rpm5 package verification and md5sum of config files

Jeffrey Johnson n3npq at me.com
Tue Oct 16 01:23:27 CEST 2012


On Oct 15, 2012, at 6:47 PM, Adam Osuchowski <adwol at zonk.pl> wrote:

> Jeffrey Johnson wrote:
>> FYI: the --nomd5 option changed to --nofdigests like 4-5y ago.
>> If there is still "legacy compatibility" for --nomd5, then it's time
>> to rip it out imho: I see no reason to maintain myriad
>> confusing alternative invocations for changes made years ago.
> 
> What's the difference... With --nofdigests behaviour is the same.
> 

Good: so the "legacy retrofit" is identical.

>> What are you showing me?
> 
> I'm showing you invalid output of rpm. Tell me sincerely, is it normal
> that rpm with option --nomd5/--nofdigests shows that ALL files in
> package are modified even though they aren't?
> 

Good: so rpm5 output (quite broken, non-intentional).

E.g. the '5' is being reported on directories in the wget
package: there is no intent to verify content digests on
directories in RPM *EVER*.

Translation: something is seriously FUBR and WORKSFORME.

>> I can't tell what rpm version, and
>> I have no comparison to be able to tell what you consider
>> a "bug" from the above display. I have no idea what/how
>> rpm is patched in PLD, assuming that is the OS being used.
> 
> I wrote version I checked in my first mail, but I can repeat:
> rpm-5.4.10-18 from PLD distro (I report it on pld-devel mailing list,
> so it should be obvious). Anyway, it doesn't matter because vanilla
> rpm5 behaves in the same way.
> 

I use rpm5, but I have no idea what "features" are enabled,
nor what patches are applied, nor do I use PLD daily.

IMHO, something is seriously screwed, nothing whatsoever to do
with POV or opinion or @rpm.org != @rpm5.org (contrary to your
report).

>> I also cannot tell what the output SHOULD look like
>> without knowing more details.
> 
> Run rpm4 and you can see it yourself. Hint: there should be empty
> output, because no files were modified, so `rpm -V' should print
> nothing.
> 

WTF should I run rpm-4.5.x for? This is a PLD problem, not anything
intended. If you give me enough details, I'll sort the issue for you.
Meanwhile I don't use PLD/rpm-4.5/wget (as built by PLD) at all.

> BTW, why there is no information in documentation about --nohmacs
> option which tell rpm to not show this faked information?
> 

*shrug* If you want to use HMAC's (PLD is still using MD5),
then you need to talk to me. WORKSFORME (but what I do with RPM has
almost nothing to do with what you do with RPM)

>> You are entirely entitled to hold whatever point of view and
>> opinion you wish.
> 
> Should I understand you think that situation I report is quite normal
> and rpm5 will always show that md5 digest of file is changed even if
> content is not modified? Interesting…
> 

No: displaying '5' on directories is totally broken and I have no
idea why.


>> But if you are seriously interested in a change in RPM, then post
>> a bug (launchpad/rpm preferred) with sufficient information to analyze,
>> not just POV/opinion.
> 
> I don't have time and don't feel like creating launchpad account, so
> I report here.
> 

*me too* 

> The problem is: rpm5 keeps md5 digests of files in its database, but
> when verifying files marked in specfile like this (in PLD most of config
> files have this mark):
> 
>    %verify(not md5)
> 
> it compares these md5 digests with hmac-md5 of current files on disk
> which of course leads to differences (rpmvfVerify() in lib/verify.c:265).
> Changing this to:
> 
>    %verify(not hmac)
> 
> helps, but I think it is not good solution. Rather, there should be
> consistency in digest types (plain vs. hmac): since md5 digests are
> stored in database, -V should check md5 not hmac-md5. So, I propose
> change like in my mail attachment (btw, I really don't have any idea
> what this line is for).
> 

Are you trying to use HMAC's? Where did HMAC-MD5 come from (it wasn't in the original report).

> Make what do you want with this knowledge. I only would like rpm5 works
> not worse than rpm4 and I hope you now understand where the problem lies.

I need sufficient details to sort your problem: after that I don't really
whether you think the problem is a difference between
	rpm-4.5 != rpm-5.4.10
or not.

IMHO you have a bug, not anything else.

73 de Jeff
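
The mismatch described in the quoted report (plain MD5 stored in the database, HMAC-MD5 computed at verify time for files marked `%verify(not md5)`) can be modelled as follows. This is an added example, not part of the original message and not rpm's code; the flag names, the HMAC key, and the sample paths and contents are all constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical flag bits for this model; they are not rpm's real constants.
VERIFY_MD5 = 0x1
VERIFY_HMAC = 0x2
KEY = b"constructed-key"  # assumption: the thread does not say which key is used


def plain_md5(data):
    return hashlib.md5(data).hexdigest()


def hmac_md5(data):
    return hmac.new(KEY, data, hashlib.md5).hexdigest()


def make_entry(path, kind, flags, packaged, on_disk):
    # The database side always stores the plain MD5 of the packaged content.
    stored = plain_md5(packaged) if kind == "file" else ""
    return {"path": path, "kind": kind, "flags": flags, "stored": stored, "on_disk": on_disk}


def verify(entries, consistent):
    """Return the paths that would get a '5' (digest mismatch) in the report."""
    flagged = []
    for e in entries:
        if e["kind"] != "file":
            continue  # content digests are never checked on directories
        if e["flags"] & VERIFY_MD5:
            actual = plain_md5(e["on_disk"])
        elif e["flags"] & VERIFY_HMAC:
            # Mismatched mode: keyed digest compared against a stored plain digest.
            actual = plain_md5(e["on_disk"]) if consistent else hmac_md5(e["on_disk"])
        else:
            continue  # no digest check requested for this file
        if actual != e["stored"]:
            flagged.append(e["path"])
    return flagged


# Constructed sample entries (paths and contents are made up).
ENTRIES = [
    make_entry("/etc/example", "dir", VERIFY_MD5 | VERIFY_HMAC, b"", b""),
    make_entry("/etc/example/a.conf", "file", VERIFY_HMAC, b"k=1\n", b"k=1\n"),  # %verify(not md5)
    make_entry("/etc/example/b.conf", "file", VERIFY_MD5, b"k=2\n", b"k=2\n"),   # %verify(not hmac)
    make_entry("/usr/bin/example", "file", VERIFY_MD5, b"v1", b"v2"),            # really modified
]

if __name__ == "__main__":
    print("mismatched:", verify(ENTRIES, consistent=False))
    print("consistent:", verify(ENTRIES, consistent=True))
```

In the mismatched mode the untouched `a.conf` is reported alongside the genuinely modified file; with one digest type on both sides only the modified file remains.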

