Date: Mon, 22 Sep 2008 22:33:25 +0200
From: Max Laier <max@love2party.net>
To: freebsd-current@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: cosum: Checkout verification PoC
Message-ID: <200809222233.26053.max@love2party.net>
Hi,

the attached script will generate md5 and sha256 checksums of a checkout and try to find the corresponding svn-revision. This can help to verify that your checkout from cvsupX.yy.freebsd.org is authentic. Not that there is reason to believe that we have compromised cvsup-servers. This is just something I've been toying with and wanted to let you know to see if people find the idea interesting. I'd also be interested in reviews of the concept (note that I know that https would be a good idea, I just cba to set up a certificate).

The coverage currently is head and stable/{6,7} svn revision 179451:183186 (i.e. since the first svn commit up to "2008-09-19 16:51:41 +0200"). I don't yet have a cronjob in place to generate new checksums, so this will become less useful quickly. If people do find it interesting, however, I could certainly roll something.

As you can see, the script is ready to checksum cvs and svn checkouts. If you obtain your checkout from some local git/hg/svk/... mirror you must modify the find excludes accordingly.

Let me know what you think.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: cosum (text/plain)

#!/bin/sh
# cosum - checksum a cvs/svn checkout and look up the matching svn revision.
BASEURL="http://laiers.net/cosum/data/md5"

tempfoo=$(basename "$0")
TMPFILE=$(mktemp -t "${tempfoo}") || exit 1
# Remove the downloaded record again, whichever way the script exits.
trap 'rm -f "${TMPFILE}"' EXIT

# Hash the concatenation of every tracked file in find's sorted (-s) order,
# skipping svn/cvs metadata.  Other VCS mirrors need their own -not -path.
MD5SUM=$(find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | md5)
SHA256SUM=$(find -s . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
    -exec cat {} + | sha256)

# Records are filed under the first two hex digits of the md5.
MD5DIR=$(echo "${MD5SUM}" | cut -c 1-2)
if ! fetch -o "${TMPFILE}" "${BASEURL}/${MD5DIR}/${MD5SUM}"; then
    echo "No corresponding md5sum found, try again in a bit" >&2
    exit 1
fi

ORIG_MD5SUM=$(grep '^md5' "${TMPFILE}" | cut -d":" -f 2)
ORIG_SHA256SUM=$(grep '^sha256' "${TMPFILE}" | cut -d":" -f 2)

if [ "${MD5SUM}" != "${ORIG_MD5SUM}" ]; then
    echo "md5 mismatch - something went terribly wrong!" >&2
    exit 1
fi
# The md5 only selects the record; the sha256 comparison is the real check.
if [ "${SHA256SUM}" != "${ORIG_SHA256SUM}" ]; then
    echo "sha256 mismatch, but same md5 - please report this!" >&2
    cat "${TMPFILE}"
    exit 1
fi

echo "Your checkout seems to be:"
cat "${TMPFILE}"
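The publisher side of the scheme, as an added example that is not part of the post or of the cosum script: it writes the data/md5/<xx>/<md5> record the script fetches (the "md5:" and "sha256:" lines the script greps for, plus an assumed "rev:" line) and checks a checkout against a local copy of that data directory, so the lookup and the md5-versus-sha256 caveat can be exercised offline. It assumes GNU md5sum/sha256sum as a fallback for FreeBSD's md5/sha256, and it orders files with `find | sort` rather than `find -s`, so its digests are not comparable with the author's server data.

```sh
#!/bin/sh
# Publisher and offline-verifier side of the cosum lookup scheme (added
# example, not the cosum script itself).  Records live at
# <data>/md5/<first two hex of md5>/<md5> and carry the "md5:" and "sha256:"
# lines the script greps for; the "rev:" line is an assumed addition.

# Hash stdin with the FreeBSD tools the script uses, or the GNU coreutils
# equivalents (assumed fallback) so the example also runs on Linux.
hash_stdin() {  # $1 = md5 | sha256
    case "$1" in
        md5)    if command -v md5 >/dev/null 2>&1; then md5 -q; else md5sum | cut -d' ' -f1; fi ;;
        sha256) if command -v sha256 >/dev/null 2>&1; then sha256 -q; else sha256sum | cut -d' ' -f1; fi ;;
    esac
}

# Concatenate every tracked file in a fixed order, skipping svn/cvs metadata.
# Publisher and verifier must use the identical traversal or nothing matches.
cat_checkout() {  # $1 = checkout root
    (cd "$1" && find . -type f -not -path "*/.svn/*" -not -path "*/CVS/*" \
        | LC_ALL=C sort | while IFS= read -r f; do cat "$f"; done)
}

# Write the record for one checkout; prints the record path.
publish_record() {  # $1 = checkout root, $2 = data dir, $3 = revision label
    md5=$(cat_checkout "$1" | hash_stdin md5)
    sha256=$(cat_checkout "$1" | hash_stdin sha256)
    dir="$2/md5/$(printf '%s' "$md5" | cut -c 1-2)"
    mkdir -p "$dir"
    printf 'md5:%s\nsha256:%s\nrev:%s\n' "$md5" "$sha256" "$3" > "$dir/$md5"
    printf '%s\n' "$dir/$md5"
}

# Check a checkout against a local copy of the data dir; prints the revision
# label, returns 1 on any mismatch.  The md5 only selects the record; the
# sha256 comparison is what catches a tree crafted to collide on md5.
verify_record() {  # $1 = checkout root, $2 = data dir
    md5=$(cat_checkout "$1" | hash_stdin md5)
    recfile="$2/md5/$(printf '%s' "$md5" | cut -c 1-2)/$md5"
    [ -f "$recfile" ] || { echo "no record for md5 $md5" >&2; return 1; }
    [ "$(grep '^md5:' "$recfile" | cut -d: -f2)" = "$md5" ] || { echo "md5 mismatch" >&2; return 1; }
    want=$(grep '^sha256:' "$recfile" | cut -d: -f2)
    got=$(cat_checkout "$1" | hash_stdin sha256)
    [ "$got" = "$want" ] || { echo "sha256 mismatch, same md5 - report this" >&2; return 1; }
    grep '^rev:' "$recfile" | cut -d: -f2-
}
```

A record fetched over plain http can be swapped in transit, which is the https point conceded in the post; checking against a separately obtained local copy of the data directory removes that dependency.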