[pca] how to verify md5(from CHECKSUMS file) of patches downloaded
Martin Paul
martin at par.univie.ac.at
Thu Dec 16 09:52:06 CET 2010
Michele Vecchiato wrote:
> Ok, I'm a paranoid person ;-), but how does pca verify that the patch
> downloaded from Oracle site is not corrupt?
Simple answer - it doesn't. I have made experiments with JAR patches in the past
(which are cryptographically signed), but the procedures to verify the
signatures weren't stable enough to integrate them into PCA.
A (low) level of protection against corruption is that PCA checks whether unzip
can extract the file successfully. No idea against how much corruption this
protects, but it's better than nothing.
> Now where am I wrong? Because i don't understand that there are over
> 2130 patches in my cache pca-proxy server, of 145 can not find the MD5
> file checksums, and 10 have a different MD5 (patch corrupted) from that
> contained in the file CHECKSUMS.
I have run the same test. Of 4387 patch zip files on my proxy 161 are missing in
the CHECKSUMS file and 1662 (!) have a different checksum.
The reason (or at least one reason) for differing checksums is that Sun/Oracle
sometimes changes a patch zip file's contents after first publishing, like
updating README files. As far as I know any functional change would trigger a
new revision.
An example:
> 127127-11.zip MD5 from CHECKSUMS file: c2bf6c07976f113148a0f75a762f2140
> from verify: a1ce22de9e3fe544d7cffc2de4070a0c
On my proxy this file has d232b08f4cee8f0507bf720edacc1016 and is from "Apr 25
2008". A fresh download of the file from Oracle is from "Aug 20 2009".
Comparing the contents I see that LEGAL_LICENSE.TXT and README.127127-11 are
different.
Now why the checksum in the CHECKSUMS file doesn't match the file currently available
on Oracle's server - no idea.
IMHO, Oracle should include the MD5 checksums into patchdiag.xref. Then it would
be easy for a tool like PCA to verify the checksum after download. It could also
check whether an already existing ZIP file matches the checksum in the xref file
and force a download if not, to ensure that you always get the most recent copy.
I'm pretty sure that Oracle won't listen, though. And I'm definitely not keen to
add a comparable feature to PCA based on the current contents of the CHECKSUMS
file. I would end up having to verify manually all those discrepancies to see
what's wrong.
Martin.
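The checks discussed in this thread, written out as a small script: the MD5 comparison of cached patch zips against a CHECKSUMS file, the "does unzip succeed" test that PCA relies on, and the member-by-member comparison of two copies of the same patch that Martin did by hand. This is an added example and is not code from the original post or from PCA. The two CHECKSUMS line formats it parses (BSD "MD5 (name) = hash" and coreutils "hash  name") are assumptions, since the page does not show the real layout; the patch ids other than 127127-11, the zip contents and the CHECKSUMS text are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
import zipfile

# Assumed CHECKSUMS line formats (the page does not show the real layout):
#   BSD style:       MD5 (127127-11.zip) = c2bf6c07976f113148a0f75a762f2140
#   coreutils style: c2bf6c07976f113148a0f75a762f2140  127127-11.zip
_BSD = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})$")
_GNU = re.compile(r"^(?P<md5>[0-9a-fA-F]{32})\s+\*?(?P<name>\S+)$")


def parse_checksums(text):
    """Map file name -> lowercase MD5 hex; lines fitting neither format are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            table[m.group("name")] = m.group("md5").lower()
    return table


def md5_file(path):
    """Streaming MD5 of a file (MD5 only because that is what CHECKSUMS carries)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def zip_extracts_ok(path):
    """The 'unzip succeeds' test: open the archive and CRC-check every member."""
    try:
        with zipfile.ZipFile(path) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def verify_cache(cache_dir, checksums_text):
    """Classify each *.zip in cache_dir as ok, mismatch, missing (not listed) or corrupt."""
    table = parse_checksums(checksums_text)
    report = {"ok": [], "mismatch": [], "missing": [], "corrupt": []}
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".zip"):
            continue
        path = os.path.join(cache_dir, name)
        if not zip_extracts_ok(path):
            report["corrupt"].append(name)      # fails the unzip test: never trust it
        elif name not in table:
            report["missing"].append(name)      # CHECKSUMS says nothing about it
        elif md5_file(path) == table[name]:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)     # corrupt OR silently republished
    return report


def zip_member_diff(path_a, path_b):
    """Member names whose bytes differ between two zips (or exist in only one)."""
    def digests(path):
        with zipfile.ZipFile(path) as z:
            return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                    for i in z.infolist() if not i.is_dir()}
    a, b = digests(path_a), digests(path_b)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def build_zip(path, members):
    """Write a constructed sample patch zip; members maps member name -> bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)


def demo():
    """Constructed cache: one good patch, one republished with a new README,
    one absent from CHECKSUMS, one truncated download. Returns (report, diff)."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "127127-11.zip")
    build_zip(good, {"127127-11/README.127127-11": b"Patch-ID# 127127-11\n",
                     "127127-11/LEGAL_LICENSE.TXT": b"license v1\n"})
    # 999999-01 (hypothetical id): CHECKSUMS records the first publication ...
    first = {"999999-01/README.999999-01": b"rev 1\n",
             "999999-01/LEGAL_LICENSE.TXT": b"license v1\n"}
    orig = os.path.join(d, "999999-01.zip.orig")   # kept outside the *.zip scan
    build_zip(orig, first)
    listed_md5 = md5_file(orig)
    # ... but the copy now served carries an updated README, same revision number
    build_zip(os.path.join(d, "999999-01.zip"),
              {**first, "999999-01/README.999999-01": b"rev 1, wording fixed\n"})
    # 888888-01 (hypothetical): valid zip that CHECKSUMS does not list at all
    build_zip(os.path.join(d, "888888-01.zip"), {"888888-01/README.888888-01": b"x\n"})
    # 777777-01 (hypothetical): download cut off half way, central directory lost
    cut = os.path.join(d, "777777-01.zip")
    build_zip(cut, {"777777-01/README.777777-01": b"y\n"})
    with open(cut, "rb") as f:
        data = f.read()
    with open(cut, "wb") as f:
        f.write(data[: len(data) // 2])
    checksums = (f"MD5 (127127-11.zip) = {md5_file(good)}\n"
                 f"{listed_md5}  999999-01.zip\n"
                 f"{listed_md5}  777777-01.zip\n")
    return verify_cache(d, checksums), zip_member_diff(orig, os.path.join(d, "999999-01.zip"))


if __name__ == "__main__":
    report, changed = demo()
    for kind, names in report.items():
        print(f"{kind:9s} {names}")
    print("changed members in 999999-01:", changed)
```

The "mismatch" bucket is the one that needs a human: as the thread notes, a differing MD5 can mean a corrupt download or a patch Oracle quietly republished with new README or license text, and only a member-level comparison against an older copy (zip_member_diff above) tells the two apart. Patches that fail the unzip test are rejected before any checksum is consulted, since a CRC error already proves the file is damaged.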