727387 – "ISO" checksum files should specify sizes as well to allow recovering checksummed files from burned optical discs

Bug 727387 - "ISO" checksum files should specify sizes as well to allow recovering checksummed files from burned optical discs

Summary: "ISO" checksum files should specify sizes as well to allow recovering checksu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pungi
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lubomír Sedlář
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-02 02:25 UTC by Andre Robatino
Modified:	2017-03-28 00:24 UTC (History)
CC List:	6 users (show)
Fixed In Version:	pungi-4.1.13-1.fc25
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-28 00:24:06 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Andre Robatino 2011-08-02 02:25:01 UTC

Description of problem:

To read an image file off a burned optical disc, one needs to know the file size. If the image file is an ISO 9660-compliant ISO file, this can be determined from the Volume Space Size in the ISO header. However, some Fedora image files are not, and the size is larger than that indicated by the Volume Space Size, for example live images and some recent netinst images (and in the case of 16-Alpha.TC1, even the x86_64 DVD image) - see bug 585006. In fact, according to https://bugzilla.redhat.com/show_bug.cgi?id=585006#c89 , the padding may soon be arbitrary data and not simply zeroes, making it impossible to deduce.

The size of an image may be time-consuming or even impossible to find online (not all Fedora images are archived). Also, being able to do an external verification of a burned disc's checksum is important for the following reasons:

1) The disc's built-in mediacheck may either not exist (for example the F15 netinst images) or may not work (for example bug 692135).

2) If one gets a burned disc from someone else, to verify that the disc isn't evil they need to match the disc contents to the official checksum.

So I propose that for each "ISO" checksum line, adding a comment line giving the size in bytes, for example

# Fedora-16-Alpha.TC1-x86_64-DVD.iso: 3589275648 bytes
7feefb939232512fe74dc8adb5aaf197988b99315d357037ca287fc1ea10e29c *Fedora-16-Alpha.TC1-x86_64-DVD.iso

Comment 1 Andre Robatino 2011-08-04 14:19:51 UTC

Another reason for considering this - not a matter of necessity, but still - one of the most common forms of download corruption is simple truncation, and when downloading with a browser (Firefox, at least) as opposed to something like wget, you can't see the target file's exact size in bytes.

Comment 2 Radek Vykydal 2011-08-09 15:30:05 UTC

Are you talking about sha256 sums in *-CHECKSUM lines? These are created by sha256sum called by pungi, not by isomd5sum. If I understand it correctly the primary purpose of md5sum implanted in DVDs is to check the integrity of actual physical medium (not of the iso image - for security purposes there is the sha256 sum)

Comment 3 Andre Robatino 2011-08-09 15:58:17 UTC

I don't understand your question. I'm proposing that the content of the Fedora-*-*-CHECKSUM file be modified by inserting a comment  containing the size for each ISO file, as shown in my example in comment 0, so for example instead of

# The image checksum(s) are generated with sha256sum.
cebebc227314457d0a584252ab1b6cc5744d400bb376d8b4855107be29e19865 *Fedora-16-Alpha-i386-DVD.iso
6c406b07b6a51e9c5f4308708a12375edc30b74cdd81b6119afa5b79755bcc12 *Fedora-16-Alpha-i386-netinst.iso

the checksum file would be

# The image checksum(s) are generated with sha256sum.
# Fedora-16-Alpha-i386-DVD.iso: 3438059520 bytes
cebebc227314457d0a584252ab1b6cc5744d400bb376d8b4855107be29e19865 *Fedora-16-Alpha-i386-DVD.iso
# Fedora-16-Alpha-i386-netinst.iso: 132194304 bytes
6c406b07b6a51e9c5f4308708a12375edc30b74cdd81b6119afa5b79755bcc12 *Fedora-16-Alpha-i386-netinst.iso

I don't know what software would be responsible for creating the extra comment lines (I originally assigned this bug to "distribution" and it was reassigned).

Comment 4 Jesse Keating 2011-08-09 16:52:26 UTC

Pungi runs that for the traditional install media.  It is ran by hand for the live images.

Patches welcome at this point.

Comment 5 Andre Robatino 2011-08-12 01:57:30 UTC

I don't know Python, but it looks like the checksum lines are created by pungi-2.9/src/pypungi/__init__.py, line 978:

checkfile.write("%s *%s\n" % (checksum.replace('sha256:', ''), os.path.basename(path)))

So one could put one line before this to generate the byte size comment line. But since the checksum files are currently made by hand for live images, would it make sense to just use a little script run inside the ISO directory and call it for both install and live images, for example

#!/bin/sh
echo \# The image checksum\(s\) are generated with sha256sum.
for i in *.iso ; do
  echo \# "$i" : `stat -c %s "$i"` bytes
  sha256sum -b "$i"
done

instead of doing it inside pungi? (Of course the script that calls this would have to redirect to the correct file name.)

Comment 6 Fedora Admin XMLRPC Client 2012-02-10 18:58:49 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Fedora End Of Life 2013-04-03 14:31:22 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 8 Fedora End Of Life 2015-01-09 16:44:18 UTC

This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Fedora Update System 2017-03-06 10:15:54 UTC

pungi-4.1.13-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-803e6bacb4

Comment 10 Fedora Update System 2017-03-07 01:49:55 UTC

pungi-4.1.13-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-803e6bacb4

Comment 11 Fedora Update System 2017-03-28 00:24:06 UTC

pungi-4.1.13-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.