security/libgcrypt checksum mismatch
Matthew Seaman
matthew at FreeBSD.org
Sun May 12 07:23:16 UTC 2013
On 12/05/2013 08:11, Matthew Seaman wrote:
> On 11/05/2013 22:15, RW wrote:
>> FWIW I fetch files like this:
>>
>>
>> for porg in `pkg version -Iol'<' |awk '{ print $1 }'` ; do
>> echo "Checking - ${porg}"
>> cd /usr/ports/${porg}
>> make checksum || (
>> export RANDOMIZE_MASTER_SITES=yes
>> make distclean
>> make checksum
>> )
>> done
>>
>> I do it that way because it avoids a lot of problems with rerolled
>> files, but it would help with this problem too.
>
> I'm sorry, but this is a really bad idea and an irresponsible thing to
> advise anyone else to do. You're throwing away all the security
> benefits of using checksums, which are essentially that you can tell if
> anyone has tampered with the distfiles you intend to compile.
>
> If you don't understand why that matters, then try reading this:
>
> http://slashdot.org/comments.pl?sid=37188&cid=3991288
> http://www.mavetju.org/unix/openssh-trojan.php
Damn. I'm sorry. I misread your code. It's perfectly fine.
I apologise unreservedly for my earlier message.
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
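The exchange above turns on one point: a fetch loop that retries from another mirror is fine only because every attempt still ends in `make checksum`, so a mismatching distfile is never accepted. The following is an added example (not RW's, Matthew's, or the ports framework's own code) of that verification step in isolation: a POSIX shell function that checks a fetched file against a `SHA256 (name) = <hex>` line in a distinfo file and returns non-zero on mismatch or on a missing entry. The distfile name `example-1.0.tar.gz`, its contents, and the distinfo it is checked against are all constructed inside the script; the script assumes either `sha256sum` (GNU coreutils) or `sha256 -q` (FreeBSD base) is available.

```shell
#!/bin/sh
# Added example: verify a fetched distfile against its distinfo entry,
# the same decision `make checksum` makes in the ports tree.
# File names and hashes below are constructed for the demonstration.

# Print the SHA-256 of a file using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"          # FreeBSD base system
    fi
}

# verify_distfile FILE DISTINFO
#   0 -> FILE's SHA-256 matches the recorded value
#   1 -> checksum mismatch (the file must not be used)
#   2 -> DISTINFO carries no SHA256 entry for FILE
verify_distfile() {
    file=$1
    distinfo=$2
    name=$(basename "$file")
    # distinfo lines look like: SHA256 (example-1.0.tar.gz) = <hex>
    expected=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for ${name} in ${distinfo}" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for ${name}: expected ${expected}, got ${actual}" >&2
        return 1
    fi
    return 0
}

# Build a constructed fixture: a fake distfile plus a distinfo that records
# its hash. Prints the directory so callers can exercise verify_distfile.
setup_fixture() {
    dir=$(mktemp -d)
    printf 'constructed distfile contents\n' > "$dir/example-1.0.tar.gz"
    good=$(sha256_of "$dir/example-1.0.tar.gz")
    printf 'SHA256 (example-1.0.tar.gz) = %s\n' "$good" > "$dir/distinfo"
    echo "$dir"
}

# Stand-alone demonstration: the untouched file verifies, a modified one does not.
if [ "${0##*/}" != "sh" ] && [ -z "$GR_TEST" ]; then
    d=$(setup_fixture)
    verify_distfile "$d/example-1.0.tar.gz" "$d/distinfo" && echo "original: OK"
    printf 'modified\n' >> "$d/example-1.0.tar.gz"
    verify_distfile "$d/example-1.0.tar.gz" "$d/distinfo" || echo "modified: rejected (rc=$?)"
    rm -rf "$d"
fi
```

In RW's loop the retry with RANDOMIZE_MASTER_SITES=yes corresponds to fetching again from a different mirror and then calling the same check; what would be unsafe is to `make distclean` and build without re-running the verification, and his script does not do that.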