About changing md5sum's
Jerry Lundström
prox at lunar-linux.org
Thu May 13 09:33:36 GMT 2004
Hi ppl,

This may sound very paranoid but please, when packages change md5sum and
they DON'T change version, please read thru all the changes.
As the example below shows, it takes the recently changed module doxygen.
I'm not blaming you in any way cmak, but if you had looked at the diff you'd
see that it was very wrongly packaged. They included several generated
files that should be generated on doing make. And since they just added
them without doing a version update that can mean code
insertion/exploits. This is why we have md5sum, to tell us that
something is wrong. We need to get better at this since we are a
source-based dist.
Unpack the package we had before into one dir maybe called module.orig,
then unpack the new into module and do:
diff -urN module.orig module | less
This will give you a list of all changes; for ppl that don't know diff, it's
pretty easy.
A diff starts with the diff command itself, for example:
diff -urN doxygen-1.3.7.orig/INSTALL doxygen-1.3.7/INSTALL
Then we have the + - header of the file with dates etc etc:
--- doxygen-1.3.7.orig/INSTALL 2004-05-08 04:40:07.000000000 +0200
+++ doxygen-1.3.7/INSTALL 2004-05-08 10:56:47.000000000 +0200
After that we have the changes in the file; every change starts with an
index line:
@@ -4,4 +4,4 @@
And then the change; the first char is either a space, + or -. Space is no
change, + adds that line and - removes it:
(http://www.doxygen.org/install.html) for instructions.
--------
-Dimitri van Heesch (07 May 2004)
+Dimitri van Heesch (08 May 2004)
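Review bot: the version is unchanged (both header paths still say doxygen-1.3.7) even though the -/+ pair moves the release date in INSTALL from 07 May 2004 to 08 May 2004, so this is a re-rolled archive under an old version number. Ask upstream for a new version number, and do not update the md5sum until every remaining hunk of the diff has been read.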
That's all folks, be safe and secure!
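Added example, not part of the original post: a first-pass triage to run before paging through the full `diff -urN` output. It lists which files were added (A), deleted (D) or modified (M) between the two unpacked trees, so newly shipped files such as pre-generated output stand out. The function names and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# tree_changes ORIG NEW
# Prints "A path", "D path" or "M path" for every regular file that was
# added to, deleted from, or modified in NEW relative to ORIG.
# Only regular files are compared; file names containing newlines are
# not supported.
tree_changes() {
    orig=$1; new=$2
    work=$(mktemp -d) || return 1
    # Relative file lists, sorted in the C locale so comm agrees with sort.
    (cd "$orig" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$work/a"
    (cd "$new"  && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$work/b"
    # Files only in NEW: the first thing to read when the version did not change.
    LC_ALL=C comm -13 "$work/a" "$work/b" | sed 's/^/A /'
    # Files only in ORIG.
    LC_ALL=C comm -23 "$work/a" "$work/b" | sed 's/^/D /'
    # Files present in both trees: compare them byte for byte.
    LC_ALL=C comm -12 "$work/a" "$work/b" | while IFS= read -r f; do
        cmp -s "$orig/$f" "$new/$f" || printf 'M %s\n' "$f"
    done
    rm -rf "$work"
}

# Constructed sample: two small trees standing in for the old and the
# re-rolled tarball. The new tree changes INSTALL and ships one extra
# pre-generated file; src/main.c is identical in both.
make_sample_trees() {
    mkdir -p "$1/module.orig/src" "$1/module/src" "$1/module/doc"
    echo 'Dimitri van Heesch (07 May 2004)' > "$1/module.orig/INSTALL"
    echo 'Dimitri van Heesch (08 May 2004)' > "$1/module/INSTALL"
    echo 'int main(void) { return 0; }' > "$1/module.orig/src/main.c"
    cp "$1/module.orig/src/main.c" "$1/module/src/main.c"
    echo '<html>generated</html>' > "$1/module/doc/index.html"
}

# Demo run on the constructed trees.
d=$(mktemp -d) && make_sample_trees "$d" &&
    tree_changes "$d/module.orig" "$d/module"
rm -rf "$d"
```

Every path it reports still needs to be read in the full `diff -urN` output; the summary only tells you where to look first.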