From owner-freebsd-ports@FreeBSD.ORG  Sun Jan 28 03:18:33 2007
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
X-Original-To: ports@freebsd.org
Delivered-To: freebsd-ports@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 444DC16A401
	for <ports@freebsd.org>; Sun, 28 Jan 2007 03:18:33 +0000 (UTC)
	(envelope-from pauls@utdallas.edu)
Received: from mail.stovebolt.com (mail.stovebolt.com [66.221.101.249])
	by mx1.freebsd.org (Postfix) with ESMTP id F175C13C49D
	for <ports@freebsd.org>; Sun, 28 Jan 2007 03:18:32 +0000 (UTC)
	(envelope-from pauls@utdallas.edu)
Received: from [192.168.2.102] (adsl-65-69-141-175.dsl.rcsntx.swbell.net
	[65.69.141.175])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.stovebolt.com (Postfix) with ESMTP id E3380114307;
	Sat, 27 Jan 2007 21:11:00 -0600 (CST)
Date: Sat, 27 Jan 2007 21:18:29 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: "Freebsd Ports: Archivers" <ports@freebsd.org>, aquatique-ports@rambler.ru
Message-ID: <2A54A37FBF8B6E7EE4DEAA5F@paul-schmehls-powerbook59.local>
In-Reply-To: <20070128024514.GA79142@atarininja.org>
References: <3B27E5D772A78D81D72D9420@paul-schmehls-powerbook59.local>
	<20070128014441.GA76439@atarininja.org>
	<D2F9DABD9A545B74551F4D18@paul-schmehls-powerbook59.local>
	<20070128024514.GA79142@atarininja.org>
X-Mailer: Mulberry/4.0.7b1 (Mac OS X)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha1;
	protocol="application/pkcs7-signature";
	boundary="==========91DE01B72790A07D6CA8=========="
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: security@silcnet.org
Subject: Re: Problem with devel/silc-toolkit
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jan 2007 03:18:33 -0000

--==========91DE01B72790A07D6CA8==========
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

--On January 27, 2007 9:45:14 PM -0500 Wesley Shields <wxs@atarininja.org> =

wrote:
>
> It passes the checksums for me:
>
> wxs@syn silc-toolkit > sudo make checksum
> =3D=3D=3D> Define WITHOUT_IPV6 to disable IPv6 support
> =3D=3D=3D> Define WITHOUT_OPTIMIZED_ASM to disable assembler =
optimizations
> =3D=3D=3D> Define WITH_PTHREADS to enable pthreads support
>
> =3D=3D=3D> Define WITH_OPTIMIZED_CFLAGS to enable compilation =
optimizations
> =3D=3D=3D> which is known to break some platforms (e.g., alpha)
> =3D=3D=3D>  Vulnerability check disabled, database not found
> =3D> silc-toolkit-1.0.2.tar.bz2 doesn't seem to exist in
> /usr/ports/distfiles/.
> =3D> Attempting to fetch from
> http://www.silcnet.org/download/toolkit/sources/.
> silc-toolkit-1.0.2.tar.bz2                    100% of 2485 kB  138 kBps
> 00m00s
> =3D> MD5 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
> =3D> SHA256 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
> wxs@syn silc-toolkit >
>
make checksum works here as well:
root@utd59514# make checksum
=3D=3D=3D> Define WITHOUT_IPV6 to disable IPv6 support
=3D=3D=3D> Define WITHOUT_OPTIMIZED_ASM to disable assembler optimizations
=3D=3D=3D> Define WITH_PTHREADS to enable pthreads support

=3D=3D=3D> Define WITH_OPTIMIZED_CFLAGS to enable compilation =
optimizations
=3D=3D=3D> which is known to break some platforms (e.g., alpha)
=3D> MD5 Checksum OK for silc-toolkit-1.0.2.tar.bz2.
=3D> SHA256 Checksum OK for silc-toolkit-1.0.2.tar.bz2.

I just downloaded it to my Mac here at home, and it doesn't pass the=20
checksum here either:
paul-schmehls-powerbook59:~/Desktop pauls$ md5sum=20
silc-toolkit-1.0.2.tar.bz2
5e80212669182d986957d6d6af724c8b  silc-toolkit-1.0.2.tar.bz2

<http://www.silcnet.org/download/toolkit/sources/silc-toolkit-1.0.2.tar.bz2=
.md5>
869ce01349444a28fbace3c1bfe745ff  silc-toolkit-1.0.2.tar.bz2

The md5sum of the file I just downloaded doesn't match what they have on=20
their website.

Can you post the contents of your distinfo file please?

cat distinfo
MD5 (silc-toolkit-1.0.2.tar.bz2) =3D 869ce01349444a28fbace3c1bfe745ff
SHA256 (silc-toolkit-1.0.2.tar.bz2) =3D=20
45b289f2c328378e5fbdfc394ff71cbb66ef7c4fdc882185dbeeb08b28d25c7a
SIZE (silc-toolkit-1.0.2.tar.bz2) =3D 2545183

The size of the file doesn't match the distinfo file *or* what they have=20
on their website:
ls -lsa silc-toolkit-1.0.2.tar.bz2
2944 -rw-r--r--   1 pauls  pauls  1505460 Jan 27 21:06=20
silc-toolkit-1.0.2.tar.bz2

<http://www.silcnet.org/software/download/toolkit/>
tar.bz2  	1.0.2  	2485 kB   	HTTP  	FTP  	MD5

Clearly, something is wrong.  I'm not saying that it's been compromised,=20
but we do md5 and sha256 checksums for a reason.

I do not think this is a local problem.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

--==========91DE01B72790A07D6CA8==========--