Module file parse API
Chris Hegarty
chris.hegarty at oracle.com
Thu Jun 21 08:25:23 PDT 2012
On 21/06/2012 15:44, Alan Bateman wrote:
> On 21/06/2012 15:11, Sean Mullan wrote:
>> :
>>
>> I've been a little bothered by the fact that the hashes aren't
>> reusable when generating the signatures, and maybe there is a better
>> design, but if nobody else is concerned for now, I'm ok with it.
> I agree with your previous comments that the current hash isn't
> providing any real security, but it does help with basic integrity, say
> where it gets corrupted during transfer ("corrupted" might something
> like legacy ftp transfer in ascii rather than binary mode for example).
> As I understand it, the rational for per-section hashes was to provid
> this basic integrity check when streaming. In any case, it might worth
> looking briefly at other formats as this is now a new problem. Debian
> packages usually include a MD5 control file for example.
To the best of my knowledge deb files are not streamable. You need the
complete archive before you can extract the control information.
The archive itself contains the md5 sums to verify the integrity of the
extracted contents, rather than the archive itself. I'm not sure if
there is a way to verify the integrity of the actual archive, or maybe
this is just a function of whether the archive actually extracts or not.
-Chris.
>
> -Alan
More information about the jigsaw-dev
mailing list