Bug 169607
Summary: | RPM should verify that packages are undamaged before attempting the transaction | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nicholas Miell <nmiell> |
Component: | rpm | Assignee: | Paul Nasrat <nobody+pnasrat> |
Status: | CLOSED WONTFIX | QA Contact: | Mike McLean <mikem> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-04-22 13:38:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nicholas Miell
2005-09-30 07:27:24 UTC
rpm will check the header+payload md5 sum if configured to do so, configuration is even mode specifix, so that install/eras/freshen checks but query does not. rpm -K *.rpm will always check the header+payload md5 any time you want as well. This should be on by default for all modes that deal with .rpm files. There is no way to simultaneously please users who wish fast and users who wish safe in one default configuration. Configure rpm to your needs. By default, RPM should be configured for "safe", not "it's fast, but it'll randomly break your system." That's your opinion. Other opinions are possible. No matter what, there can be onl;y one default configuration. The default configuration is wrong. It should not be possible for a system administrator to damage the system just by attempting a package install. And as much as it's nice for volunteers to help out with Fedora bug triage, I'd really appreciate it if you'd stop messing with this bug until an actual Red Hat employee and/or RPM developer gets involved. I am the maintainer of rpm. It's not going to be fixed in upstream rpm. Period. But feel free to shop an answer from Red Hat. Have fun! NEEDINFO_ENG for Red Hat answer shopping ... I just stumbled on this too, I must agree with Nicholas Miell that a fast-and-flaky default seems like an unusually bad idea. That said I don't blame the rpm-maintainer since the funtionality is there but not used... NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing status to ASSIGNED for ENG review. Verifying header+payload contents using a md5 digest when reading a package is a configurable option in rpm using rpmtsVSFlags() through rpmReadPackageFile(). So the setting is application and site specific. The default value of the behavior is off because the additional benefit of detecting an occaisional faulty download is less than the additional cost of computing the digest. The choice of default is consistent with current applications that use rpmlib. Change the application behavior, and I'll change rpm's default setting. |