Message-ID: <4B86D30A.2020002@gmail.com>
Date: Thu, 25 Feb 2010 19:44:10 +0000
From: Dave Korn <dave DOT korn DOT cygwin AT googlemail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin 1.7 deployment : disabling MD5 check?
References: <4B8693FA DOT 90009 AT univ-paris1 DOT fr>
In-Reply-To: <4B8693FA.90009@univ-paris1.fr>
Content-Type: multipart/mixed;  boundary="------------010306030801080905080407"
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com

--------------010306030801080905080407
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

On 25/02/2010 15:15, Nicolas Cuissard wrote:

> I'm on the edge of massively deploying Cygwin 1.7 from Cygwin 1.5 (+400
> workstations), and I'm concerned about the time setup.exe takes to
> verify MD5 packages signature.
> 
> When the repository is a remote SaMBa share, it looks that setup.exe
> download all packages one time to check the signature and another time
> to install the package.
> 
> Is there a possibly to disable this check? As a workaround, I can
> silently synchronize the repository on the local drive and launching the
> setup from there, but it's more complicated that using a single
> repository on the network.

  There's no command-line option for it - yet.  (And I'm not really sure if
there should be in general, either.  I'm already uncomfortable about the mere
existence of the -X option, but I had to be practical about it.)

  For situations like this, I'd recommend building and distributing internally
a custom version of setup.exe anyway, so that you can edit IDS_MIRROR_LST and
point it to your own internal mirror with its own mirrors.lst with just a
single entry pointing straight back at itself, and avoid any confused users
trying to install from an external mirror by accident.

  So if you're happy with hacking the code about, just delete all the contents
of the md5_one() function at the end of install.cc.  Or you could try the
attached patch if you want a command-line option for it.  Builds OK but not
tested yet.

  (Note that of course if you do this your users are vulnerable to tampering,
so make sure you have ACLs on the mirror well locked down, or otherwise that
the files are protected against tampering.  You are switching off security,
unbuckling all your seatbelts, and running headlong full tilt with scissors;
any resulting consequences are yours to enjoy!)

    cheers,
      DaveK


--------------010306030801080905080407
Content-Type: text/x-c;
 name="setup-no-md5sums-option.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="setup-no-md5sums-option.diff"

Index: install.cc
===================================================================
RCS file: /cvs/cygwin-apps/setup/install.cc,v
retrieving revision 2.94
diff -p -u -r2.94 install.cc
--- install.cc	28 Jan 2010 22:59:09 -0000	2.94
+++ install.cc	25 Feb 2010 19:22:04 -0000
@@ -76,6 +76,9 @@ static BoolOption NoReplaceOnReboot (fal
 				     "Disable replacing in-use files on next "
 				     "reboot.");
 
+static BoolOption NoMD5Sums (false, '5', "no-md5sums",
+	"Don't validate md5 checksums before installing packages");
+
 struct std_dirs_t {
   const char *name;
   mode_t mode;
@@ -713,6 +716,9 @@ do_install (HINSTANCE h, HWND owner)
 
 void md5_one (const packagesource& pkgsource)
 {
+  if (NoMD5Sums)
+    return;
+
   if (pkgsource.md5.isSet() && pkgsource.Cached ())
   {
     std::string fullname (pkgsource.Cached ());


--------------010306030801080905080407
Content-Type: text/plain; charset=us-ascii

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
--------------010306030801080905080407--