FTP packages missing CHECKSUM.MD5
Lowell Gilbert
freebsd-ports-local at be-well.ilk.org
Fri Apr 12 11:49:28 UTC 2013
grarpamp <grarpamp at gmail.com> writes:
> Noticed that at least ports/i386/packages-9-stable is missing
> its CHECKSUM.MD5 file.
>
> Of course people shouldn't use it for what they think it's for,
> because it's not signed and uses a broken hash function.
> Hopefully that will be updated to signed sha1/256/3 before long.
It was intended as a defense against accidental file corruption, not
malicious file corruption. For a variety of reasons, this is much less
of a problem that it used to be, but I wouldn't assume that it's
irrelevant to everyone.
Secure checksums for protection against malicious modifications is a
different problem, and should be handled with more-automatic means, much
as portsnap does.
> However it does make for a good 'TIMESTAMP' file to detect when
> new packages appear. Ftp's internal or external 'ls -tT' can't be counted
> on for this across mirrors because such options to ls are mirror dependant.
> And there's no simple way to locally sort the ftp list output by date
> without rigging in perl, etc. And an overwrite of the same file may not
> stamp the parent directory, which also doesn't appear reliably '.' while
> in the current directory.
>
> In short, I'd suggest making a formal TIMESTAMP file for when package
> updates are pushed out so people can key off that instead.
Pretty easy and cheap. Makes sense as well.
More information about the freebsd-ports
mailing list