security/libgcrypt checksum mismatch
Matthew Seaman
matthew at FreeBSD.org
Sun May 12 07:11:38 UTC 2013
On 11/05/2013 22:15, RW wrote:
> FWIW I fetch files like this:
>
>
> for porg in `pkg version -Iol'<' | awk '{ print $1 }'` ; do
>     echo "Checking - ${porg}"
>     # skip the port if its directory is missing instead of running make elsewhere
>     cd /usr/ports/${porg} || continue
>     # on a checksum mismatch: drop the cached distfile, fetch it again from a
>     # randomly chosen mirror, then re-run the check
>     make checksum || (
>         export RANDOMIZE_MASTER_SITES=yes
>         make distclean
>         make checksum
>     )
> done
>
> I do it that way because it avoids a lot of problems with rerolled
> files, but it would help with this problem too.
I'm sorry, but this is a really bad idea and an irresponsible thing to
advise anyone else to do. You're throwing away all the security
benefits of using checksums, which are essentially that you can tell if
anyone has tampered with the distfiles you intend to compile.
If you don't understand why that matters, then try reading this:
http://slashdot.org/comments.pl?sid=37188&cid=3991288
http://www.mavetju.org/unix/openssh-trojan.php
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
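The check Matthew is defending, as an added example that is not part of this thread or of the ports framework: a POSIX sh function that verifies distfiles against a FreeBSD-style distinfo (its SHA256 and SIZE lines) and fails on any mismatch or missing file. The distfile name, its contents and the distinfo below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the ports framework: verify distfiles against a
# FreeBSD-style distinfo ("SHA256 (name) = <hex digest>" / "SIZE (name) = <bytes>").
# Exit status is 0 only when every listed file exists and digest and size match.

sha256_of() {
  # Prefer BSD sha256(1) -q, fall back to coreutils sha256sum or openssl.
  if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

verify_distinfo() {
  distinfo=$1; distdir=$2; status=0
  while IFS= read -r line; do
    case $line in
      'SHA256 ('*|'SIZE ('*) ;;
      *) continue ;;                 # ignore TIMESTAMP and anything else
    esac
    set -- $line                     # SHA256 (name) = digest  -> four fields
    kind=$1; name=${2#\(}; name=${name%\)}; want=$4
    file=$distdir/$name
    if [ ! -f "$file" ]; then
      echo "MISSING  $name"; status=1; continue
    fi
    case $kind in
      SHA256) have=$(sha256_of "$file") ;;
      SIZE)   have=$(wc -c < "$file" | tr -d ' ') ;;
    esac
    if [ "$have" = "$want" ]; then
      echo "OK       $kind $name"
    else
      echo "MISMATCH $kind $name: distinfo says $want, file has $have"; status=1
    fi
  done < "$distinfo"
  return $status
}

# Constructed sample: a fake distfile and the distinfo it is expected to match.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/sample-1.0.tar.gz"
printf '%s\n' 'SHA256 (sample-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' \
  'SIZE (sample-1.0.tar.gz) = 6' > "$demo/distinfo"
verify_distinfo "$demo/distinfo" "$demo"          # all OK
printf 'hellp\n' > "$demo/sample-1.0.tar.gz"      # simulate a tampered or rerolled file
verify_distinfo "$demo/distinfo" "$demo" || echo "refusing to build: distfile does not match distinfo"
rm -rf "$demo"
```

Unlike re-fetching until a mirror happens to agree, the only acceptable way to clear a MISMATCH here is a distinfo update from the port maintainer.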