Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 28 May 2012 12:06:34 -0500
From:      Stephen Montgomery-Smith <stephen@missouri.edu>
To:        Jason Helfman <jhelfman@e-e.com>
Cc:        Eitan Adler <lists@eitanadler.com>, sam.lin4ml@gmail.com, nikola.lecic@anthesphoria.net, freebsd-ports@FreeBSD.org, re <romain@blogreen.org>
Subject:   Re: Request to review: print/texlive-install
Message-ID:  <4FC3B09A.7070301@missouri.edu>
In-Reply-To: <de151b011cedb67a9030ce6d7517703b.squirrel@mail.experts-exchange.com>
References:  <CACsYpVOz1tnWO5e4S_OOSDGa7Q8OkztJ6HagHy58FY0J5RNCqQ@mail.gmail.com> <20120526090137.001691dc@scorpio> <ac8cb42c8cfedc59d2c7d6ccde74c476@anthesphoria.net> <4FC0F8EA.1090005@missouri.edu> <b532d4fdda7e4dfb99d4b4266fe7fe3c@anthesphoria.net> <4FC11B66.9000302@missouri.edu> <4b8eeb05337b220f301268ce014a159d@anthesphoria.net> <4FC2D159.4050801@missouri.edu> <CAF6rxg==b8BMsAoRaQY39StgxAQu7xCN2yt_K8mYH753nZm_7w@mail.gmail.com> <4FC387A9.5070700@missouri.edu> <de151b011cedb67a9030ce6d7517703b.squirrel@mail.experts-exchange.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 05/28/2012 11:29 AM, Jason Helfman wrote:
>> On 05/27/2012 09:19 PM, Eitan Adler wrote:
>>> On 27 May 2012 18:14, Stephen Montgomery-Smith<stephen@missouri.edu>
>>> wrote:
>>>> There are a number of issues.  In particular there is no checksum
>>>> calculated
>>>> for install-tl-unx.tar.gz because I suspect that it changes very often.
>>>
>>> This is a security risk and must not be committed as is.
>>
>> How about if I add lines like this:
>>
>> .if !defined(IGNORE_SECURITY_RISK)
>> IGNORE=         has a security risk because it downloads a file \
>> without a checksum.  Define IGNORE_SECURITY_RISK to build this port
>> .endif
>>
>> Would it be considered OK to commit it then?
>
> Does the code look for a particular location for this file to exist before
> attempting to download it? If not, can it be patched, to do so?
>
> If so, it can be added as a distfile, and put into a location where the
> build will find it.

Yes, I can do this.  But the file changes often, so one would have to 
update distinfo in the ports very often to keep up.

> If this can be done, there wouldn't be a security risk, assuming no other
> files are downloaded post-fetch.

And the install script downloads everything during the "do-install" phase.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FC3B09A.7070301>