Date: Sat, 11 May 2013 22:15:05 +0100 From: RW <rwmaillists@googlemail.com> To: ports@freebsd.org Subject: Re: security/libgcrypt checksum mismatch Message-ID: <20130511221505.54aadc87@gumby.homeunix.com> In-Reply-To: <20130511173952.638bbe7b@bsd64.grem.de> References: <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk> <20130511173952.638bbe7b@bsd64.grem.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 11 May 2013 17:39:52 +0200 Michael Gmelin wrote: > Besides the fact that ISPs really shouldn't interfere with your HTTP > traffic in that way (terrible!), preferring FTP sounds like a bad > idea, since it's a lot more complicated protocol and therefore more > likely to fail in limited network setups. There are a couple of > possible solutions, some more useful than others. I doubt it makes much difference, fetch can request ftp urls through an http proxy which eliminates a lot of the potential problems, and even in the worst case FreeBSD will fall through to an HTTP link. > 1. Avoid ISPs that break your traffic. > Caveat: Sometimes you have no choice. > 2. Use HTTPS whenever possible, so that certificate checking can take > place and stop you from downloading broken files in the first > place. (there's a patch to fetch I'm working on with des that will > hopefully make it to base soon). > Caveat: Not every project provides an SSL enabled source, lots of > ports need to be adapted, never near 100%. On the whole caching is a good thing. HTTPS sounds more trouble than it's worth to me. > 3. Modify the ports framework, so you can set an environment/config > variable like PREFER_HTTP or PREFER_FTP. > Caveat: It's work and not *that* useful. You can already do this with: MASTER_SORT_REGEX?= ^ftp: I used to do it the other way around because my ISP preferred cached HTTP in their traffic shaping. > 4. Modify the ports framework, so it tries the next download location > in case there is a file size or checksum mismatch. > Caveat: Requires effort. > > IMHO implementing 4 would make a lot sense to compensate for broken > mirrors. FWIW I fetch files like this: for porg in `pkg version -Iol'<' |awk '{ print $1 }'` ; do echo "Checking - ${porg}" cd /usr/ports/${porg} make checksum || ( export RANDOMIZE_MASTER_SITES=yes make distclean make checksum ) done I do it that way because it avoids a lot of problems with rerolled files, but it would help with this problem too.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130511221505.54aadc87>