From: Matthew Seaman
Date: Sun, 12 May 2013 08:23:11 +0100
To: freebsd-ports@freebsd.org
Subject: Re: security/libgcrypt checksum mismatch
Message-ID: <518F435F.70508@FreeBSD.org>
In-Reply-To: <518F4095.7050509@FreeBSD.org>
List-Id: Porting software to FreeBSD
On 12/05/2013 08:11, Matthew Seaman wrote:
> On 11/05/2013 22:15, RW wrote:
>> FWIW I fetch files like this:
>>
>>
>> for porg in `pkg version -Iol'<' | awk '{ print $1 }'` ; do
>>     echo "Checking - ${porg}"
>>     # skip the port if its directory is missing rather than running make elsewhere
>>     cd /usr/ports/${porg} || continue
>>     make checksum || (
>>         export RANDOMIZE_MASTER_SITES=yes
>>         make distclean
>>         make checksum
>>     )
>> done
>>
>> I do it that way because it avoids a lot of problems with rerolled
>> files, but it would help with this problem too.
>
> I'm sorry, but this is a really bad idea and an irresponsible thing to
> advise anyone else to do. You're throwing away all the security
> benefits of using checksums, which are essentially that you can tell if
> anyone has tampered with the distfiles you intend to compile.
>
> If you don't understand why that matters, then try reading this:
>
> http://slashdot.org/comments.pl?sid=37188&cid=3991288
> http://www.mavetju.org/unix/openssh-trojan.php

Damn. I'm sorry. I misread your code. It's perfectly fine.

I apologise unreservedly for my earlier message.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
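The point the thread settles on is that RW's loop never bypasses verification: RANDOMIZE_MASTER_SITES only changes which mirror the distfile is fetched from, and the second `make checksum` still compares the fetched file's SIZE and SHA256 against the port's distinfo. The script below is an added example, not code from the thread or from the ports framework: a minimal stand-in for that verification step, run on a constructed distfile and distinfo so it works offline. The function names are hypothetical; the "libfoo-1.0.tar.gz" distfile and its distinfo entry are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal stand-in for what
# `make checksum` does in the ports tree, namely check a fetched distfile's
# SIZE and SHA256 against the port's distinfo.  Function names are
# hypothetical; the distfile and distinfo below are constructed inline.

# Print the SHA256 hex digest of a file (sha256sum on Linux, sha256 on FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# verify_distfile DISTINFO DISTDIR NAME
# Return 0 only if DISTDIR/NAME matches both the SIZE and SHA256 recorded for
# NAME in DISTINFO; a missing entry or any mismatch is a failure.
verify_distfile() {
    distinfo=$1; distdir=$2; name=$3
    want_sum=$(awk -v n="($name)" '$1 == "SHA256" && $2 == n { print $4 }' "$distinfo")
    want_size=$(awk -v n="($name)" '$1 == "SIZE"   && $2 == n { print $4 }' "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE entry in $distinfo" >&2
        return 1
    fi
    have_size=$(wc -c < "$distdir/$name" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size $have_size, distinfo says $want_size" >&2
        return 1
    fi
    have_sum=$(sha256_of "$distdir/$name")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "$name: SHA256 mismatch (rerolled on the mirror, or tampered with)" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed data: a 6-byte "distfile" whose distinfo entry
# is correct, then the same file replaced by a same-size, different-content
# one, which a size check alone would miss.  Prints "good bad".
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/libfoo-1.0.tar.gz"
    cat > "$tmp/distinfo" <<'EOF'
SHA256 (libfoo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (libfoo-1.0.tar.gz) = 6
EOF
    if verify_distfile "$tmp/distinfo" "$tmp" libfoo-1.0.tar.gz; then r1=good; else r1=bad; fi
    printf 'jello\n' > "$tmp/libfoo-1.0.tar.gz"
    if verify_distfile "$tmp/distinfo" "$tmp" libfoo-1.0.tar.gz 2>/dev/null; then r2=good; else r2=bad; fi
    rm -rf "$tmp"
    echo "$r1 $r2"
}

demo
```

In RW's loop the fallback branch re-fetches from a different mirror and then runs exactly this kind of check again, so a distfile that was rerolled or trojaned on one mirror still has to match the SHA256 in distinfo before the port builds; what the loop tolerates is a bad mirror, not a bad file.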