Updated: setup.exe (Release 2.867)

Luke Kendall luke.kendall@cisra.canon.com.au
Mon Feb 9 22:39:00 GMT 2015

On 06/02/15 21:23, Corinna Vinschen wrote:
 > On Feb  6 13:05, Luke Kendall wrote:
 >> On 06/02/15 05:07, Corinna Vinschen wrote:
 >>> Hi folks,
 >>> A new version of Setup, release 2.867, has been uploaded to
 >>>    https://cygwin.com/setup-x86.exe     (32 bit version)
 >>>    https://cygwin.com/setup-x86_64.exe  (64 bit version)
 >>> The changes compared to 2.864 are mostly not visible:
 >>> - There's one fix to the output when mistyping a command line option.
 >>> - More importantly, Setup now understands SHA512 checksums additionally
 >>>    to MD5 checksums.  We're going to switch to using SHA512 
checksums in
 >>>    the setup.ini files in a couple of weeks and this requires all 
of you
 >>>    to use the newer Setup version.
 >>> Please send bug reports, as usual, to the public mailing list
 >>> cygwin AT cygwin DOT com.
 >>> Have fun,
 >>> Corinna
 >> I was just wondering, will you be dropping the md5.sum files from the
 >> package directories at the same time?
 > The md5.sum files are created for all ftp dirs on sourceware.org, not
 > only for the Cygwin dirs.  Right now we still need the md5.sum files
 > to support people who haven't upgraded setup yet.  If the files get
 > removed (not created anymore) at one point is up to the overseers crew.
 >>    Just this week I
 >> noticed that cygwin64-gcc-4.8.3-4-src.tar.xz's md5 checksum in its 
 >> file was incorrect (but its md5 in setup.ini was of course correct).
 > "Of course"?  In fact upset (the script creating the setup.ini files)
 > reads the content of md5.sum and uses the checksums in there if
 > available to create the setup.ini entry.  It only computes its own
 > checksum if the md5.sum file is missing the info.  So, afaics, in border
 > cases in which a file gets replaced, there is a chance that the
 > setup.ini checksum is incorrect as well.  In theory that's not supposed
 > to happen because replacing a distro package should always include
 > bumping the subversion, thus creating a new file and just removing the
 > old one.

Hmm, that's interesting.

I based what I said on my experience; I've tried to work out how it fits 
together by looking at the files we get via rsyncing from mirrors.  It's 
not like I've read some reference that describes the Cygwin packaging 
and release process and procedures (I have a feeling that such a 
reference would be setup.exe's source code, by I may also be quite 
mistaken about that).

But the mismatches have been so common, and persisted so long, that I 
(perhaps wrongly) came to the conclusion that relying on the md5.sum 
file was bad, simply because in all the mismatches I've seen over the 
last several months (I'm guessing something like six), setup.ini has 
been correct and the package md5.sum has been wrong; and the error has 
persisted for many, many days.

I suppose another possibility is that we *think* we're rsyncing nightly, 
and we're not, and it's only the automated consistency check that's 
really running each night!  I'll check into that possibility.


 > Corinna

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list