Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
Regards, Parag.
On 10/12/2009 11:06 PM, Parag N(पराग़) wrote:
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
No. At the time they were written, md5sum was the norm, no more, no less.
~spot
On Tue, 2009-10-13 at 08:36 +0530, Parag N(पराग़) wrote:
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
On 10/13/2009 07:13 AM, Matthias Clasen wrote:
On Tue, 2009-10-13 at 08:36 +0530, Parag N(पराग़) wrote:
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
Well, this is only one part of the story.
You are right, to verify a submitted package's contents against "external sources" (e.g. upstream), md5sums don't provide more information than a "byte-by-byte" comparison would provide [1].
But there is another aspect: Fedora applies md5sums as the checksums for "binaries" in its CVS (cf. the file named "sources" in packages checked out from CVS).
I.e. to be able to verify whether the files from a "just imported *.src.rpm" match those inside the *.src.rpm that was reviewed, a review would have to contain md5sums.
=> Unless CVS changes to apply sha1sums, sha1sums in reviews would void the latter point.
Ralf
[1] In cases upstreams ship "detached md5sum files" (many upstreams do), it's common practice to consider a match between the md5sums from the upstream md5sum file and those generated from the files inside of an src.rpm to be sufficient. Whether md5sums are safe enough to justify this amount of trust, is a different issue.
On Mon, Oct 12, 2009 at 10:13 PM, Matthias Clasen mclasen@redhat.com wrote:
On Tue, 2009-10-13 at 08:36 +0530, Parag N(पराग़) wrote:
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
Um. An easily reproducible, cryptographically strong checksum? :)
-Chris
Le Mer 14 octobre 2009 05:47, Chris Weyl a écrit :
On Mon, Oct 12, 2009 at 10:13 PM, Matthias Clasen mclasen@redhat.com wrote:
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
Um. An easily reproducible, cryptographically strong checksum? :)
This is one test I never do, nothing will stop the packager from changing the packaged archive as soon as the review is finished, so the whole thing is a major waste of time for everyone involved IMHO (as is posting specs in addition to SRPMs BTW).
On 10/14/2009 09:55 AM, Nicolas Mailhot wrote:
Le Mer 14 octobre 2009 05:47, Chris Weyl a écrit :
On Mon, Oct 12, 2009 at 10:13 PM, Matthias Clasen mclasen@redhat.com wrote:
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
Um. An easily reproducible, cryptographically strong checksum? :)
This is one test I never do, nothing will stop the packager from changing the packaged archive as soon as the review is finished,
ACK.
so the whole thing is a major waste of time for everyone involved IMHO
Agreed.
(as is posting specs in addition to SRPMs BTW).
Not agreed. Many packaging issues can easily be found in specs, without downloading the actual *.src.rpm.
Ralf
Ralf Corsepius wrote:
On 10/14/2009 09:55 AM, Nicolas Mailhot wrote:
Le Mer 14 octobre 2009 05:47, Chris Weyl a écrit :
On Mon, Oct 12, 2009 at 10:13 PM, Matthias Clasen mclasen@redhat.com wrote:
That part of the review guidelines has always struck me as bizarre. After all, wouldn't it seem even better to compare the actual tarballs with each other, byte-by-byte, than relying on a checksum ?
Um. An easily reproducible, cryptographically strong checksum? :)
This is one test I never do, nothing will stop the packager from changing the packaged archive as soon as the review is finished,
ACK.
so the whole thing is a major waste of time for everyone involved IMHO
Agreed.
Sort of. I think of it as CYA for the reviewer. If something bad slips in, at least it's documented that it was good when I checked it, and the responsibility then falls on the packager.
(as is posting specs in addition to SRPMs BTW).
Not agreed. Many packaging issues can easily be found in specs, without downloading the actual *.src.rpm.
True. I always wget both, install the SRPM and diff the specs, and ask about any differences if the packager goofed. Though I certainly see your point, especially for extremely large packages, like games with huge globs of data (i.e. wesnoth), etc.
Ralf
-- Fedora-packaging mailing list Fedora-packaging@redhat.com https://www.redhat.com/mailman/listinfo/fedora-packaging
On 10/14/2009 03:06 PM, Jon Ciesla wrote:
Ralf Corsepius wrote:
On 10/14/2009 09:55 AM, Nicolas Mailhot wrote:
(as is posting specs in addition to SRPMs BTW).
Not agreed. Many packaging issues can easily be found in specs, without downloading the actual *.src.rpm.
True. I always wget both, install the SRPM and diff the specs, and ask about any differences if the packager goofed. Though I certainly see your point, especially for extremely large packages, like games with huge globs of data (i.e. wesnoth), etc.
Another aspect, at least I use these *.specs for: I use them as a "sneak-preview" to decide on whether I would want to get involved into a review or if I would prefer to abstain from it.
Ralf
"NM" == Nicolas Mailhot nicolas.mailhot@laposte.net writes:
NM> This is one test I never do, nothing will stop the packager from
NM> changing the packaged archive as soon as the review is finished, so
NM> the whole thing is a major waste of time for everyone involved IMHO
Perhaps I'd consider agreeing if doing the comparison hadn't turned up real issues. Perhaps you haven't done sufficient reviews to come across a case like that, but I have.
- J<
Le Mer 14 octobre 2009 19:55, Jason L Tibbitts III a écrit :
"NM" == Nicolas Mailhot nicolas.mailhot@laposte.net writes:
NM> This is one test I never do, nothing will stop the packager from
NM> changing the packaged archive as soon as the review is finished, so
NM> the whole thing is a major waste of time for everyone involved IMHO
Perhaps I'd consider agreeing if doing the comparison hadn't turned up real issues. Perhaps you haven't done sufficient reviews to come across a case like that, but I have.
This is something for the BADURL script or autoqa, IMHO. The ROI on doing it manually, and only on the initial submission, is pretty low.
"NM" == Nicolas Mailhot nicolas.mailhot@laposte.net writes:
NM> This is something for the BADURL script or autoqa, IMHO. The ROI on
NM> doing it manually, and only on the initial submission, is pretty
NM> low.
Well, so far I've caught many, many instances of improper URLs, several cases where the packager had modified the tarball and not realized that was problematic, and a few instances where the tarball needed to be modified but the packager hadn't documented the reasons or the necessary changes in accordance with our guidelines. All of those are things that need to be done in review, before the import, because the point is to actually check the packages before they're imported to guard against errors where the packager simply isn't aware of the proper way to do things. Letting crap get in and then mailbombing the packager with autoqa mail (which doesn't even exist at this point) isn't friendly to either the packager or the distribution.
But of course we have no QA on actual package reviews, so I guess you're welcome to simply skip the step, or pretty much do whatever you want. And in any case, it's only a few keystrokes to run this after unpacking the srpm:
#!/bin/sh
# Fetch the upstream sources named in the spec into a scratch directory,
# then print the digest of each fetched file next to the digest of the
# file of the same name that came out of the SRPM.
mkdir source
cd source
spectool -g ../*.spec
for i in *; do
    sha256sum "$i"
    sha256sum "../$i"
done
and only a further few seconds to look at the output, so the investment is rather low regardless of what you think the return is.
- J<
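The two checks discussed in this thread (Ralf's point that the CVS "sources" file records one digest per file, and Jason's loop that hashes the SRPM's files next to the ones spectool fetched from upstream) can be done in one small tool. The following is an added example, not code from the list or from Fedora's tooling. It assumes the old coreutils-style "sources" layout, `<hexdigest>  <filename>`, and detects md5/sha1/sha256 from the digest length so that a checksum posted in a review is unambiguous whichever tool the reviewer used (Christoph's point); the sample files and digests are constructed inside the demo.

```python
import hashlib
import os
import tempfile

# Hex-digest length -> algorithm. This mapping is a convention of this example,
# chosen so a posted md5sum, sha1sum or sha256sum line is self-describing.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo):
    """Hash a file in chunks; returns the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sources(text):
    """Parse coreutils-style lines '<hexdigest>  <filename>' (the layout of the
    old Fedora CVS 'sources' file and of md5sum/sha1sum/sha256sum output).
    Returns {filename: (algo, hexdigest)}; malformed lines raise ValueError
    rather than being silently skipped, since a skipped line is an unchecked file."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<digest>  <file>'" % lineno)
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: unrecognised digest %r" % (lineno, digest))
        entries[name] = (algo, digest)
    return entries


def verify_sources(sources_text, directory):
    """Check every entry of a 'sources' text against the file of the same name
    in `directory`. Returns {filename: "ok" | "mismatch" | "missing"}."""
    results = {}
    for name, (algo, expected) in parse_sources(sources_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def compare_dirs(srpm_dir, upstream_dir, algo="sha256"):
    """The shell loop above in Python: for each file unpacked from the SRPM,
    compare its digest with the same-named file fetched from upstream.
    Returns {filename: bool}; a file with no upstream counterpart is False."""
    matches = {}
    for name in sorted(os.listdir(srpm_dir)):
        here, there = os.path.join(srpm_dir, name), os.path.join(upstream_dir, name)
        if not os.path.isfile(here):
            continue
        matches[name] = (os.path.isfile(there)
                         and file_digest(here, algo) == file_digest(there, algo))
    return matches


def demo():
    """Constructed scenario: one tarball repacked by the packager, one untouched,
    and one listed in 'sources' but absent from the SRPM."""
    with tempfile.TemporaryDirectory() as tmp:
        up, sr = os.path.join(tmp, "upstream"), os.path.join(tmp, "srpm")
        os.mkdir(up)
        os.mkdir(sr)
        files = {
            "foo-1.0.tar.gz": (b"release tarball\n", b"release tarball\n# repacked\n"),
            "bar-data.zip": (b"big data blob\n", b"big data blob\n"),
        }
        for name, (upstream_body, srpm_body) in files.items():
            with open(os.path.join(up, name), "wb") as f:
                f.write(upstream_body)
            with open(os.path.join(sr, name), "wb") as f:
                f.write(srpm_body)
        # A 'sources' text built from the upstream copies, mixing digest kinds
        # the way reviews in this thread do (md5sum for one file, sha1sum for another).
        sources_text = "\n".join([
            "%s  foo-1.0.tar.gz" % file_digest(os.path.join(up, "foo-1.0.tar.gz"), "sha1"),
            "%s  bar-data.zip" % file_digest(os.path.join(up, "bar-data.zip"), "md5"),
            "d41d8cd98f00b204e9800998ecf8427e  baz-0.1.tar.xz",  # md5 of empty file
        ])
        return verify_sources(sources_text, sr), compare_dirs(sr, up)


if __name__ == "__main__":
    print(demo())
```

Both checks report per file rather than stopping at the first difference, so a reviewer can paste the whole result into the review; the "missing" status catches the case Jason mentions where a tarball was modified or replaced without the change being documented.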
Le Mer 14 octobre 2009 20:56, Jason L Tibbitts III a écrit :
"NM" == Nicolas Mailhot nicolas.mailhot@laposte.net writes:
NM> This is something for the BADURL script or autoqa, IMHO. The ROI on
NM> doing it manually, and only on the initial submission, is pretty
NM> low.
Well, so far I've caught many, many instances of improper URLs, several cases where the packager had modified the tarball and not realized that was problematic, and a few instances where the tarball needed to be modified but the packager hadn't documented the reasons or the necessary changes in accordance with our guidelines.
So what? It's a check tha
Le Mer 14 octobre 2009 20:56, Jason L Tibbitts III a écrit :
"NM" == Nicolas Mailhot nicolas.mailhot@laposte.net writes:
NM> This is something for the BADURL script or autoqa, IMHO. The ROI on
NM> doing it manually, and only on the initial submission, is pretty
NM> low.
Well, so far I've caught many, many instances of improper URLs, several cases where the packager had modified the tarball and not realized that was problematic, and a few instances where the tarball needed to be modified but the packager hadn't documented the reasons or the necessary changes in accordance with our guidelines. All of those are things that need to be done in review, before the import, because the point is to actually check the packages before they're imported to guard against errors where the packager simply isn't aware of the proper way to do things.
I'm sure I don't need to remind you that last time I asked to add something to the checklist FPC/FESCO argued it was too long already and even if there were many many cases where it caused problems later on it was not worth listing it explicitly. The checksum test is clearly in the same category (and even less worth it because it's already checked automatically).
Letting crap get in and then mailbombing the packager with autoqa mail (which doesn't even exist at this point) isn't friendly to either the packager or the distribution.
Well I'm afraid I've now spent quite a long time writing a mailbomber, because I was told the checklist is off-limits for rules that only catch marginal problems. I really do not see what makes the checksum test any more special or useful.
Am Dienstag, den 13.10.2009, 08:36 +0530 schrieb Parag N(पराग़):
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
As mentioned in your review: IMO it doesn't make a difference, but it must be obvious to other people what you used.
Regards, Parag.
Regards, Christoph
Hi,
On Wed, Oct 14, 2009 at 6:35 AM, Christoph Wickert christoph.wickert@googlemail.com wrote:
Am Dienstag, den 13.10.2009, 08:36 +0530 schrieb Parag N(पराग़):
Hi all, I want to know whether there is really any compulsion on posting md5sum instead of sha1sum? The Review Guidelines say "Reviewers should use md5sum for this task." I have started posting sha1sum for sources in package reviews.
As mentioned in your review: IMO it doesn't make a difference, but it must be obvious to other people what you used.
Thanks. I will mention that I am using sha1sum.
Regards, Parag.
Regards, Christoph