Date: Fri, 12 Apr 2013 07:49:20 -0400
From: Lowell Gilbert <freebsd-ports-local@be-well.ilk.org>
To: freebsd-ports@freebsd.org
Subject: Re: FTP packages missing CHECKSUM.MD5
Message-ID: <44ehegarzz.fsf@lowell-desk.lan>
In-Reply-To: <CAD2Ti28GKA1QGOyGwdz5OxJCG1zC8w4=WzOL1cp%2Bqbr7YjxkUQ@mail.gmail.com> (grarpamp@gmail.com's message of "Thu, 11 Apr 2013 14:15:50 -0400")
References: <CAD2Ti28GKA1QGOyGwdz5OxJCG1zC8w4=WzOL1cp%2Bqbr7YjxkUQ@mail.gmail.com>

grarpamp <grarpamp@gmail.com> writes:

> Noticed that at least ports/i386/packages-9-stable is missing
> its CHECKSUM.MD5 file.
>
> Of course people shouldn't use it for what they think it's for,
> because it's not signed and uses a broken hash function.
> Hopefully that will be updated to signed sha1/256/3 before long.

It was intended as a defense against accidental file corruption, not
malicious file corruption. For a variety of reasons, this is much less
of a problem than it used to be, but I wouldn't assume that it's
irrelevant to everyone.

Secure checksums for protection against malicious modifications is a
different problem, and should be handled with more-automatic means,
much as portsnap does.

> However it does make for a good 'TIMESTAMP' file to detect when
> new packages appear. Ftp's internal or external 'ls -tT' can't be counted
> on for this across mirrors because such options to ls are mirror dependent.
> And there's no simple way to locally sort the ftp list output by date
> without rigging in perl, etc. And an overwrite of the same file may not
> stamp the parent directory, which also doesn't appear reliably '.' while
> in the current directory.
>
> In short, I'd suggest making a formal TIMESTAMP file for when package
> updates are pushed out so people can key off that instead.

Pretty easy and cheap. Makes sense as well.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44ehegarzz.fsf>
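
The distinction drawn in the reply above (an unsigned checksum file catches accidental corruption but not malicious replacement), shown as an added example that is not part of the original message or of any FreeBSD tooling. Assumptions: the manifest uses the BSD md5(1) line format, the file name, contents and key are constructed samples, and HMAC-SHA256 stands in for a real public-key signature because the Python standard library has no signing primitive.

```python
import hashlib
import hmac

def make_manifest(files):
    """One 'MD5 (name) = hex' line per file, as BSD md5(1) prints them."""
    return "".join(f"MD5 ({n}) = {hashlib.md5(d).hexdigest()}\n"
                   for n, d in sorted(files.items()))

def mismatches(files, manifest):
    """Names of files whose MD5 is absent from, or differs from, the manifest."""
    listed = {}
    for line in manifest.splitlines():
        left, sep, digest = line.rpartition(" = ")
        if sep and left.startswith("MD5 (") and left.endswith(")"):
            listed[left[5:-1]] = digest
    return [n for n, d in sorted(files.items())
            if listed.get(n) != hashlib.md5(d).hexdigest()]

def tag(manifest, key):
    """HMAC-SHA256 over the manifest; a stand-in for a publisher signature."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def authentic(manifest, mac, key):
    """True only if the manifest is the one the key holder tagged."""
    return hmac.compare_digest(tag(manifest, key), mac)

def demo():
    key = b"constructed-publisher-key"            # constructed sample key
    good = {"foo-1.0.tbz": b"package payload"}    # constructed sample package
    manifest = make_manifest(good)
    mac = tag(manifest, key)

    # Accidental corruption: one byte damaged in transit, manifest intact.
    damaged = {"foo-1.0.tbz": b"package pAyload"}

    # Malicious change: the file and the unsigned manifest are replaced together.
    evil = {"foo-1.0.tbz": b"tampered payload"}
    evil_manifest = make_manifest(evil)
    return {
        "accidental_detected": mismatches(damaged, manifest),
        "malicious_passes_checksum": mismatches(evil, evil_manifest) == [],
        "malicious_passes_tag": authentic(evil_manifest, mac, key),
        "original_passes_tag": authentic(manifest, mac, key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The regenerated manifest passes the plain checksum comparison regardless of which hash function is used; only the check bound to a key the mirror does not hold rejects it.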