rpm5 package verification and md5sum of config files

Adam Osuchowski adwol at zonk.pl
Tue Oct 16 00:47:57 CEST 2012


Jeffrey Johnson wrote:
> FYI: the --nomd5 option changed to --nofdigests like 4-5y ago.
> If there is still "legacy compatibility" for --nomd5, then it's time
> to rip it out imho: I see no reason to maintain myriad
> confusing alternative invocations for changes made years ago.

What's the difference... With --nofdigests behaviour is the same.

> What are you showing me?

I'm showing you invalid output of rpm. Tell me sincerely, is it normal
that rpm with option --nomd5/--nofdigests shows that ALL files in
package are modified even though they aren't?

> I can't tell what rpm version, and
> I have no comparison to be able to tell what you consider
> a "bug" from the above display. I have no idea what/how
> rpm is patched in PLD, assuming that is the OS being used.

I wrote the version I checked in my first mail, but I can repeat:
rpm-5.4.10-18 from PLD distro (I report it on the pld-devel mailing list,
so it should be obvious). Anyway, it doesn't matter because vanilla
rpm5 behaves in the same way.

> I also cannot tell what the output SHOULD look like
> without knowing more details.

Run rpm4 and you can see it yourself. Hint: there should be empty
output, because no files were modified, so `rpm -V' should print
nothing.

BTW, why is there no information in the documentation about the --nohmacs
option, which tells rpm not to show this faked information?

> You are entirely entitled to hold whatever point of view and
> opinion you wish.

Should I understand that you think the situation I report is quite normal
and rpm5 will always show that the md5 digest of a file is changed even if
the content is not modified? Interesting...

> But if you are seriously interested in a change in RPM, then post
> a bug (launchpad/rpm preferred) with sufficient information to analyze,
> not just POV/opinion.

I don't have time and don't feel like creating launchpad account, so
I report here.

The problem is: rpm5 keeps md5 digests of files in its database, but
when verifying files marked in the specfile like this (in PLD most config
files have this mark):

    %verify(not md5)

it compares these md5 digests with the hmac-md5 of the current files on disk,
which of course leads to differences (rpmvfVerify() in lib/verify.c:265).
Changing this to:

    %verify(not hmac)

helps, but I think it is not a good solution. Rather, there should be
consistency in digest types (plain vs. hmac): since md5 digests are
stored in the database, -V should check md5, not hmac-md5. So I propose
a change like the one in my mail attachment (btw, I really don't have any
idea what this line is for).

Do what you want with this knowledge. I would only like rpm5 to work
no worse than rpm4, and I hope you now understand where the problem lies.
-------------- next part --------------
--- rpm-5.4.10.orig/build/files.c	2012-10-15 23:29:13.601832730 +0200
+++ rpm-5.4.10/build/files.c	2012-10-15 23:29:50.264308164 +0200
@@ -393,7 +393,6 @@
 		if (strcmp(p, vfa->attribute))
 		    /*@innercontinue@*/ continue;
 		verifyFlags |= vfa->flag;
-		    verifyFlags &= ~RPMVERIFY_FDIGEST;
 		/*@innerbreak@*/ break;
 	    }
 	    if (vfa->attribute)
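
Review bot: the removed `verifyFlags &= ~RPMVERIFY_FDIGEST;` line, which sat directly after `verifyFlags |= vfa->flag;`, cleared the file-digest bit for every matched attribute, and the patch drops it without recording why it was there. It is indented one level deeper than its neighbours, which suggests it was added separately from the surrounding code; please find the change that introduced it and state the reason for removal in the patch description. The hunk also touches build/files.c, whereas the comparison the mail points to is rpmvfVerify() in lib/verify.c, so the description should say how packages whose flags were already computed behave, and a check against a file marked `%verify(not md5)` would confirm that `rpm -V` prints nothing for unmodified files.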


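The digest-type mismatch described in the message above, as an added example that is not part of the original mail or of rpm's code: a database holding plain MD5 values is checked once against HMAC-MD5 of the files and once against the recorded digest type. The HMAC key, the file paths and contents, and all function names are constructed for illustration; the page does not say what key rpm5 uses.

```python
import hashlib
import hmac

# Assumption: placeholder key, the page does not give rpm5's HMAC key.
HMAC_KEY = b"constructed-example-key"


def plain_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hmac_md5(data: bytes) -> str:
    return hmac.new(HMAC_KEY, data, hashlib.md5).hexdigest()


DIGESTS = {"md5": plain_md5, "hmac-md5": hmac_md5}

# Constructed sample "package": path -> content at build time.
PACKAGED = {
    "/etc/example/a.conf": b"listen = 127.0.0.1\n",
    "/etc/example/b.conf": b"loglevel = info\n",
}


def build_db(files):
    """Record a plain MD5 per file, as the mail says the database does."""
    return {path: ("md5", plain_md5(data)) for path, data in files.items()}


def verify_mismatched(db, on_disk):
    """Reported behaviour: stored MD5 compared with HMAC-MD5 of the file."""
    return sorted(p for p, (_, stored) in db.items()
                  if hmac_md5(on_disk[p]) != stored)


def verify_consistent(db, on_disk):
    """Compare using the same digest type that was recorded."""
    return sorted(p for p, (algo, stored) in db.items()
                  if DIGESTS[algo](on_disk[p]) != stored)


if __name__ == "__main__":
    db = build_db(PACKAGED)
    tampered = dict(PACKAGED)
    tampered["/etc/example/b.conf"] = b"loglevel = debug\n"
    # Mismatched check flags every file, so the real change is not distinguishable.
    print("mismatched, untouched:", verify_mismatched(db, PACKAGED))
    print("mismatched, tampered: ", verify_mismatched(db, tampered))
    print("consistent, untouched:", verify_consistent(db, PACKAGED))
    print("consistent, tampered: ", verify_consistent(db, tampered))
```

With the mismatched comparison the report is identical whether or not a file was changed, so a verification run in that state carries no integrity signal for the digest field.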