From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-ports@freebsd.org
Date: Tue, 18 Jun 2013 09:07:28 +0100
Message-ID: <51C01540.4030009@freebsd.org>
Subject: Re: distfile fetching vs ISP "site-help" spoofing: any suggestions?
In-Reply-To: <20130618050713.GA27806@johnny.reilly.home>

On 18/06/2013 06:07, Andrew Reilly wrote:
> I've just tried to portupgrade after a three-month hiatus and noticed a problem with the libgcrypt distfile
> checksum that didn't go away after my usual strategy of waiting for a couple of days,
> re-syncing the ports tree and trying again. Closer inspection and a hint from a Google search
> revealed that the first-level problem is that the wrong file had been fetched: it was a short
> HTML file, rather than the expected tar.bz2 file. How did that happen? Apparently my ISP
> (Bigpond, in Australia) has recently turned on a "site-helper" mechanism that spoofs any site
> for which a DNS lookup fails. That is, there are now no "missing" or expired sites. In this
> case, the first item in the ports/Mk/bsd.sites.mk list used by the security/libgcrypt Makefile
> is gnupg.org.favoritelinks.net which does not (any longer?) resolve.

Your ISP is screwing you over. Complain, loudly. Vote with your feet.

There was a big to-do about this sort of behaviour around the BIND community a few years ago, and the overwhelming consensus was that not returning NXDOMAIN for a non-existent domain was simply wrong and an evil plot to monetize people's inaccurate typing.
> I've arranged to proceed by deleting the line in bsd.sites.mk, which allowed the fetch to
> succeed. This seems a bit lame though, because perhaps that site will come back one day.
> Seems like a fragile, non-scaling approach.
>
> It might be possible to subvert my ISP's evil helpfulness by pointing my DNS requests further
> upstream, but that might prevent the government from blocking my access to things it considers
> distasteful, and I'm not sure I want to go there just yet.

Run your own recursive resolver instance. The default config for named in base is set up for this: pretty much all you need to do is turn on named and modify /etc/resolv.conf to say 'localhost' for your nameserver. Or use the Google nameservers -- 8.8.8.8 and 8.8.4.4.

> Anyone have any suggestions or best practices?
>
> Should I try to raise a PR against bsd.sites.mk or security/libgcrypt?

No, don't do that. There's nothing wrong with bsd.sites.mk. The problem here is local to your site / ISP, and that's where you should look for a solution.

Cheers,

Matthew
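The two things the thread describes, a resolver that rewrites NXDOMAIN into a "site-helper" address and the HTML page that then lands on disk where a tar.bz2 was expected, can both be checked locally. The following is an added example, not code from the thread or from the ports tree: it resolves random names that cannot exist (an honest resolver returns nothing for them) and classifies a fetched file by its leading bytes. All function names are my own, and the sample bytes are constructed.

```python
import random
import socket
import string

# Added example: probe names, helper names and sample data are constructed, not from the thread.

def random_nonexistent_name(tld="com"):
    """A random label that cannot plausibly exist; an honest resolver answers NXDOMAIN."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"nx-probe-{label}.{tld}"

def system_resolve(name):
    """Resolve through the system resolver (/etc/resolv.conf on FreeBSD).
    Returns the addresses found, or an empty list on NXDOMAIN or any other failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def detect_nxdomain_rewriting(resolve=system_resolve, probes=3):
    """Resolve several random non-existent names and collect any addresses returned.
    Empty set: NXDOMAIN is passed through. Non-empty set: something upstream (an ISP
    'site-helper', a captive portal) rewrites NXDOMAIN into its own address."""
    bogus = set()
    for _ in range(probes):
        bogus.update(resolve(random_nonexistent_name()))
    return bogus

# Leading bytes of the archive formats distfiles normally come in.
ARCHIVE_MAGIC = {b"BZh": "bzip2", b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz"}

def classify_distfile(data):
    """Tell what was actually fetched: an archive type, 'html', or 'unknown'."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: what a spoofed "distfile" looks like on disk.
    spoofed = b"<!DOCTYPE html><html><head><title>Search results</title></head></html>"
    print("fetched file is:", classify_distfile(spoofed))
    hijacked = detect_nxdomain_rewriting()
    print("NXDOMAIN rewritten to:", sorted(hijacked) or "nothing (resolver is honest)")
```

Running it against the local resolver before and after switching /etc/resolv.conf to the named instance shows whether the rewriting has gone away.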