Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 04 Oct 2013 13:12:33 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        Ruslan Makhmatkhanov <cvs-src@yandex.ru>
Cc:        rm@FreeBSD.org, freebsd-ports@freebsd.org
Subject:   Re: Port build failure -- security/hydra
Message-ID:  <92711.1380917553@server1.tristatelogic.com>
In-Reply-To: <524F179D.8030603@yandex.ru>

next in thread | previous in thread | raw e-mail | index | archive | help

Oh geeezzzzzzz!  Things are even more screwed up with the hydra port
that I thought!

I mentioned in my prior e-mail that the size of the hydra-7.5.tar.gz
file being reported by essentially all of the mirrors that are coded
into the current hydra port is in fact 681552... *not* 681784 bytes,
which is apparently what the port is expecting and demanding.

However it appears that there is *one* and *only one* source for
the hydra-7.5.tar.gz distribution file where the size of the file
*is* in fact 681784 bytes, and that is:

   https://www.thc.org/releases/hydra-7.5.tar.gz

but this is the site that apparently has its SSL certificates screwed up!

Geeeezzzz!  How worrisome is it to be fetching a piece of "security"
software from a site that can't even manage to get its own SSL certs
set up or maintained properly??

How worrisome is it to be doing that when *every* other copy of the
relevant source tarball *everywhere* else on the net has a different
size??

OK, so being curious, I got *both* one of the 681552 sized copies
of this file and also one of the 681784 sized copies, and I unpacked
them both and ran "diff -rc2".  The results are attached below.
Clearly, the bizzare and unexpected size differences are *not* due
to any any sneeky corruption of the source tarball.  However it is
equally apparent that _somebody_ has been fiddling with the contents
of the source tarball *without* bothering to change the version number
on that.

(I don't generally believe in castration as a punishment for crimes
against humanity, but I make an exception in such cases, because there
is no excuse for this kind of shoddy workmanship.  Even if the only
change is a single comma, different versions need different numbers.)

So, um, will the real hydra-7.5.tar.gz file please stand up?


============================================================================
diff -rc2 tmp0/hydra-7.5/LICENSE tmp1/hydra-7.5/LICENSE
*** tmp0/hydra-7.5/LICENSE	2013-08-02 04:35:56.000000000 -0700
--- tmp1/hydra-7.5/LICENSE	2013-08-06 07:42:44.000000000 -0700
***************
*** 1,2 ****
--- 1,7 ----
+ [see the end of the file for the special exception for linking with OpenSSL
+  - debian people need this]
+ 
+ 
+ 
                      GNU AFFERO GENERAL PUBLIC LICENSE
                         Version 3, 19 November 2007
***************
*** 660,661 ****
--- 665,683 ----
  For more information on this, and how to apply and follow the GNU AGPL, see
  <http://www.gnu.org/licenses/>.
+ 
+ 
+ Special Exception
+ 
+  * In addition, as a special exception, the copyright holders give
+  * permission to link the code of portions of this program with the
+  * OpenSSL library under certain conditions as described in each
+  * individual source file, and distribute linked combinations
+  * including the two.
+  * You must obey the GNU Affero General Public License in all respects
+  * for all of the code used other than OpenSSL.  If you modify
+  * file(s) with this exception, you may extend this exception to your
+  * version of the file(s), but you are not obligated to do so.  If you
+  * do not wish to do so, delete this exception statement from your
+  * version.  If you delete this exception statement from all source
+  * files in the program, then also delete it here.
+ 
diff -rc2 tmp0/hydra-7.5/hydra.1 tmp1/hydra-7.5/hydra.1
*** tmp0/hydra-7.5/hydra.1	2013-08-02 04:35:56.000000000 -0700
--- tmp1/hydra-7.5/hydra.1	2013-08-06 00:27:33.000000000 -0700
***************
*** 94,98 ****
  defines the max wait time in seconds for responses (default: 32)
  .TP
! .B \-w TIME
  defines a wait time between each connection a task performs. This usually
  only makes sense if a low task number is used, .e.g \-t 1
--- 94,98 ----
  defines the max wait time in seconds for responses (default: 32)
  .TP
! .B \-W TIME
  defines a wait time between each connection a task performs. This usually
  only makes sense if a low task number is used, .e.g \-t 1
Files tmp0/hydra-7.5.tar.gz and tmp1/hydra-7.5.tar.gz differ



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?92711.1380917553>