Date: Wed, 25 Jan 2006 20:35:48 -0500
From: Kris Kennaway
To: Peter Jeremy
Cc: cvs-ports@freebsd.org, ports-committers@freebsd.org, Edwin Groothuis, cvs-all@freebsd.org, Kris Kennaway
Subject: Re: cvs commit: ports/Tools/scripts distinfochecker
Message-ID: <20060126013548.GC57519@xor.obsecurity.org>
In-Reply-To: <20060126012822.GM25397@cirb503493.alcatel.com.au>

On Thu, Jan 26, 2006 at 12:28:22PM +1100, Peter Jeremy wrote:
> On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
> >AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
> >have different versions of the distfile that are functionally
> >identical. Duplicate SIZE causes errors though (arguably a bug).
>
> Different, but functionally identical, versions of a distfile are
> highly likely to also have different sizes. If you're going to allow
> different checksums, you need to allow for different sizes as well.

Yeah, currently you'd have to drop the size checking (which is mostly
just an optimization to avoid downloading changed/corrupted versions).

> Doing this without opening potential security holes means changing the
> distfiles entries to be tuples of {filename,size,md5,sha-256} (where
> anything except the filename is optional). A downloaded file would
> have to completely match one of the tuples for it to be acceptable.
>
> How many cases are there where there are multiple, equivalent,
> versions of distfiles on the net?

A distfile somewhere in the ports collection changes checksum about
once a week or so. I don't have data on how often the above situation
(different versions on different sites) occurs, but it must occur
occasionally when the software mirror sites are not quick to update.

Kris
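
The whole-tuple matching proposed in the quoted text above, as an added example that is not part of the original message or of the ports tree: a downloaded file is accepted only when one single entry matches in every field that entry carries. The `DistEntry` class, the function names and the sample file contents are constructed for illustration, and refusing entries that carry no digest is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class DistEntry:
    """One acceptable version of a distfile; every field but filename is optional."""
    filename: str
    size: Optional[int] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None

def entry_matches(entry: DistEntry, filename: str, data: bytes) -> bool:
    """True only if every field present in this single tuple matches the file."""
    if entry.filename != filename:
        return False
    # Assumption of this example, not stated in the thread: a tuple with no
    # digest is never sufficient, since size alone says nothing about content.
    if entry.md5 is None and entry.sha256 is None:
        return False
    if entry.size is not None and entry.size != len(data):
        return False
    if entry.md5 is not None and entry.md5 != hashlib.md5(data).hexdigest():
        return False
    if entry.sha256 is not None and entry.sha256 != hashlib.sha256(data).hexdigest():
        return False
    return True

def match_entry(entries: Sequence[DistEntry], filename: str, data: bytes) -> Optional[int]:
    """Index of the first tuple the file matches completely, or None to reject."""
    for i, entry in enumerate(entries):
        if entry_matches(entry, filename, data):
            return i
    return None

# Constructed sample data: two functionally identical versions of one distfile
# as two mirrors might serve them, differing in both size and checksum.
VERSION_A = b"foo-1.0 source\n"
VERSION_B = b"foo-1.0 source, repacked\n"
ENTRIES = [
    DistEntry("foo-1.0.tar.gz", len(VERSION_A),
              hashlib.md5(VERSION_A).hexdigest(), hashlib.sha256(VERSION_A).hexdigest()),
    DistEntry("foo-1.0.tar.gz", len(VERSION_B), md5=hashlib.md5(VERSION_B).hexdigest()),
    DistEntry("bar-2.0.tar.gz", size=4),  # size only: never accepted on its own
]

if __name__ == "__main__":
    for blob in (VERSION_A, VERSION_B, b"x" * len(VERSION_A)):
        print(len(blob), match_entry(ENTRIES, "foo-1.0.tar.gz", blob))
```
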