The situation I am facing: I set up a CentOS 5.9 machine that is supposed to be as close as possible a copy of another CentOS 5.9 machine, but not a clone. Using yum, I installed (as far as possible) all packages on the target machine that are also installed on the source machine (as reported by yum list installed and rpm -qa). Afterwards I used md5deep to find files that are still missing on the target machine. I found a lot more missing files than I expected and thereby discovered my current problem.
On both the target & source machines the package traceroute-3:2.0.1-6.el5.i386 is installed (says yum list installed). On both machines repoquery --info --show-duplicates traceroute lists only this version of the package and tells me that it can be found in the base-repository. On both machines rpm -ql traceroute-2.0.1-6.el5.i386 lists the same files. On both machines rpm -V traceroute-2.0.1-6.el5.i386 tells me that the installation went well (no files modified/missing). A quick look into traceroute-2.0.1-6.el5.i386.rpm shows only a binary file (/bin/traceroute), symlinks and documentation, so I don't expect compilation to take place when i install that package (but I'm not an RPM expert and it was only quick look, not a thorough examination). file /bin/traceroute tells me /bin/traceroute: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped on both machines. /bin/traceroute has the same size on both machines.
And yet, when I execute md5sum /bin/traceroute on both machines, I get different results. xxd & diff show that several dozen bytes differ and the differences seem to be in the actual code (have not disassembled them yet, but the changed parts are not human readable strings). traceroute is just one random example, there are several dozen more differing files in /bin, /sbin & /lib.
Any idea what is going on? I was always under the impression that installing the same package twice would result in exactly the same files as long as compilation/editing was not part of the installation. At the least I was hoping that rpm -V would tell me about files that have been tampered with. It would help if yum had a facility to tell me from what repository it downloaded the RPM-file, but to the best of my knowledge this facility does not exist in my version of yum (3.2.22). To be clear: repoquery does not tell me what repository a package has been downloaded from, it only tells me where it is available. If the same package is available in 2 or more enabled repositories, repoquery lists all packages. Yum can decide which of the duplicates it wants and it does not seem to record this decision in any log files.
Best Answer
I've run in to this before on a RHEL distro. A smarter man than me identified the source of the behavior: prelink
To test it, run the following on both your systems which previously identified different hashes and compare the output.