From: Garrett Wollman
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Sat, 24 Jan 2015 22:03:23 -0500
Subject: Re: Strange package checksum report
Message-ID: <21700.23803.911745.834275@hergotha.csail.mit.edu>
In-Reply-To: <868ugrr5r3.fsf@nine.des.no>

< said:

> Garrett Wollman writes:
>> Checking for packages with mismatched checksums:
>> p5-XML-SAX-0.99_2: /usr/local/lib/perl5/site_perl/XML/SAX/ParserDetails.ini

> This file is updated whenever you install or remove a SAX parser, so
> this is expected. There are at least half a dozen different Perl SAX
> implementations in the ports tree.

So perhaps this file should be treated as, um, whatever our equivalent
of a "conffile" is from dpkg-land.

> These are Python bytecode files. They are automatically regenerated if
> you have write access to them and Python thinks they are stale when it
> tries to load them. Apparently, Python's definition of "stale" is
> slightly more complex than just comparing timestamps; they are one of
> the reasons why Baptiste gave up reproducible package builds.

That's unfortunate. Perhaps either Python can be trained to write
updated copies somewhere else? Or maybe we can generate them at
package installation rather than shipping pregenerated versions?
(Would slow down builds of dependent packages, but those are the
breaks.)

> Is your clock synchronized with NTP? Is this a VM? What is the
> underlying filesystem?

Yes, on all machines; no; and ZFS.

-GAWollman
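
An added illustration, not part of the original message: the timestamp-based staleness test discussed above, written against the CPython 3.7+ `.pyc` header (PEP 552: magic, flags, source mtime, source size), whereas the Python 2.7 of this thread's era recorded only magic and mtime. The function names and the sample module are constructed for this example.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile

def pyc_stale_reason(pyc_path, source_path):
    """Return None if the timestamp check would accept pyc_path, else the reason."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)
    if len(header) < 16:
        return "truncated header"
    magic, flags, mtime, size = struct.unpack("<4sIII", header)
    if magic != importlib.util.MAGIC_NUMBER:
        return "magic number belongs to another interpreter version"
    if flags & 0x1:
        return "hash-based pyc, not covered by this check"
    st = os.stat(source_path)
    # Equality, not "older than": a source restored with an earlier mtime also invalidates.
    if mtime != int(st.st_mtime) & 0xFFFFFFFF:
        return "recorded source mtime differs"
    if size != st.st_size & 0xFFFFFFFF:
        return "recorded source size differs"
    return None

def demo():
    """Constructed sample: one module compiled, then perturbed two ways."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src, pyc = os.path.join(d, "mod.py"), os.path.join(d, "mod.pyc")
        with open(src, "w") as f:
            f.write("x = 1\n")
        py_compile.compile(src, cfile=pyc, doraise=True,
                           invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
        results["as built"] = pyc_stale_reason(pyc, src)
        old = os.stat(src).st_mtime - 3600
        os.utime(src, (old, old))          # source is now older than the pyc
        results["source mtime moved back"] = pyc_stale_reason(pyc, src)
        with open(pyc, "r+b") as f:        # simulate a pyc from another Python version
            f.write(b"\x00\x00\r\n")
        results["foreign magic"] = pyc_stale_reason(pyc, src)
    return results

if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason or 'fresh'}")
```

Run against a flagged `.pyc` and its `.py`, a non-None reason gives a benign explanation for why the interpreter rewrote the file; it says nothing about whether the rewritten bytecode matches the source.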