Re: Packages with incomplete .md5sum files
On Tuesday, 15 January 2013, Julien Cristau wrote:
> There's no requirement for md5sums files in the first place AFAIK.

For reference, this is #572571.

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201301181250.06541.hol...@layer-acht.org
Re: Packages with incomplete .md5sum files
2013/1/15 Andreas Beckmann:
> On 2013-01-15 10:29, Julien Cristau wrote:
>> There's no requirement for md5sums files in the first place AFAIK. How
>> are incomplete md5sums worse than no md5sums? If anything this stuff
>> should be minor IMO.
>
> If a package is shipping no .md5sum at all, it will be created by dpkg
> at installation time.
>
> A partial .md5sum however will not be "completed". This hides some
> shipped files from debsums, defeating its purpose.
>
> I'm pretty sure modifying *any* shipped files in the maintainer scripts
> should be forbidden, although I didn't find a policy reference for this
> (this is made explicit for conffiles, what about "normal" files?).
> Packages violating this and hiding the fact by excluding the modified
> files from .md5sums ... should be fixed.

There are some cases where debsums should IMHO consider things differently.

In particular I mean those corresponding to files shipped under "/var" with
"d41d8cd98f00b204e9800998ecf8427e" md5sum (empty files created with touch).

These are clearly placeholders, being dpkg used to remove/reset them instead
of doing things from maintainer scripts. Whether that makes sense or not
depends on the package.

-- 
Agustin
Re: Packages with incomplete .md5sum files
On Tue, Jan 15, 2013 at 10:46:46 +0100, Sven Joachim wrote:
> On 2013-01-15 10:29 +0100, Julien Cristau wrote:
>
> > There's no requirement for md5sums files in the first place AFAIK. How
> > are incomplete md5sums worse than no md5sums?
>
> If there is no md5sums file, dpkg (as of version 1.16.3) creates it at
> unpack time.
>
That sounds like a dpkg misfeature.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
* Andreas Beckmann [130115 11:20]:
> On 2013-01-15 10:29, Julien Cristau wrote:
> > There's no requirement for md5sums files in the first place AFAIK. How
> > are incomplete md5sums worse than no md5sums? If anything this stuff
> > should be minor IMO.
>
> If a package is shipping no .md5sum at all, it will be created by dpkg
> at installation time.
>
> A partial .md5sum however will not be "completed". This hides some
> shipped files from debsums, defeating its purpose.

That depends what the purpose is supposed to be.
Having debsums by default create fake .md5sum files for packages not
shipping them defeats the purpose md5sums is most useful for:
to check that the files in your filesystem are correct and were not
corrupted by faulty hardware. (As in my experience almost all of those
problems happen when writing to the disk (by faulty memory, faulty
busses, overheated mainboards or CPUs) and not to content on the disc
itself).

So while incomplete .md5sums are definitely not nice and worse than
complete files, I do not see how that could be worse than not having
any .md5sum files.

Bernhard R. Link
Re: Packages with incomplete .md5sum files
On Tue, Jan 15, 2013 at 11:19:36 +0100, Andreas Beckmann wrote:
> I'm pretty sure modifying *any* shipped files in the maintainer scripts
> should be forbidden, although I didn't find a policy reference for this
> (this is made explicit for conffiles, what about "normal" files?).
> Packages violating this and hiding the fact by excluding the modified
> files from .md5sums ... should be fixed.
>
I'm not saying they shouldn't be fixed, just that IMO the missing md5sum
is minor.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
On 2013-01-15 10:29, Julien Cristau wrote:
> There's no requirement for md5sums files in the first place AFAIK. How
> are incomplete md5sums worse than no md5sums? If anything this stuff
> should be minor IMO.

If a package is shipping no .md5sum at all, it will be created by dpkg
at installation time.

A partial .md5sum however will not be "completed". This hides some
shipped files from debsums, defeating its purpose.

I'm pretty sure modifying *any* shipped files in the maintainer scripts
should be forbidden, although I didn't find a policy reference for this
(this is made explicit for conffiles, what about "normal" files?).
Packages violating this and hiding the fact by excluding the modified
files from .md5sums ... should be fixed.

Andreas
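
An added example, not part of the thread and not dpkg's or debsums' own code: one way to find shipped files that a partial md5sums file hides, by comparing a package's `.list`, `.md5sums` and `.conffiles` in the dpkg info directory. The package name `demo`, the function names and the fixture are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def read_lines(path):
    """Non-empty lines of a dpkg info file, or [] when the file is absent."""
    if not path.exists():
        return []
    return [ln for ln in path.read_text().splitlines() if ln.strip()]

def audit_package(pkg, info_dir, root="/"):
    """Return (unlisted, changed): shipped regular files with no md5sums
    entry, and listed files whose content no longer matches the hash."""
    info_dir, root = Path(info_dir), Path(root)
    sums = {}
    for line in read_lines(info_dir / f"{pkg}.md5sums"):
        digest, rel = line.split("  ", 1)  # "<md5>  <path without leading />"
        sums["/" + rel] = digest
    # Conffiles are tracked in the dpkg status database, not in md5sums.
    conffiles = set(read_lines(info_dir / f"{pkg}.conffiles"))
    unlisted, changed = [], []
    for path in read_lines(info_dir / f"{pkg}.list"):
        on_disk = root / path.lstrip("/")
        # .list also names directories and symlinks; only regular files count.
        if path in conffiles or on_disk.is_symlink() or not on_disk.is_file():
            continue
        if path not in sums:
            unlisted.append(path)
        elif hashlib.md5(on_disk.read_bytes()).hexdigest() != sums[path]:
            changed.append(path)
    return unlisted, changed

def build_sample(root):
    """Constructed fixture: hypothetical package 'demo', partial md5sums."""
    root = Path(root)
    files = {"usr/bin/demo": b"#!/bin/sh\n", "var/lib/demo/db.dat": b"v1\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "demo.list").write_text("/usr\n/usr/bin\n/usr/bin/demo\n/var/lib/demo/db.dat\n")
    digest = hashlib.md5(files["usr/bin/demo"]).hexdigest()
    (info / "demo.md5sums").write_text(f"{digest}  usr/bin/demo\n")  # db.dat omitted
    return info

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in audit_package("demo", build_sample(tmp), tmp)[0]:
            print("demo: FILE WITHOUT MD5SUM " + path)
```

A file in `unlisted` never reaches `changed` however its content is altered, which is the blind spot described in the message above.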
Re: Packages with incomplete .md5sum files
On 2013-01-15 10:29 +0100, Julien Cristau wrote:

> There's no requirement for md5sums files in the first place AFAIK. How
> are incomplete md5sums worse than no md5sums?

If there is no md5sums file, dpkg (as of version 1.16.3) creates it at
unpack time.

Cheers,
Sven
Re: Packages with incomplete .md5sum files
On Mon, Jan 14, 2013 at 13:10:24 +0100, Holger Levsen wrote:
> this I'd probably file as serious, not having checksums for files in /usr
> seems worse. But then, the same reasoning as for the above bugs applies, so
> maybe important is better after all.
>
There's no requirement for md5sums files in the first place AFAIK. How
are incomplete md5sums worse than no md5sums? If anything this stuff
should be minor IMO.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
[Holger Levsen]
> Hi Andreas,
>
> On Thursday, 10 January 2013, Andreas Beckmann wrote:
> > Hi,
> >
> > the following packages from wheezy ship files that are excluded from
> > the .md5sums file:
> >
> > gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/.gacl
> > gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitefoot.txt
> > gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitehead.txt
[...]
> those I'd file with severity "important" - sure it's a policy violation,
> surely it's bad,

Policy violation? Where? I don't see anything about 'md5sums' in Policy.
Re: Packages with incomplete .md5sum files
On Jan 14, 2013 12:10 PM, "Holger Levsen" wrote:
>
> Hi Andreas,
>
> On Thursday, 10 January 2013, Andreas Beckmann wrote:
> > Hi,
> >
> > the following packages from wheezy ship files that are excluded from
> > the .md5sums file:
> >
[snip]
> > rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/backdoorports.dat
[Snip]
> > rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/mirrors.dat
> > rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/programs_bad.dat
> > rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/suspscan.dat
>
> those I'd file with severity "important" - sure it's a policy violation,
> surely it's bad, but I wouldn't want to delay the release for these. (And I
> also suggest to fix those for wheezy, but that's a slightly different topic ;)
>
[snip]
> this I'd probably file as serious, not having checksums for files in /usr
> seems worse. But then, the same reasoning as for the above bugs applies, so
> maybe important is better after all.
>
[snip]
> important as well.
>
> Thanks for your work on this!
>
>
> cheers,
> Holger

Not a Debian developer but these 4 files I would rather put under security -
after all something could have changed the contents of these files rendering
rkhunter rather useless with respect to detecting some rootkits.

I agree with the rest.

darkestkhan
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 02:13:46PM -0500, Michael Gilbert wrote:
> On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
> > Excluding shipped files from .md5sums looks seriously wrong for files
> > in /usr and at least questionable in /var/lib.
> What is so "serious" about that? Please no more rc mbf's.

FWIW MBF, especially of RC severity, are to be discussed here first. And the
RMs can always opt to not consider the issue severe enough for the upcoming
release, i.e. authorize the use of $release-ignore when doing the filing.

If we agree that something is in principle a serious issue, we should file
it as such.

Kind regards
Philipp Kern
Re: Packages with incomplete .md5sum files
Hi Andreas,

On Thursday, 10 January 2013, Andreas Beckmann wrote:
> Hi,
>
> the following packages from wheezy ship files that are excluded from
> the .md5sums file:
>
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/.gacl
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitefoot.txt
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitehead.txt
> libreoffice-common: FILE WITHOUT MD5SUM /var/lib/libreoffice/share/config/javasettingsunopkginstall.xml
> nfs-common: FILE WITHOUT MD5SUM /var/lib/nfs/state
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/etab
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/rmtab
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/xtab
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/backdoorports.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/cn
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/de
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/en
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/zh
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/zh.utf8
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/mirrors.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/programs_bad.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/suspscan.dat

those I'd file with severity "important" - sure it's a policy violation,
surely it's bad, but I wouldn't want to delay the release for these. (And I
also suggest to fix those for wheezy, but that's a slightly different topic ;)

> r-base-core-dbg: FILE WITHOUT MD5SUM /usr/lib/debug/usr/bin/Rscript
> r-base-core-dbg: FILE WITHOUT MD5SUM /usr/lib/debug/usr/lib/R/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/bin/R
> r-base-core: FILE WITHOUT MD5SUM /usr/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/lib/R/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/lib/R/etc/Renviron.ucf
> r-base-core: FILE WITHOUT MD5SUM /usr/share/R/doc/html/packages.html

this I'd probably file as serious, not having checksums for files in /usr
seems worse. But then, the same reasoning as for the above bugs applies, so
maybe important is better after all.

> For sid there are additionally:
>
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmie/config.default
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmlogger/config.default
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmlogger/crontab

important as well.

Thanks for your work on this!


cheers,
Holger
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 02:13:46PM -0500, Michael Gilbert wrote:
> On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
> > Excluding shipped files from .md5sums looks seriously wrong for files
> > in /usr and at least questionable in /var/lib.
>
> What is so "serious" about that?

In itself it may not be a huge problem, but it's usually a good
indicator of another, more serious, bug.

> Please no more rc mbf's.

Would you rather we shipped packages that we know are broken, but that
we don't want to fix because we want "no more rc mbf's"?

I question that logic.

-- 
Copyshops should do vouchers. So that next time some bureaucracy requires you
to mail a form in triplicate, you can mail it just once, add a voucher, and
save on postage.
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
> Excluding shipped files from .md5sums looks seriously wrong for files
> in /usr and at least questionable in /var/lib.

What is so "serious" about that? Please no more rc mbf's.

Thanks,
Mike