X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=FYoidvOa+M/1k6JY qQrXxMInLf9xa2MIWnNGpX5rC5XpQ8Ab+WMRUVsYXE2/tBxarLQlTt0PJc9oCCNW oOONkM3GB+sWzWc3/A59ce00ocxdamipPOcJYUYX2LMF9rmySpxA9IP4IzPVDuF3 OqND7o87wimmV2T6KAZ3ROwmtyM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; s=default; bh=xXWbwxK4Dbh0dJfWbHxHOj 7/Xz8=; b=UuNqWx75Ke16/MVkIqNJ/mbsQ2TWcxNPOhMN2vhvJRSqFJAxhxOptq jq51Fur1aviByOSele+dZQtmlJsUJQzZCe7nSyq8af3RQD38XuK3TZdqmleBlzBI BvMtjy7eIC/+LOtdVC2qVNwdxwf3SVaQh6UrOIvLkFmg3MGY4xeII= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_50,EXECUTABLE_URI,KAM_EXEURI autolearn=no version=3.3.2 X-HELO: EXE01-WPP.cisra.canon.com.au Message-ID: <54D93708.7070404@cisra.canon.com.au> Date: Tue, 10 Feb 2015 09:39:04 +1100 From: Luke Kendall User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: CC: audit Subject: Re: Updated: setup.exe (Release 2.867) References: <20150205180713 DOT GZ2635 AT calimero DOT vinschen DOT de> <54D4216D DOT 5050509 AT cisra DOT canon DOT com DOT au> <20150206102304 DOT GD2635 AT calimero DOT vinschen DOT de> In-Reply-To: <20150206102304.GD2635@calimero.vinschen.de> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 06/02/15 21:23, Corinna Vinschen wrote: > On Feb 6 13:05, Luke Kendall wrote: >> On 06/02/15 05:07, Corinna Vinschen wrote: >>> Hi folks, >>> >>> A new version of Setup, release 2.867, has been uploaded to >>> >>> https://cygwin.com/setup-x86.exe (32 bit version) >>> https://cygwin.com/setup-x86_64.exe (64 bit version) >>> >>> The changes compared to 2.864 are mostly not visible: >>> >>> - There's one fix to the output when mistyping a command line option. >>> >>> - More importantly, Setup now understands SHA512 checksums additionally >>> to MD5 checksums. We're going to switch to using SHA512 checksums in >>> the setup.ini files in a couple of weeks and this requires all of you >>> to use the newer Setup version. >>> >>> >>> Please send bug reports, as usual, to the public mailing list >>> cygwin AT cygwin DOT com. >>> >>> >>> Have fun, >>> Corinna >>> >> >> I was just wondering, will you be dropping the md5.sum files from the >> package directories at the same time? > > The md5.sum files are created for all ftp dirs on sourceware.org, not > only for the Cygwin dirs. Right now we still need the md5.sum files > to support people who haven't upgraded setup yet. If the files get > removed (not created anymore) at one point is up to the overseers crew. > >> Just this week I >> noticed that cygwin64-gcc-4.8.3-4-src.tar.xz's md5 checksum in its md5.sum >> file was incorrect (but its md5 in setup.ini was of course correct). > > "Of course"? In fact upset (the script creating the setup.ini files) > reads the content of md5.sum and uses the checksums in there if > available to create the setup.ini entry. It only computes its own > checksum if the md5.sum file is missing the info. So, afaics, in border > cases in which a file gets replaced, there is a chance that the > setup.ini checksum is incorrect as well. In theory that's not supposed > to happen because replacing a distro package should always include > bumping the subversion, thus creating a new file and just removing the > old one. Hmm, that's interesting. I based what I said on my experience; I've tried to work out how it fits together by looking at the files we get via rsyncing from mirrors. It's not like I've read some reference that describes the Cygwin packaging and release process and procedures (I have a feeling that such a reference would be setup.exe's source code, by I may also be quite mistaken about that). But the mismatches have been so common, and persisted so long, that I (perhaps wrongly) came to the conclusion that relying on the md5.sum file was bad, simply because in all the mismatches I've seen over the last several months (I'm guessing something like six), setup.ini has been correct and the package md5.sum has been wrong; and the error has persisted for many, many days. I suppose another possibility is that we *think* we're rsyncing nightly, and we're not, and it's only the automated consistency check that's really running each night! I'll check into that possibility. luke > Corinna > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple