Re: Packages with incomplete .md5sum files
On Tuesday, 15 January 2013, Julien Cristau wrote:
> There's no requirement for md5sums files in the first place AFAIK.

for reference, this is #572571.

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201301181250.06541.hol...@layer-acht.org
Re: Packages with incomplete .md5sum files
2013/1/15 Andreas Beckmann deb...@abeckmann.de:
> On 2013-01-15 10:29, Julien Cristau wrote:
>> There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums? If anything this stuff should be minor IMO.
>
> If a package is shipping no .md5sum at all, it will be created by dpkg at installation time. A partial .md5sum however will not be completed. This hides some shipped files from debsums, defeating its purpose.
>
> I'm pretty sure modifying *any* shipped files in the maintainer scripts should be forbidden, although I didn't find a policy reference for this (this is made explicit for conffiles, what about normal files?). Packages violating this and hiding the fact by excluding the modified files from .md5sums ... should be fixed.

There are some cases where debsums should IMHO consider things differently. In particular I mean those corresponding to files shipped under /var with d41d8cd98f00b204e9800998ecf8427e md5sum (empty files created with touch). These are clearly placeholders, being dpkg used to remove/reset them instead of doing things from maintainer scripts. Whether that makes sense or not depends on the package.

--
Agustin
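Added example, not part of any message in this thread and not code from dpkg or debsums: the check under discussion, comparing a package's file list with its md5sums file to report shipped files that have no checksum, and separately flagging the empty-file placeholders under /var mentioned above. The package "examplepkg", its data and the function names are constructed for illustration; directories are recognised by a heuristic rather than by looking at the filesystem.

```python
# Added example; all package data below is constructed, not from a real package.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # md5 of a zero-length file

def parse_md5sums(text):
    """Parse <pkg>.md5sums content: '<md5>  <path relative to />' per line."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums["/" + parts[1].lstrip("/")] = parts[0].lower()
    return sums

def shipped_files(list_text):
    # Assumption: a path in <pkg>.list is a directory if another listed path
    # lies below it. A live audit would ask the filesystem instead.
    paths = [p for p in list_text.splitlines() if p and p != "/."]
    dirs = {p for p in paths if any(q.startswith(p + "/") for q in paths)}
    return [p for p in paths if p not in dirs]

def audit(list_text, md5sums_text, conffiles_text=""):
    """Return (files without md5sum, empty-file placeholders under /var)."""
    sums = parse_md5sums(md5sums_text)
    # Conffiles are normally left out of md5sums; dpkg records their hashes
    # in its status database, so they are not reported as missing here.
    conffiles = set(conffiles_text.splitlines())
    files = shipped_files(list_text)
    missing = [p for p in files if p not in sums and p not in conffiles]
    placeholders = [p for p in files
                    if p.startswith("/var/") and sums.get(p) == EMPTY_MD5]
    return missing, placeholders

# Constructed metadata for a hypothetical package "examplepkg".
SAMPLE_LIST = "\n".join([
    "/.", "/etc", "/etc/example.conf", "/usr", "/usr/bin", "/usr/bin/example",
    "/var", "/var/lib", "/var/lib/examplepkg",
    "/var/lib/examplepkg/db.dat", "/var/lib/examplepkg/state"])
SAMPLE_MD5SUMS = ("0123456789abcdef0123456789abcdef  usr/bin/example\n"
                  f"{EMPTY_MD5}  var/lib/examplepkg/state\n")
SAMPLE_CONFFILES = "/etc/example.conf\n"

if __name__ == "__main__":
    missing, placeholders = audit(SAMPLE_LIST, SAMPLE_MD5SUMS, SAMPLE_CONFFILES)
    for path in missing:
        print("examplepkg: FILE WITHOUT MD5SUM", path)
    for path in placeholders:
        print("examplepkg: EMPTY PLACEHOLDER", path)
```

On an installed system the three inputs would come from the package's .list, .md5sums and .conffiles files under /var/lib/dpkg/info.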
Re: Packages with incomplete .md5sum files
[Holger Levsen]
> Hi Andreas,
>
> On Thursday, 10 January 2013, Andreas Beckmann wrote:
>> Hi,
>>
>> the following packages from wheezy ship files that are excluded from the .md5sums file:
>>
>> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/.gacl
>> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitefoot.txt
>> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitehead.txt
> [...]
> those I'd file with severity important - sure it's a policy violation, surely it's bad,

Policy violation? Where? I don't see anything about 'md5sums' in Policy.
Re: Packages with incomplete .md5sum files
On Mon, Jan 14, 2013 at 13:10:24 +0100, Holger Levsen wrote:
> this I'd probably file as serious, not having checksums for files in /usr seems worse. But then, the same reasoning as for the above bugs applies, so maybe important is better after all.

There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums? If anything this stuff should be minor IMO.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
On 2013-01-15 10:29 +0100, Julien Cristau wrote:
> There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums?

If there is no md5sums file, dpkg (as of version 1.16.3) creates it at unpack time.

Cheers,
Sven
Re: Packages with incomplete .md5sum files
On 2013-01-15 10:29, Julien Cristau wrote:
> There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums? If anything this stuff should be minor IMO.

If a package is shipping no .md5sum at all, it will be created by dpkg at installation time. A partial .md5sum however will not be completed. This hides some shipped files from debsums, defeating its purpose.

I'm pretty sure modifying *any* shipped files in the maintainer scripts should be forbidden, although I didn't find a policy reference for this (this is made explicit for conffiles, what about normal files?). Packages violating this and hiding the fact by excluding the modified files from .md5sums ... should be fixed.

Andreas
Re: Packages with incomplete .md5sum files
On Tue, Jan 15, 2013 at 11:19:36 +0100, Andreas Beckmann wrote:
> I'm pretty sure modifying *any* shipped files in the maintainer scripts should be forbidden, although I didn't find a policy reference for this (this is made explicit for conffiles, what about normal files?). Packages violating this and hiding the fact by excluding the modified files from .md5sums ... should be fixed.

I'm not saying they shouldn't be fixed, just that IMO the missing md5sum is minor.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
* Andreas Beckmann deb...@abeckmann.de [130115 11:20]:
> On 2013-01-15 10:29, Julien Cristau wrote:
>> There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums? If anything this stuff should be minor IMO.
>
> If a package is shipping no .md5sum at all, it will be created by dpkg at installation time. A partial .md5sum however will not be completed. This hides some shipped files from debsums, defeating its purpose.

That depends what the purpose is supposed to be. Having debsums by default create fake .md5sum files for packages not shipping them defeats the purpose md5sums is most useful for: to check that the files in your filesystem are correct and were not corrupted by faulty hardware. (As in my experience almost all of those problems happen when writing to the disk (by faulty memory, faulty busses, overheated mainboards or CPUs) and not to content on the disc itself).

So while incomplete .md5sums are definitely not nice and worse than complete files, I do not see how that could be worse than not having any .md5sum files.

Bernhard R. Link
Re: Packages with incomplete .md5sum files
On Tue, Jan 15, 2013 at 10:46:46 +0100, Sven Joachim wrote:
> On 2013-01-15 10:29 +0100, Julien Cristau wrote:
>> There's no requirement for md5sums files in the first place AFAIK. How are incomplete md5sums worse than no md5sums?
>
> If there is no md5sums file, dpkg (as of version 1.16.3) creates it at unpack time.

That sounds like a dpkg misfeature.

Cheers,
Julien
Re: Packages with incomplete .md5sum files
Hi Andreas,

On Thursday, 10 January 2013, Andreas Beckmann wrote:
> Hi,
>
> the following packages from wheezy ship files that are excluded from the .md5sums file:
>
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/.gacl
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitefoot.txt
> gridsite: FILE WITHOUT MD5SUM /var/lib/gridsite/gridsitehead.txt
> libreoffice-common: FILE WITHOUT MD5SUM /var/lib/libreoffice/share/config/javasettingsunopkginstall.xml
> nfs-common: FILE WITHOUT MD5SUM /var/lib/nfs/state
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/etab
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/rmtab
> nfs-kernel-server: FILE WITHOUT MD5SUM /var/lib/nfs/xtab
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/backdoorports.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/cn
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/de
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/en
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/zh
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/i18n/zh.utf8
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/mirrors.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/programs_bad.dat
> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/suspscan.dat

those I'd file with severity important - sure it's a policy violation, surely it's bad, but I wouldn't want to delay the release for these. (And I also suggest to fix those for wheezy, but that's a slightly different topic ;)

> r-base-core-dbg: FILE WITHOUT MD5SUM /usr/lib/debug/usr/bin/Rscript
> r-base-core-dbg: FILE WITHOUT MD5SUM /usr/lib/debug/usr/lib/R/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/bin/R
> r-base-core: FILE WITHOUT MD5SUM /usr/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/lib/R/bin/Rscript
> r-base-core: FILE WITHOUT MD5SUM /usr/lib/R/etc/Renviron.ucf
> r-base-core: FILE WITHOUT MD5SUM /usr/share/R/doc/html/packages.html

this I'd probably file as serious, not having checksums for files in /usr seems worse. But then, the same reasoning as for the above bugs applies, so maybe important is better after all.

> For sid there are additionally:
>
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmie/config.default
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmlogger/config.default
> pcp: FILE WITHOUT MD5SUM /var/lib/pcp/config/pmlogger/crontab

important as well.

Thanks for your work on this!

cheers,
Holger
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 02:13:46PM -0500, Michael Gilbert wrote:
> On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
>> Excluding shipped files from .md5sums looks seriously wrong for files in /usr and at least questionable in /var/lib.
>
> What is so serious about that? Please no more rc mbf's.

FWIW MBF, especially of RC severity, are to be discussed here first. And the RMs can always opt to not consider the issue severe enough for the upcoming release, i.e. authorize the use of $release-ignore when doing the filing. If we agree that something is in principle a serious issue, we should file it as such.

Kind regards
Philipp Kern
Re: Packages with incomplete .md5sum files
On Jan 14, 2013 12:10 PM, Holger Levsen hol...@layer-acht.org wrote:
> Hi Andreas,
>
> On Thursday, 10 January 2013, Andreas Beckmann wrote:
>> Hi,
>>
>> the following packages from wheezy ship files that are excluded from the .md5sums file:

[snip]

>> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/backdoorports.dat

[Snip]

>> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/mirrors.dat
>> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/programs_bad.dat
>> rkhunter: FILE WITHOUT MD5SUM /var/lib/rkhunter/db/suspscan.dat
>
> those I'd file with severity important - sure it's a policy violation, surely it's bad, but I wouldn't want to delay the release for these. (And I also suggest to fix those for wheezy, but that's a slightly different topic ;)

[snip]

> this I'd probably file as serious, not having checksums for files in /usr seems worse. But then, the same reasoning as for the above bugs applies, so maybe important is better after all.

[snip]

> important as well.
>
> Thanks for your work on this!
>
> cheers,
> Holger

Not a Debian developer but these 4 files I would rather put under security - after all something could have changed the contents of these files rendering rkhunter rather useless with respect to detecting some rootkits.

I agree with the rest.

darkestkhan
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 02:13:46PM -0500, Michael Gilbert wrote:
> On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
>> Excluding shipped files from .md5sums looks seriously wrong for files in /usr and at least questionable in /var/lib.
>
> What is so serious about that?

In itself it may not be a huge problem, but it's usually a good indicator of another, more serious, bug.

> Please no more rc mbf's.

Would you rather we shipped packages that we know are broken, but that we don't want to fix because we want no more rc mbf's? I question that logic.

--
Copyshops should do vouchers. So that next time some bureaucracy requires you to mail a form in triplicate, you can mail it just once, add a voucher, and save on postage.
Re: Packages with incomplete .md5sum files
On Thu, Jan 10, 2013 at 3:21 AM, Andreas Beckmann wrote:
> Excluding shipped files from .md5sums looks seriously wrong for files in /usr and at least questionable in /var/lib.

What is so serious about that? Please no more rc mbf's.

Thanks,
Mike