duplicity-talk

Re: [Duplicity-talk] Incremental backup when data changes but timestamp


From: Nate Eldredge
Subject: Re: [Duplicity-talk] Incremental backup when data changes but timestamp does not
Date: Sun, 14 May 2023 11:28:14 -0600 (MDT)

On Sun, 14 May 2023, Kenneth Loafman via Duplicity-talk wrote:

> Nate,
>
> I agree with @ede on this one.  It's too much of an edge case to mess
> with.  Why someone would put out a different package with files of the same
> name, size, and mtime smells of malware to me. I'd be suspicious of the
> package and not even try to back it up.  What is it from / for?

Sure. Fetch and unpack the following two deb packages using `dpkg-deb -x`. They are official Ubuntu main packages for 22.10 and 23.04 respectively, and they passed all the usual apt hash/signature verifications, so should be legit.

https://mirrors.kernel.org/ubuntu/pool/main/m/mysql-8.0/mysql-client-core-8.0_8.0.33-0ubuntu0.22.10.1_amd64.deb
https://mirrors.kernel.org/ubuntu/pool/main/m/mysql-8.0/mysql-client-core-8.0_8.0.33-0ubuntu0.23.04.1_amd64.deb

After unpacking you can ls --full-time and see:

-rwxr-xr-x 1 nate nate 6961336 2023-04-21 08:17:04.000000000 -0600 ./22.10/usr/bin/mysql
-rwxr-xr-x 1 nate nate 6961336 2023-04-21 08:17:04.000000000 -0600 ./23.04/usr/bin/mysql

But their md5sums:

ea523ffa72478689e44eecf820639f97  ./22.10/usr/bin/mysql
29a317295fdd63836d05a3440c4fe0e6  ./23.04/usr/bin/mysql

The package maintainer probably fired off builds of mysql-8.0_8.0.33-0ubuntu0 for all current Ubuntu versions in parallel, and so it's not surprising that by luck, the corresponding mysql binaries got built within the same second. It's also not surprising that differing compiler and library versions would result in the files being different but having the same size (things like code/data alignment would hide adding or removing a byte here or there).

So, this will bite everyone like me who had mysql-client-core-8.0 installed on an Ubuntu 22.10 system, which they then upgraded via the normal do-release-upgrade to 23.04. Nothing unusual at all.

In fact, duplicity's own packages come very close to the same issue: fetch

https://code.launchpad.net/~duplicity-team/+archive/ubuntu/duplicity-release-git/+files/duplicity_1.2.3-ppa202305091626~ubuntu22.10.1_amd64.deb
https://code.launchpad.net/~duplicity-team/+archive/ubuntu/duplicity-release-git/+files/duplicity_1.2.3-ppa202305091626~ubuntu23.04.1_amd64.deb

and notice:

-rw-r--r-- 1 nate nate 276 2023-05-09 10:34:42.000000000 -0600 ./dup22.10/usr/share/doc/duplicity/changelog.Debian.gz
-rw-r--r-- 1 nate nate 274 2023-05-09 10:34:41.000000000 -0600 ./dup23.04/usr/share/doc/duplicity/changelog.Debian.gz

If your computer were just a little faster, and your gzip compression just a little luckier, they could easily both have coincided.

--
Nate Eldredge
nate@thatsmathematics.com
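
Added example, not part of the original message and not duplicity code: a Python check that walks two unpacked trees and reports files whose size and mtime match while their contents differ, which is the case described above that a comparison on name, size and mtime would skip. The function names, the sample trees and the whole-second mtime comparison are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, bufsize=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()

def silent_changes(old_root, new_root):
    """Relative paths whose size and mtime match in both trees but whose bytes differ."""
    missed = []
    for dirpath, _dirs, files in os.walk(old_root):
        for name in files:
            old = os.path.join(dirpath, name)
            rel = os.path.relpath(old, old_root)
            new = os.path.join(new_root, rel)
            if os.path.islink(old) or os.path.islink(new) or not os.path.isfile(new):
                continue
            so, sn = os.stat(old), os.stat(new)
            # Assumption: mtime is compared at whole-second resolution.
            same_meta = so.st_size == sn.st_size and int(so.st_mtime) == int(sn.st_mtime)
            if same_meta and sha256_of(old) != sha256_of(new):
                missed.append(rel)
    return sorted(missed)

def build_demo(root):
    """Write constructed sample trees (not the Ubuntu packages from the post)."""
    stamp = 1682086624  # constructed timestamp
    layout = {
        "22.10/usr/bin/tool": (b"A" * 64, stamp),  # same size and mtime, new bytes
        "23.04/usr/bin/tool": (b"B" * 64, stamp),
        "22.10/usr/share/doc/changelog.gz": (b"x" * 276, stamp + 1),  # metadata differs
        "23.04/usr/share/doc/changelog.gz": (b"y" * 274, stamp),
        "22.10/etc/same.conf": (b"k=v\n", stamp),  # identical in both trees
        "23.04/etc/same.conf": (b"k=v\n", stamp),
    }
    for rel, (data, mtime) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return os.path.join(root, "22.10"), os.path.join(root, "23.04")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(silent_changes(*build_demo(tmp)))
```

Pointing `silent_changes` at the two directories produced by `dpkg-deb -x` lists every file in that situation, not only the one spotted by hand.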



