[pacman-dev] [PATCH] pacman-optimize: standardize on openssl usage, only touch local/

Dan McGee dan at archlinux.org
Thu Mar 8 18:19:39 EST 2012

The rest of our scripts have been using `openssl dgst` rather than tools
like `md5sum` for some time, so convert this one too. We also make the
following other adjustments:

* Use a `find -print0 | xargs -0` pipeline so paths with spaces and/or
  newlines don't totally kill us.
* Ensure the files we write out contain only paths relative to the
  database root, where we know the filenames should all be sane.
* Remove use of `diff`, this was the only time we used it in scripts and
  we can get a cheap substitute by comparing file checksums instead.
* Only touch the local/ part of the database. It makes little sense to
  do anything to the sync/ directory anymore as they are compressed
  single files that should be regularly written out in full and won't be
  fragmented on any sane filesystem.

Signed-off-by: Dan McGee <dan at archlinux.org>
 scripts/pacman-optimize.sh.in |   45 +++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/scripts/pacman-optimize.sh.in b/scripts/pacman-optimize.sh.in
index d80435c..4a84c0b 100644
--- a/scripts/pacman-optimize.sh.in
+++ b/scripts/pacman-optimize.sh.in
@@ -88,9 +88,8 @@ if [[ -n $1 ]]; then
-# make sure diff is installed
-if ! type diff >/dev/null 2>&1; then
-	die "$(gettext "diff tool was not found, please install diffutils.")"
+if ! type -p openssl >/dev/null; then
+	die "$(gettext "Cannot find the %s binary required for verifying integrity.")" "openssl"
 if [[ ! -d $dbroot || ! -d $dbroot/local ]]; then
@@ -103,8 +102,8 @@ fi
 # strip any trailing slash from our dbroot
-# form the path to our lockfile location
 # make sure pacman isn't running
 if [[ -f $lockfile ]]; then
@@ -118,37 +117,39 @@ workdir=$(mktemp -d "${TMPDIR:-/tmp}/pacman-optimize.XXXXXXXXXX") ||
 # step 1: sum the old db
 msg "$(gettext "MD5sum'ing the old database...")"
-find "$dbroot" -type f | sort | xargs md5sum > "$workdir/pacsums.old"
+(cd "$localdb" && find . -type f -print0 | \
+	xargs -0 openssl dgst -md5 | sort > "$workdir/pacsums.old")
 # step 2: tar it up
-msg "$(gettext "Tar'ing up %s...")" "$dbroot"
-bsdtar -czf "$workdir/pacman-db.tar.gz" -C "$dbroot" ./
+msg "$(gettext "Tar'ing up %s...")" "$localdb"
+bsdtar -czf "$workdir/pacman-db.tar.gz" -C "$localdb" ./
 if (( $? )); then
 	rm -rf "$workdir"
-	die_r "$(gettext "Tar'ing up %s failed.")" "$dbroot"
+	die_r "$(gettext "Tar'ing up %s failed.")" "$localdb"
 # step 3: make and sum the new db side-by-side with the old
 msg "$(gettext "Making and MD5sum'ing the new database...")"
-mkdir "$dbroot.new"
-bsdtar -xpf "$workdir/pacman-db.tar.gz" -C "$dbroot.new"
+mkdir "$localdb.new"
+bsdtar -xpf "$workdir/pacman-db.tar.gz" -C "$localdb.new"
 if (( $? )); then
        rm -rf "$workdir"
-       die_r "$(gettext "Untar'ing %s failed.")" "$dbroot"
+       die_r "$(gettext "Untar'ing %s failed.")" "$localdb"
 # immediate sync following extraction should get it written continuously on HDD
 msg "$(gettext "Syncing database to disk...")"
-find "$dbroot.new" -type f | sort | \
-		xargs md5sum | sed 's#.new##' > "$workdir/pacsums.new"
+(cd "$localdb.new" && find . -type f -print0 | \
+	xargs -0 openssl dgst -md5 | sort > "$workdir/pacsums.new")
 # step 4: compare the sums
 msg "$(gettext "Checking integrity...")"
-diff "$workdir/pacsums.old" "$workdir/pacsums.new" >/dev/null 2>&1
-if (( $? )); then
+read -ra old_dgst < <(openssl dgst -md5 < "$workdir/pacsums.old")
+read -ra new_dgst < <(openssl dgst -md5 < "$workdir/pacsums.new")
+if [[ ${old_dgst[@]:(-1)} != ${new_dgst[@]:(-1)} ]]; then
 	# failed
 	# leave our pacman-optimize tmpdir for checking to see what doesn't match up
-	rm -rf "$dbroot.new"
+	rm -rf "$localdb.new"
 	die_r "$(gettext "Integrity check FAILED, reverting to old database.")"
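Review bot: The comparison `if [[ ${old_dgst[@]:(-1)} != ${new_dgst[@]:(-1)} ]]` can pass vacuously, because neither `find … | xargs -0 openssl dgst -md5 | sort` subshell has its exit status checked and a pipeline reports only the status of `sort`. If `openssl` fails the same way for both trees (for instance when the md5 digest is unavailable in the installed build), both sum files come out empty and the two digests, or two empty arrays, compare equal, so the script would go on to rotate an unverified copy into place. Reject empty results explicitly, e.g. `if [[ ! -s $workdir/pacsums.old || -z ${old_dgst[*]:(-1)} || "${old_dgst[*]:(-1)}" != "${new_dgst[*]:(-1)}" ]]; then`, and ideally run each summing subshell with `set -o pipefail` and `die_r` on a non-zero status. Quoting the right-hand side also keeps `[[ != ]]` from treating it as a glob pattern.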
@@ -156,15 +157,15 @@ fi
 msg "$(gettext "Rotating database into place...")"
-mv "$dbroot" "$dbroot.old" || fail=1
-mv "$dbroot.new" "$dbroot" || fail=1
-chmod --reference="$dbroot.old" "$dbroot" || fail=1
-chown --reference="$dbroot.old" "$dbroot" || fail=1
+mv "$localdb" "$localdb.old" || fail=1
+mv "$localdb.new" "$localdb" || fail=1
+chmod --reference="$localdb.old" "$localdb" || fail=1
+chown --reference="$localdb.old" "$localdb" || fail=1
 if (( fail )); then
 	# failure with our directory shuffle
-	die_r "$(gettext "New database substitution failed. Check for $dbroot,\n$dbroot.old, and $dbroot.new directories.")"
+	die_r "$(gettext "New database substitution failed. Check for %s, %s, and %s directories.")" "$localdb" "$localdb.old" "$localdb.new"
-rm -rf "$dbroot.old"
+rm -rf "$localdb.old"
 # remove the lock file and our working directory with sums and tarfile
 rm -f "$lockfile"
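Review bot: The rotation keeps going after a failed step, because `mv "$localdb" "$localdb.old" || fail=1` is followed unconditionally by `mv "$localdb.new" "$localdb" || fail=1`. If the first rename fails, `$localdb` still exists as a directory, so the second `mv` nests the new tree inside the live database instead of replacing it, and `chmod`/`chown --reference` then run against a missing `$localdb.old`. This ordering is carried over from the `$dbroot` version, but chaining the steps would stop at the first failure: `mv "$localdb" "$localdb.old" && mv "$localdb.new" "$localdb" && chmod --reference="$localdb.old" "$localdb" && chown --reference="$localdb.old" "$localdb" || fail=1`. The closing `fi` of the `if (( fail ))` block is not visible in this hunk.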
