[Bug 875466] [NEW] Lots of packages shipping with broken md5sums

Jürgen Kreileder jk at blackdown.de
Sun Oct 16 03:52:37 UTC 2011 

Public bug reported:

This problem is easily noticeable on oneiric if you install the debsums
package and run 'debsums -s'

On a server system with only very small set of packages installed, I see broken md5sums for these packages:
% sudo debsums -s
debsums: changed file /usr/share/doc/libaprutil1-dbd-sqlite3/changelog.Debian.gz (from libaprutil1-dbd-sqlite3 package)
debsums: changed file /usr/share/doc/libaprutil1-ldap/changelog.Debian.gz (from libaprutil1-ldap package)
debsums: changed file /usr/share/doc/libxcb-render0/changelog.Debian.gz (from libxcb-render0 package)
debsums: changed file /usr/share/doc/libxcb-shm0/changelog.Debian.gz (from libxcb-shm0 package)
debsums: changed file /usr/share/doc/perl/changelog.Debian.gz (from perl-base package)
debsums: changed file /usr/share/doc/racoon/changelog.Debian.gz (from racoon package)

On a desktop system you'll see a *lot* more problems.  See here for
example: http://ubuntuforums.org/showthread.php?t=1859706  (report from
another person who noticed the same problem)


Some of the wrong checksums are probably caused by including checksums for symlinked files from other packages into md5sums.
Example:

% ls -l /usr/share/doc/libxcb-shm0/changelog.Debian.gz
lrwxrwxrwx 1 root root 30 2011-10-14 21:45 /usr/share/doc/libxcb-shm0/changelog.Debian.gz -> ../libxcb1/changelog.Debian.gz
% aptitude download libxcb-render0
Get: 1 http://archive.ubuntu.com/ubuntu/ oneiric/main libxcb-render0 amd64 1.7-3 [11.9 kB]
Fetched 11.9 kB in 0s (146 kB/s)       
% dpkg -x libxcb-render0_1.7-3_amd64.deb .
% dpkg -e libxcb-render0_1.7-3_amd64.deb 
% grep changelog.Debian.gz DEBIAN/md5sums 
15276f194d3ca77e0c9682105f2f004c  usr/share/doc/libxcb-render0/changelog.Debian.gz
% md5sum usr/share/doc/libxcb-render0/changelog.Debian.gz
md5sum: usr/share/doc/libxcb-render0/changelog.Debian.gz: No such file or directory
% ls -l usr/share/doc/libxcb-render0/changelog.Debian.gz
lrwxrwxrwx 1 jk jk 30 2011-06-11 01:23 usr/share/doc/libxcb-render0/changelog.Debian.gz -> ../libxcb1/changelog.Debian.gz


But there are also packages that actually have wrong md5sums for files included in the package. 
Example:

% aptitude download perl-base
Get: 1 http://archive.ubuntu.com/ubuntu/ oneiric/main perl-base amd64 5.12.4-4 [1,430 kB]
Fetched 1,430 kB in 0s (2,440 kB/s)   
% dpkg -x perl-base_5.12.4-4_amd64.deb .
% dpkg -e perl-base_5.12.4-4_amd64.deb
% grep changelog.Debian.gz DEBIAN/md5sums 
b060dab6fca4e84eceacdefb619fa79b  usr/share/doc/perl/changelog.Debian.gz
% md5sum usr/share/doc/perl/changelog.Debian.gz
ec4b1914bcbe7a3143e0b16f81b9a329  usr/share/doc/perl/changelog.Debian.gz

Both of this cases should be fixed.

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/875466

Title:
  Lots of packages shipping with broken md5sums

Status in “dpkg” package in Ubuntu:
  New

Bug description:
  This problem is easily noticeable on oneiric if you install the
  debsums package and run 'debsums -s'

  On a server system with only very small set of packages installed, I see broken md5sums for these packages:
  % sudo debsums -s
  debsums: changed file /usr/share/doc/libaprutil1-dbd-sqlite3/changelog.Debian.gz (from libaprutil1-dbd-sqlite3 package)
  debsums: changed file /usr/share/doc/libaprutil1-ldap/changelog.Debian.gz (from libaprutil1-ldap package)
  debsums: changed file /usr/share/doc/libxcb-render0/changelog.Debian.gz (from libxcb-render0 package)
  debsums: changed file /usr/share/doc/libxcb-shm0/changelog.Debian.gz (from libxcb-shm0 package)
  debsums: changed file /usr/share/doc/perl/changelog.Debian.gz (from perl-base package)
  debsums: changed file /usr/share/doc/racoon/changelog.Debian.gz (from racoon package)

  On a desktop system you'll see a *lot* more problems.  See here for
  example: http://ubuntuforums.org/showthread.php?t=1859706  (report
  from another person who noticed the same problem)

  
  Some of the wrong checksums are probably caused by including checksums for symlinked files from other packages into md5sums.
  Example:

  % ls -l /usr/share/doc/libxcb-shm0/changelog.Debian.gz
  lrwxrwxrwx 1 root root 30 2011-10-14 21:45 /usr/share/doc/libxcb-shm0/changelog.Debian.gz -> ../libxcb1/changelog.Debian.gz
  % aptitude download libxcb-render0
  Get: 1 http://archive.ubuntu.com/ubuntu/ oneiric/main libxcb-render0 amd64 1.7-3 [11.9 kB]
  Fetched 11.9 kB in 0s (146 kB/s)       
  % dpkg -x libxcb-render0_1.7-3_amd64.deb .
  % dpkg -e libxcb-render0_1.7-3_amd64.deb 
  % grep changelog.Debian.gz DEBIAN/md5sums 
  15276f194d3ca77e0c9682105f2f004c  usr/share/doc/libxcb-render0/changelog.Debian.gz
  % md5sum usr/share/doc/libxcb-render0/changelog.Debian.gz
  md5sum: usr/share/doc/libxcb-render0/changelog.Debian.gz: No such file or directory
  % ls -l usr/share/doc/libxcb-render0/changelog.Debian.gz
  lrwxrwxrwx 1 jk jk 30 2011-06-11 01:23 usr/share/doc/libxcb-render0/changelog.Debian.gz -> ../libxcb1/changelog.Debian.gz

  
  But there are also packages that actually have wrong md5sums for files included in the package. 
  Example:

  % aptitude download perl-base
  Get: 1 http://archive.ubuntu.com/ubuntu/ oneiric/main perl-base amd64 5.12.4-4 [1,430 kB]
  Fetched 1,430 kB in 0s (2,440 kB/s)   
  % dpkg -x perl-base_5.12.4-4_amd64.deb .
  % dpkg -e perl-base_5.12.4-4_amd64.deb
  % grep changelog.Debian.gz DEBIAN/md5sums 
  b060dab6fca4e84eceacdefb619fa79b  usr/share/doc/perl/changelog.Debian.gz
  % md5sum usr/share/doc/perl/changelog.Debian.gz
  ec4b1914bcbe7a3143e0b16f81b9a329  usr/share/doc/perl/changelog.Debian.gz

  Both of this cases should be fixed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/875466/+subscriptions

More information about the foundations-bugs mailing list