Date:      Tue, 22 Jan 2019 17:29:59 +0100
From:      Franco Fichtner <franco@lastsummer.de>
To:        Stefan Bethke <stb@lassitu.de>
Cc:        freebsd-security@freebsd.org, "ports-secteam@freebsd.org" <ports-secteam@FreeBSD.org>
Subject:   Re: PEAR packages potentially contain malicious code
Message-ID:  <D6BEFD2E-DEAD-42B9-852D-8EA6679D3BE2@lastsummer.de>
In-Reply-To: <7E861664-7F7A-4461-969E-CA0570131706@lastsummer.de>
References:  <442DD3E6-5954-4B5B-808B-A2DFE5D7DE4D@lassitu.de> <8090C0B2-AF5C-4031-93A5-2F33F28B9959@FreeBSD.org> <97c1a502-293a-d5b0-3910-2954ca19c5ff@FreeBSD.org> <9F62C279-D5B3-443C-91F6-E0D4339A68D4@lassitu.de> <ADCF732E-2606-454A-866C-C091F90B2E5E@lassitu.de> <7E861664-7F7A-4461-969E-CA0570131706@lastsummer.de>


Apologies, I mixed up this one and the other thread.


Cheers,
Franco

> On 22. Jan 2019, at 5:27 PM, Franco Fichtner <franco@lastsummer.de> wrote:
> 
> 
>> On 22. Jan 2019, at 5:15 PM, Stefan Bethke <stb@lassitu.de> wrote:
>> 
>> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.
> 
> I fail to understand how mismatching package checksums for
> cached package files are an indication of compromised distfiles
> which have pinned size and checksums in the FreeBSD ports
> tree since forever.
> 
> If you say you build your own packages (and install them)
> a mismatch in pkg-cache files is normal because pkg will
> complain about a drift between the mirror-provided packages
> and your local ones when it detects them which happens when
> you have a package file created from different sources,
> the ports tree and the binary mirror.
> 
> This will likely get rid of the mismatch by merely purging
> your local package cache...
> 
> # pkg clean -ya
> 
> 
> Cheers,
> Franco



