cvs commit: ports/Tools/scripts distinfochecker
Kris Kennaway
kris at obsecurity.org
Wed Jan 25 17:35:54 PST 2006
On Thu, Jan 26, 2006 at 12:28:22PM +1100, Peter Jeremy wrote:
> On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
> >AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
> >have different versions of the distfile that are functionally
> >identical. Duplicate SIZE causes errors though (arguably a bug).
>
> Different, but functionally identical, versions of a distfile are
> highly likely to also have different sizes. If you're going to allow
> different checksums, you need to allow for different sizes as well.
Yeah, currently you'd have to drop the size checking (which is mostly
just an optimization to avoid downloading changed/corrupted versions).
> Doing this without opening potential security holes means changing the
> distfiles entries to be tuples of {filename,size,md5,sha-256} (where
> anything except the filename is optional). A downloaded file would
> have to completely match one of the tuples for it to be acceptable.
>
> How many cases are there where there are multiple, equivalent,
> versions of distfiles on the net?
A distfile somewhere in the ports collection changes checksum about
once a week or so. I don't have data on how often the above situation
(different versions on different sites) occurs, but it must occur
occasionally when the software mirror sites are not quick to update.
Kris
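The tuple rule Peter describes above (a downloaded file must completely match one {filename,size,md5,sha-256} entry, never a size from one entry and a checksum from another), as an added Python example that is not part of the ports tree or the distinfochecker script this commit touches. It keeps the existing `ALGO (file) = value` line syntax and assumes one grouping convention, which the thread does not specify: consecutive lines for a filename form one tuple, and repeating an algorithm for that filename opens a new tuple. The tarball contents are constructed stand-ins, not real distfiles.

```python
import hashlib
import re
from collections import defaultdict

# One distinfo line: "ALGO (filename) = value"; SIZE values are decimal byte counts.
LINE_RE = re.compile(r"^(MD5|SHA256|SIZE) \((.+?)\) = (\S+)$")


def parse_distinfo(text):
    """Group distinfo lines into per-filename tuples of {md5, sha256, size}.

    Assumed convention: consecutive lines for one filename belong to one tuple,
    and a line whose algorithm is already present in the open tuple starts a
    new one, so two equivalent versions of a distfile (e.g. from different
    mirrors) each get their own complete tuple.  Any field except the filename
    may be absent.
    """
    tuples = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a distinfo line: {raw!r}")
        field, name, value = m.group(1).lower(), m.group(2), m.group(3)
        value = int(value) if field == "size" else value.lower()
        if not tuples[name] or field in tuples[name][-1]:
            tuples[name].append({})
        tuples[name][-1][field] = value
    return dict(tuples)


def digest(data):
    """Observed size and checksums of a downloaded distfile held in memory."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_distfile(data, name, tuples):
    """Index of the first tuple that data matches in every present field, else None.

    Fields are never mixed across tuples: a size from one entry plus a checksum
    from another is not a match, and an unknown filename never matches.
    """
    observed = digest(data)
    for idx, entry in enumerate(tuples.get(name, [])):
        if entry and all(observed[field] == want for field, want in entry.items()):
            return idx
    return None


# Constructed sample: two equivalent tarballs of one release, as two mirrors
# might serve them, plus a second port listed with a checksum but no SIZE.
DISTFILE = "foo-1.0.tar.gz"
MIRROR_A = b"foo-1.0 tarball as published by the primary site\n"
MIRROR_B = b"foo-1.0 tarball as repacked by a mirror, same content\n"
BAR_ONLY = b"bar-2.3 tarball listed with a checksum but no SIZE\n"


def format_entry(name, data, fields=("md5", "sha256", "size")):
    """Emit the distinfo lines for data, restricted to the requested fields."""
    d = digest(data)
    return "\n".join(f"{f.upper()} ({name}) = {d[f]}" for f in fields)


SAMPLE_DISTINFO = "\n".join([
    format_entry(DISTFILE, MIRROR_A),
    format_entry(DISTFILE, MIRROR_B),
    format_entry("bar-2.3.tar.gz", BAR_ONLY, fields=("sha256",)),
]) + "\n"

TUPLES = parse_distinfo(SAMPLE_DISTINFO)

if __name__ == "__main__":
    for label, blob in (("mirror A", MIRROR_A), ("mirror B", MIRROR_B),
                        ("tampered", MIRROR_B + b"#")):
        print(f"{DISTFILE} from {label}: matched tuple {match_distfile(blob, DISTFILE, TUPLES)}")
```

Both mirror versions are accepted through their own tuple, so the SIZE check stays in place instead of being dropped as the reply above notes would currently be necessary; a modified download matches neither tuple and is rejected, and an entry that omits SIZE simply constrains one field fewer.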