum function. the md5sums are generated by us developers so obviously if the source is lethal for us then likely we would not even bother generating a md5sum for the source.

if you don't trust any source then ...well... why use a computer. exploits will happen and will be closed. most people involved with open source try their best to make sure all source is reliable. bad code in the open source community is quickly left behind.


AKA uknowme

I am not your friend


#11 2003-09-14 04:35:04

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: Makepkg checking md5sums

Good call there.  I'll bring up the issue with apeiro and see what he has to say.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal


#12 2003-09-14 18:37:29

apeiro
Daddy
From: Victoria, BC, Canada
Registered: 2002-08-12
Posts: 771

Re: Makepkg checking md5sums

micah wrote:

There is a real problem that I ran into yesterday.  I'm new to Arch Linux, though,
so maybe I'm missing something.  When a gzipped (not tarred) file is extracted,
the original file is removed.  So if one of the files you download is a gzipped patch
or, in my case, a gzipped shar, then the md5sum check always fails because the
downloaded file is removed before the check is performed.

Good point.  That will be fixed in the next release.
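
The ordering discussed in this thread, as an added example that is not part of the thread and not makepkg's own code: a hypothetical `verify_then_extract` function checks the md5sum before anything is unpacked, and decompresses a bare `.gz` to a copy so the downloaded file survives. The function name, file names and sample patch are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not makepkg's code): verify first, extract second.

# verify_then_extract FILE EXPECTED_MD5 DESTDIR
# Returns 0 after a verified extraction, 1 on checksum mismatch (nothing is
# unpacked, DESTDIR is not created), 2 if FILE is missing.
verify_then_extract() {
    local file=$1 expected=$2 dest=$3 actual
    [ -f "$file" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "==> ERROR: md5sum mismatch for $file" >&2
        return 1
    fi
    mkdir -p "$dest"
    case "$file" in
        *.tar.gz|*.tgz)
            tar -xzf "$file" -C "$dest" ;;
        *.gz)
            # Bare gzip (patch, shar): write a decompressed copy and keep the
            # download, so the file that was checked is still on disk.
            gzip -dc "$file" > "$dest/$(basename "${file%.gz}")" ;;
        *)
            cp "$file" "$dest/" ;;
    esac
}

# Constructed demo: a gzipped patch, checked with a right and a wrong sum.
demo() {
    local work good rc_good rc_bad ok
    work=$(mktemp -d)
    printf 'constructed patch body\n' > "$work/fix.patch"
    gzip "$work/fix.patch"                      # leaves only fix.patch.gz
    good=$(md5sum "$work/fix.patch.gz" | cut -d' ' -f1)

    verify_then_extract "$work/fix.patch.gz" "$good" "$work/src"; rc_good=$?
    verify_then_extract "$work/fix.patch.gz" \
        "00000000000000000000000000000000" "$work/bad" 2>/dev/null; rc_bad=$?

    # Pass only if: good sum unpacked, download kept, bad sum left no files.
    [ "$rc_good" -eq 0 ] && [ "$rc_bad" -eq 1 ] &&
        [ -f "$work/fix.patch.gz" ] && [ -f "$work/src/fix.patch" ] &&
        [ ! -e "$work/bad" ]
    ok=$?
    rm -rf "$work"
    return "$ok"
}

demo && echo "demo: verified extraction ok, mismatch left nothing unpacked"
```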
