[Rpm-metadata] Re: Invalid checksums in repodata

Jeff Johnson n3npq at mac.com
Wed Oct 11 13:48:31 UTC 2006


On Oct 11, 2006, at 8:59 AM, Mark McLoughlin wrote:

> Hi,
> 	(Context here is that createrepo created invalid metadata after
> package signing - it reused cached csums from before the package signing)
>
> On Wed, 2006-10-11 at 13:42 +0100, Mark McLoughlin wrote:
>> On Wed, 2006-10-11 at 07:53 -0400, Jesse Keating wrote:
>>> On Wednesday 11 October 2006 07:33, Mark McLoughlin wrote:
>
>>>>         I had a little look through the logs and the problem seems to be
>>>> that the checksum cache in /mnt/redhat/scripts/distill-cache is keyed off
>>>> the sha1header which is the same whether the package is signed or not.
>>>> Looks like we need a different cache for signed packages.
>>>
>>> Arg, yeah.  The caching is horrible right now.  I'll fix it and spin again.
>>
>> 	It should be fixed in latest createrepo with the attached patch, FWIW.
>
> 	Wait ...
>
>   https://lists.dulug.duke.edu/pipermail/rpm-metadata/2006-June/000656.html
>
> 	SIGMD5 is "is invariant to signing events"? Sigh, that's what we don't
> want :-)
>
> 	The csum cache should really be keyed off the signature since the
> signature affects the csum - looks like Han's original patch:
>
>   https://lists.dulug.duke.edu/pipermail/rpm-metadata/2006-June/000655.html
>
> 	was more like what's needed.
>

All depends on what you want. The contents of the header+payload do
not change when signed, and the installed files on end-user machines do
not change (and perhaps unnecessary downloads can be avoided) when
packages are signed or resigned.

Searching various header tags and using a hash on one of several tag
values in order to attach a unique identifier to a package is rather
arbitrary, clunky and cumbersome. That was the context of my original
comment.

(aside) And I can almost guarantee that the existing signature tag
hierarchy will be scrapped somewhen in order to
    1) support multiple signatures
	The rationale is this: The Red Hat package repository has always
	used hardlinks to minimize storage across multiple (like 10-20) distro
	trees. That means that a signing event ends up needing gigabytes of
	extra storage because previously identical files can no longer be
	hardlinked. One way out of the mess would be to permit multiple
	signatures and choose which signature (categories like "beta" and
	"official" are represented by different signatures) applies when the
	package is resident in rawhide or FC or RHEL.
    2) support X.509 signatures.

So basing a unique tag assignment on digests of one of several tag
values is likely to break.

Use a digest on the *.rpm if you truly want to detect any change
whatsoever to the package file.

73 de Jeff
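As an added illustration, not code from this thread or from createrepo: the script below locates the signature header of an RPM file, digests what follows it (the signing-invariant header+payload region that a key like sha1header effectively tracks) and the whole file, and shows which cache key goes stale once the package is signed. The RPM-shaped bytes are constructed, and the tag numbers (1004 for SIGTAG_MD5, 1005 for SIGTAG_GPG, type 7 = BIN) are assumed from rpm's header layout.

```python
import hashlib, struct

RPM_LEAD_LEN = 96                    # the fixed-size lead that opens every *.rpm
HDR_MAGIC = b"\x8e\xad\xe8\x01"      # header-structure magic plus version byte

def sig_header_len(data, off=RPM_LEAD_LEN):
    """Length of the signature header at `off`, including its 8-byte padding."""
    if data[off:off + 4] != HDR_MAGIC:
        raise ValueError("no signature header at offset %d" % off)
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    raw = 16 + 16 * nindex + hsize   # intro + index entries + data store
    return raw + (-raw % 8)          # padded so the next header is 8-byte aligned

def header_payload_digest(data):
    """Digest of everything after the signature header: invariant to signing."""
    return hashlib.sha1(data[RPM_LEAD_LEN + sig_header_len(data):]).hexdigest()

def file_digest(data):
    """Digest of the whole *.rpm file: changes whenever the package is (re)signed."""
    return hashlib.sha1(data).hexdigest()

def cached_csum(cache, key_fn, data):
    """createrepo-style cache lookup: reuse the stored checksum when the key is known."""
    key = key_fn(data)
    if key not in cache:
        cache[key] = file_digest(data)
    return cache[key]

def build_sig_header(entries):
    """Constructed signature header: (tag, type, value) triples -> index + store, padded to 8."""
    index, store = b"", b""
    for tag, typ, value in entries:
        index += struct.pack(">IIII", tag, typ, len(store), len(value))
        store += value
    hdr = HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store
    return hdr + b"\0" * (-len(hdr) % 8)

LEAD = b"\xed\xab\xee\xdb\x03\x00" + b"\0" * 90        # lead magic, v3.0, rest zeroed
BODY = b"<constructed immutable header + payload bytes>"  # untouched by signing
SIGTAG_MD5, SIGTAG_GPG, RPM_BIN_TYPE = 1004, 1005, 7     # assumed rpm tag/type numbers
UNSIGNED = LEAD + build_sig_header([(SIGTAG_MD5, RPM_BIN_TYPE, b"\x11" * 16)]) + BODY
SIGNED = LEAD + build_sig_header([(SIGTAG_MD5, RPM_BIN_TYPE, b"\x11" * 16),
                                  (SIGTAG_GPG, RPM_BIN_TYPE, b"\x22" * 40)]) + BODY

def stale_after_signing(key_fn):
    """True when a cache keyed by key_fn hands back the pre-signing checksum."""
    cache = {}
    cached_csum(cache, key_fn, UNSIGNED)           # populate before signing
    return cached_csum(cache, key_fn, SIGNED) != file_digest(SIGNED)
```

Keying on `header_payload_digest` reproduces the stale-csum bug from the thread; keying on `file_digest` does not.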