Date:      Wed, 14 Mar 2001 11:26:51 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        freebsd-arch@FreeBSD.ORG
Subject:   Re: [PATCH] add a SITE MD5 command to ftpd
Message-ID:  <20010314112651.C23104@ringworld.oblivion.bg>
In-Reply-To: <20010314012132.A91957@dragon.nuxi.com>; from TrimYourCc@NUXI.com on Wed, Mar 14, 2001 at 01:21:33AM -0800
References:  <20010313211544.B17733@ringworld.oblivion.bg> <200103140459.VAA03061@usr05.primenet.com> <20010314084651.A23104@ringworld.oblivion.bg> <20010314012132.A91957@dragon.nuxi.com>

On Wed, Mar 14, 2001 at 01:21:33AM -0800, David O'Brien wrote:
> On Wed, Mar 14, 2001 at 08:46:51AM +0200, Peter Pentchev wrote:
> > > > I know that adding a ``SITE MD5 filename'' command to our ftpd
> > > > is a *very* little step in a possibly wrong direction (this will
> ..snip..
> > This is NOT meant as a replacement for the local security check
> > that is there for a very good reason.  It is only meant to
> > provide some kind of an 'early warning' in those rare, but VERY
> > annoying cases when the distributors reroll the dist tarballs
> > without a version number bumping.  If the distributor wants to
> > fool the FreeBSD Ports collection by using an ftpd that pretends
> > to support this, yet does not, then we're absolutely no worse
> > than we are now - the notification for changed checksums only
> > comes when somebody tries to build the port and ends up sending
> > a PR instead.
> 
> Perhaps you should fill in the details then.  First you say
> "SITE MD5 filename" will keep us from having to download a binary to
> check it.  Then that the check will not really be used for anything.
> So _exactly_ how do you propose this feature to be used?  Only by the
> fenner script?  If so, I think we can provide sufficient bandwidth for that
> w/o this "feature".
> 
> How will a site that pretends to have this capability yet does not; not
> make things worse than today?  The only way for that to be the case is
> for nothing/one to trust the result of "SITE MD5 filename" for *any*
> purpose.  If that is the case, why have the "feature"?

Yes, this is only intended for fenner-like scripts, with the added benefit
that a server-side MD5 checksum calculation would give individual port
maintainers the ability to easily check their own ports often.

G'luck,
Peter

-- 
Do you think anybody has ever had *precisely this thought* before?
