From owner-freebsd-arch Wed Mar 14 1:27:34 2001 Delivered-To: freebsd-arch@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 2CDD937B718 for ; Wed, 14 Mar 2001 01:27:31 -0800 (PST) (envelope-from roam@orbitel.bg) Received: (qmail 77477 invoked by uid 1000); 14 Mar 2001 09:26:51 -0000 Date: Wed, 14 Mar 2001 11:26:51 +0200 From: Peter Pentchev To: freebsd-arch@FreeBSD.ORG Subject: Re: [PATCH] add a SITE MD5 command to ftpd Message-ID: <20010314112651.C23104@ringworld.oblivion.bg> Mail-Followup-To: freebsd-arch@FreeBSD.ORG References: <20010313211544.B17733@ringworld.oblivion.bg> <200103140459.VAA03061@usr05.primenet.com> <20010314084651.A23104@ringworld.oblivion.bg> <20010314012132.A91957@dragon.nuxi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010314012132.A91957@dragon.nuxi.com>; from TrimYourCc@NUXI.com on Wed, Mar 14, 2001 at 01:21:33AM -0800 Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, Mar 14, 2001 at 01:21:33AM -0800, David O'Brien wrote: > On Wed, Mar 14, 2001 at 08:46:51AM +0200, Peter Pentchev wrote: > > > > I know that adding a ``SITE MD5 filename'' command to our ftpd > > > > is a *very* little step in a possibly wrong direction (this will > ..snip.. > > This is NOT meant as a replacement for the local security check > > that is there for a very good reason. It is only meant to > > provide some kind of an 'early warning' in those rare, but VERY > > annoying cases when the distributors reroll the dist tarballs > > without a version number bumping. If the distributor wants to > > fool the FreeBSD Ports collection by using an ftpd that pretends > > to support this, yet does not, then we're absolutely no worse > > than we are now - the notification for changed checksums only > > comes when somebody tries to build the port and ends up sending > > a PR instead. > > Perhaps you should fill in the details then. First you say > "SITE MD5 filename" will keep us from having to download a binary to > check it. Then that the check will not really be used for anything. > So _exactly_ how do you propose this feature to be used? Only by the > fenner script? If so, I think we can provide suffient bandwidth for that > w/o this "feature". > > How will a site that pretends to have this capability yet does not; not > make things worse than today? The only way for that to be the case is > for nothing/one to trust the result of "SITE MD5 filename" for *any* > purpose. If that is the case, why have the "feature"? Yes, this is only intended for fenner-like scripts, with the added benefit that a server-side MD5 checksum calculation would give individual port maintainers the ability to easily check their own ports often. G'luck, Peter -- Do you think anybody has ever had *precisely this thought* before? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message