
Re: [suse-security] wrong MD5 sum in advisory SUSE-SA:2006:009



On Tue, Feb 28, 2006 at 06:58:02PM +0100, Malte Gell wrote:
> On Tuesday 28 February 2006 15:19, Marcus Meissner wrote:
> > On Mon, Feb 27, 2006 at 11:30:38PM +0100, Malte Gell wrote:
> 
> > > ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm
> > > is wrong, on my machine I get
> > > fe3233bc0b60f6fa67ac6f062af2c793.
> > > But the rpm seems to be signed correctly with the package key
> > > 0x9c800aca
> 
> > This is a problem of the MD5 generation in the advisory tool, not a
> > problem.
> 
> > The cause is that we have multiple SRPMs for the 10.0 distribution,
> > but only one gets copied to the ftp tree (because it is shared for
> > i386,x86_64,ppc and ppc64).
> 
> Thanx for the explanation. But, just out of curiosity, if you can offer 
> one single src.rpm for 3 platforms, why do you need multiple src.rpms 
> internally at Novell/SUSE?

They are generated during RPM build. Currently we have 3 trees
active for 10.0 that provide gpg packages, the i386, x86_64 and ppc trees.

RPMs from all of them are merged for updates to result in 1 update repository,
so 3 gpg SRPMs are merged into one. Due to different build times they have
different md5s.

(Internally we store our sources not as SRPMs, but in an unpacked way nearly
identical to the SOURCES/ and SPECS/ directory.)

Ciao, Marcus

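The effect described in the reply above, as an added example that is not part of the original thread or of SUSE's tooling: the same sources packed at different build times give different whole-file MD5 sums, while a digest over the contents alone stays equal. A tar archive stands in for the SRPM here; the file contents, build times and function names are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (stand-in for SOURCES/ and SPECS/).
SOURCES = {
    "gpg.spec": b"Name: gpg\nVersion: 1.4.2\n",
    "gnupg-1.4.2.tar.bz2": b"constructed placeholder for the upstream tarball\n",
}

def build_archive(sources, build_time):
    """Pack sources into a tar archive, stamping every member with build_time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):
            info = tarfile.TarInfo(name)
            info.size = len(sources[name])
            info.mtime = build_time  # the only thing that differs between builds
            tar.addfile(info, io.BytesIO(sources[name]))
    return buf.getvalue()

def file_md5(blob):
    """MD5 over the whole file, as an advisory would list it."""
    return hashlib.md5(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over member names and bytes only, ignoring build metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(member).read()
            h.update(member.name.encode() + b"\0")
            h.update(str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def compare(a, b):
    """Report whether two builds match as files and as contents."""
    return {
        "same_file_md5": file_md5(a) == file_md5(b),
        "same_content": content_digest(a) == content_digest(b),
    }

if __name__ == "__main__":
    # Constructed build times for the three trees named in the thread.
    trees = {"i386": 1141000000, "x86_64": 1141000300, "ppc": 1141000900}
    for arch, when in trees.items():
        blob = build_archive(SOURCES, when)
        print(arch, file_md5(blob), content_digest(blob)[:16])
```

A content digest like this only shows that two builds carry the same sources; whether a package is authentic is still decided by its signature, as noted in the original report.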