From: Lowell Gilbert
To: freebsd-ports@freebsd.org
Subject: Re: FTP packages missing CHECKSUM.MD5
Date: Fri, 12 Apr 2013 07:49:20 -0400
In-Reply-To: grarpamp@gmail.com's message of "Thu, 11 Apr 2013 14:15:50 -0400"
Message-ID: <44ehegarzz.fsf@lowell-desk.lan>

grarpamp writes:

> Noticed that at least ports/i386/packages-9-stable is missing
> its CHECKSUM.MD5 file.
>
> Of course people shouldn't use it for what they think it's for,
> because it's not signed and uses a broken hash function.
> Hopefully that will be updated to signed sha1/256/3 before long.

It was intended as a defense against accidental file corruption, not malicious file corruption. For a variety of reasons, this is much less of a problem than it used to be, but I wouldn't assume that it's irrelevant to everyone.

Secure checksums for protection against malicious modifications are a different problem, and should be handled with more automatic means, much as portsnap does.

> However it does make for a good 'TIMESTAMP' file to detect when
> new packages appear. Ftp's internal or external 'ls -tT' can't be counted
> on for this across mirrors because such options to ls are mirror dependent.
> And there's no simple way to locally sort the ftp list output by date
> without rigging in perl, etc. And an overwrite of the same file may not
> stamp the parent directory, which also doesn't appear reliably '.' while
> in the current directory.
>
> In short, I'd suggest making a formal TIMESTAMP file for when package
> updates are pushed out so people can key off that instead.

Pretty easy and cheap. Makes sense as well.
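As an added illustration of the distinction drawn in the reply (example code, not from the thread or from FreeBSD): a small Python checker for a CHECKSUM.MD5-style manifest that catches a truncated or missing download but, being unsigned, says nothing about who produced the manifest. It assumes the BSD md5(1) line format `MD5 (file) = hex`; the package names and bytes are constructed.

```python
import hashlib
import re

# Assumed manifest layout: one BSD md5(1)-style line per package,
# "MD5 (filename) = <32 hex digits>"; blank lines are ignored.
MANIFEST_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_manifest(text):
    """Return {filename: expected_md5_hex}; raise on lines that do not match."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a CHECKSUM.MD5 entry: {line!r}")
        expected[m["name"]] = m["digest"].lower()
    return expected


def verify(manifest_text, files):
    """Compare each manifest entry against files ({name: bytes}).

    Returns {name: "ok" | "corrupt" | "missing"}. A mismatch only means the
    bytes differ from what the manifest author hashed (accidental corruption);
    nothing here is signed, so a matching digest does not authenticate the file.
    """
    result = {}
    for name, digest in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            result[name] = "missing"
        elif hashlib.md5(data).hexdigest() == digest:
            result[name] = "ok"
        else:
            result[name] = "corrupt"
    return result


def build_manifest(files):
    """Emit manifest text in the same format (used only to construct the sample)."""
    return "\n".join(f"MD5 ({n}) = {hashlib.md5(d).hexdigest()}" for n, d in sorted(files.items())) + "\n"


# Constructed sample: two fake package archives, not real FreeBSD packages.
SAMPLE_FILES = {"pkg-a-1.0.tbz": b"fake archive a" * 100, "pkg-b-2.1.tbz": b"fake archive b" * 100}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)


def demo():
    """Truncated download -> "corrupt"; absent file -> "missing"."""
    damaged = dict(SAMPLE_FILES)
    damaged["pkg-a-1.0.tbz"] = damaged["pkg-a-1.0.tbz"][:-1]
    del damaged["pkg-b-2.1.tbz"]
    return verify(SAMPLE_MANIFEST, damaged)
```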