Date: Wed, 25 Jan 2006 20:35:48 -0500
From: Kris Kennaway <kris@obsecurity.org>
To: Peter Jeremy <PeterJeremy@optushome.com.au>
Cc: cvs-ports@freebsd.org, ports-committers@freebsd.org, Edwin Groothuis <edwin@freebsd.org>, cvs-all@freebsd.org, Kris Kennaway <kris@obsecurity.org>
Subject: Re: cvs commit: ports/Tools/scripts distinfochecker
Message-ID: <20060126013548.GC57519@xor.obsecurity.org>
In-Reply-To: <20060126012822.GM25397@cirb503493.alcatel.com.au>
References: <200601242153.k0OLrpJQ065888@repoman.freebsd.org> <20060125233838.GA50579@xor.obsecurity.org> <20060126012822.GM25397@cirb503493.alcatel.com.au>
On Thu, Jan 26, 2006 at 12:28:22PM +1100, Peter Jeremy wrote:
> On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
> >AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
> >have different versions of the distfile that are functionally
> >identical. Duplicate SIZE causes errors though (arguably a bug).
>
> Different, but functionally identical, versions of a distfile are
> highly likely to also have different sizes. If you're going to allow
> different checksums, you need to allow for different sizes as well.

Yeah, currently you'd have to drop the size checking (which is mostly
just an optimization to avoid downloading changed/corrupted versions).

> Doing this without opening potential security holes means changing the
> distfiles entries to be tuples of {filename,size,md5,sha-256} (where
> anything except the filename is optional). A downloaded file would
> have to completely match one of the tuples for it to be acceptable.
>
> How many cases are there where there are multiple, equivalent,
> versions of distfiles on the net?

A distfile somewhere in the ports collection changes checksum about
once a week or so. I don't have data on how often the above situation
(different versions on different sites) occurs, but it must occur
occasionally when the software mirror sites are not quick to update.

Kris
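One way to implement the whole-tuple rule Peter proposes, as an added example that is not code from the ports tree or from anyone in this thread; it contrasts it with the weaker field-by-field check that would accept a file whose size and hashes each match some entry but no single one. The repeated-entry distinfo layout, the sample distfile contents and all function names are assumptions.

```python
import hashlib
import re

# Constructed sample: two functionally equivalent versions of one distfile,
# as might be served by mirrors that updated at different times.
VERSION_A = b"foo-1.0 tarball as first published\n"
VERSION_B = b"foo-1.0 tarball re-rolled by upstream\n"
FIELDS = ("size", "md5", "sha256")
LINE_RE = re.compile(r"^(MD5|SHA256|SIZE) \((\S+)\) = (\S+)$")

def fingerprint(data: bytes) -> dict:
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

# Hypothetical tuple-style distinfo (assumed, not the real ports format): a file
# may be listed several times; repeating a field already set for it starts a new tuple.
SAMPLE_DISTINFO = "".join(
    f"MD5 (foo-1.0.tar.gz) = {fp['md5']}\nSHA256 (foo-1.0.tar.gz) = {fp['sha256']}\n"
    f"SIZE (foo-1.0.tar.gz) = {fp['size']}\n"
    for fp in (fingerprint(VERSION_A), fingerprint(VERSION_B)))

def parse_distinfo(text: str) -> list:
    """Return a list of tuples, each a dict with 'filename' plus any of FIELDS."""
    entries, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        kind, name, value = m.groups()
        key = kind.lower()
        if current.get("filename") != name or key in current:
            if current:
                entries.append(current)
            current = {"filename": name}
        current[key] = int(value) if kind == "SIZE" else value.lower()
    if current:
        entries.append(current)
    return entries

def accept_tuple(entries: list, filename: str, fp: dict) -> bool:
    """Peter's rule: the file must completely match one tuple (unset fields are optional)."""
    return any(e["filename"] == filename and all(e.get(k) in (None, fp[k]) for k in FIELDS)
               for e in entries)

def accept_fieldwise(entries: list, filename: str, fp: dict) -> bool:
    """Weak rule for contrast: each field only has to match *some* entry for the file."""
    for k in FIELDS:
        known = {e[k] for e in entries if e["filename"] == filename and k in e}
        if known and fp[k] not in known:
            return False
    return True
```

A fingerprint that borrows the md5 of one entry and the size and sha256 of another passes `accept_fieldwise` but not `accept_tuple`, which is the hole the tuple rule closes.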