[pca] how to verify md5(from CHECKSUMS file) of patches downloaded

Michele Vecchiato michele.vecchiato at gmail.com
Mon Dec 20 18:49:56 CET 2010 

Il giorno gio, 16/12/2010 alle 09.52 +0100, Martin Paul ha scritto: 
> A (low) level of protection against corruption is that PCA checks whether unzip 
> can extract the file successfully. No idea against how much corruption this 
> protects, but it's better than nothing.
Ok! Thanks for the clarification 
> 
> > Now where am I wrong? Because i don't understand that there are over
> > 2130 patches in my cache pca-proxy server, of 145 can not find the MD5
> > file checksums, and 10 have a different MD5 (patch corrupted) from that
> > contained in the file CHECKSUMS.
> 
> I have run the same test. Of 4387 patch zip files on my proxy 161 are missing in 
> the CHECKSUMS file and 1662 (!) have a different checksum.
> 
> The reaons (or at least one reason) for differing checksums is that Sun/Oracle 
> sometimes changes a patch zip file's contents after first publishing, like 
> updating README files. As far as I know any functional change would trigger a 
> new revision.
> 
I too had a suspicion ... Question for Oracle/Sun: Why not update the
file CHECKSUMS when it changes to patches? Would sweep away all
doubt ... 
> An example:
> 
> > 127127-11.zip MD5 form CHECKSUMS file: c2bf6c07976f113148a0f75a762f2140
> > from verify: a1ce22de9e3fe544d7cffc2de4070a0c
> 
> On my proxy this file has d232b08f4cee8f0507bf720edacc1016 and is from "Apr 25 
> 2008". A fresh download of the file from Oracle is from "Aug 20  2009". 
> Comparing the contents I see that LEGAL_LICENSE.TXT and README.127127-11 are 
> different.
> 
> Now why the checksum in the CHECKSUM doesn't match the file currently available 
> on Oracle's server - no idea.
Don(O'Malley) and Mike(Brown) are listening ... Please can you give us
an answer or an explanation... 
> 
> IMHO, Oracle should include the MD5 checksums into patchdiag.xref. Then it would 
> be easy for a tool like PCA to verify the checksum after download. It could also 
> check whether an already existing ZIP file matches the checksum in the xref file 
> and force a download if not, to ensure that you always get the most recent copy.
> 
It would be ideal if Oracle/Sun could add a field to file patchdiag.xref
with the checksums patch... We would have solved the problem ... I
understand that the file "patchdiag.xref" is updated more frequently
than file "CHECKSUMS" 
> I'm pretty sure that Oracle won't listen, though.
Why should not listen to us ;-) 
In the end we customers pay a support contract to download patches ...
They should give me the chance to see if I download the patches (with
PCA or otherwise) are corrupt or not ...
In addition, the "CHECKSUMS" and "patchdiag.xref" are also used by
employees Oracle/Sun and partners for content in the EIS-DVD  (into
"/sun/patch/etc/" directory of any first EIS-DVDs) 
> And I'm definitely not keen to 
> add a comparable feature to PCA based on the current contents of the CHECKSUMS 
> file. I would end up having to verify manually all those discrepancies to see 
> what's wrong.
> 
> Martin.
Thanks Martin for the quick response and the availability and infinite
patience to devote to this project. I take this opportunity to get you
the best wishes for a Merry Christmas and happy new year.

Michele Vecchiato

-- 
Blog:  http://michelevecchiato.wordpress.com

More information about the pca mailing list