Date:      Mon, 28 May 2012 09:29:36 -0700
From:      "Jason Helfman" <jhelfman@e-e.com>
To:        "Stephen Montgomery-Smith" <stephen@missouri.edu>
Cc:        Eitan Adler <lists@eitanadler.com>, sam.lin4ml@gmail.com, nikola.lecic@anthesphoria.net, freebsd-ports@freebsd.org, re <romain@blogreen.org>
Subject:   Re: Request to review: print/texlive-install
Message-ID:  <de151b011cedb67a9030ce6d7517703b.squirrel@mail.experts-exchange.com>
In-Reply-To: <4FC387A9.5070700@missouri.edu>
References:  <CACsYpVOz1tnWO5e4S_OOSDGa7Q8OkztJ6HagHy58FY0J5RNCqQ@mail.gmail.com> <20120526090137.001691dc@scorpio> <ac8cb42c8cfedc59d2c7d6ccde74c476@anthesphoria.net> <4FC0F8EA.1090005@missouri.edu> <b532d4fdda7e4dfb99d4b4266fe7fe3c@anthesphoria.net> <4FC11B66.9000302@missouri.edu> <4b8eeb05337b220f301268ce014a159d@anthesphoria.net> <4FC2D159.4050801@missouri.edu> <CAF6rxg==b8BMsAoRaQY39StgxAQu7xCN2yt_K8mYH753nZm_7w@mail.gmail.com> <4FC387A9.5070700@missouri.edu>

> On 05/27/2012 09:19 PM, Eitan Adler wrote:
>> On 27 May 2012 18:14, Stephen Montgomery-Smith <stephen@missouri.edu> wrote:
>>> There are a number of issues.  In particular there is no checksum calculated
>>> for install-tl-unx.tar.gz because I suspect that it changes very often.
>>
>> This is a security risk and must not be committed as is.
>
> How about if I add lines like this:
>
> .if !defined(IGNORE_SECURITY_RISK)
> IGNORE=         has a security risk because it downloads a file \
> without a checksum.  Define IGNORE_SECURITY_RISK to build this port
> .endif
>
> Would it be considered OK to commit it then?

Does the code look for a particular location for this file to exist before
attempting to download it? If not, can it be patched to do so?

If so, it can be added as a distfile, and put into a location where the
build will find it.

If this can be done, there wouldn't be a security risk, assuming no other
files are downloaded post-fetch.

-jgh
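
Added example, not part of the original message or of the port under review: registering the installer as a distfile closes the gap because the ports framework checks each fetched file against the SHA256 and SIZE lines in the port's distinfo. The Python code below mirrors that check and refuses a file that has no recorded entry, which is the case raised in this thread; the function names and the sample tarball bytes are constructed for illustration.

```python
import hashlib
import hmac
import re

# distinfo lines look like "SHA256 (name) = <hex>" and "SIZE (name) = <bytes>".
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


class DistfileError(Exception):
    """Raised when a distfile cannot be trusted."""


def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank lines and other record types are ignored
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = (
            int(value) if kind == "SIZE" else value.lower()
        )
    return entries


def verify_distfile(name, data, distinfo_text):
    """Return True only if data matches the recorded SIZE and SHA256."""
    entry = parse_distinfo(distinfo_text).get(name)
    # Fail closed: a file with no recorded checksum is never accepted.
    if not entry or "SHA256" not in entry or "SIZE" not in entry:
        raise DistfileError(name + ": no checksum recorded, refusing to use it")
    if len(data) != entry["SIZE"]:
        raise DistfileError(name + ": size mismatch")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["SHA256"]):
        raise DistfileError(name + ": SHA256 mismatch")
    return True


# Constructed sample: stand-in bytes for the tarball and a matching distinfo.
SAMPLE_TARBALL = b"constructed stand-in for install-tl-unx.tar.gz\n"
SAMPLE_DISTINFO = (
    "SHA256 (install-tl-unx.tar.gz) = "
    + hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "\n"
    + "SIZE (install-tl-unx.tar.gz) = " + str(len(SAMPLE_TARBALL)) + "\n"
)

if __name__ == "__main__":
    print(verify_distfile("install-tl-unx.tar.gz", SAMPLE_TARBALL, SAMPLE_DISTINFO))
```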





