From: Stephen Montgomery-Smith <stephen@missouri.edu>
To: Jason Helfman
Cc: Eitan Adler, sam.lin4ml@gmail.com, nikola.lecic@anthesphoria.net, freebsd-ports@FreeBSD.org, re
Date: Mon, 28 May 2012 12:06:34 -0500
Subject: Re: Request to review: print/texlive-install
Message-ID: <4FC3B09A.7070301@missouri.edu>
References: <20120526090137.001691dc@scorpio> <4FC0F8EA.1090005@missouri.edu> <4FC11B66.9000302@missouri.edu> <4b8eeb05337b220f301268ce014a159d@anthesphoria.net> <4FC2D159.4050801@missouri.edu> <4FC387A9.5070700@missouri.edu>
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

On 05/28/2012 11:29 AM, Jason Helfman wrote:
>> On 05/27/2012 09:19 PM, Eitan Adler wrote:
>>> On 27 May 2012 18:14, Stephen Montgomery-Smith wrote:
>>>> There are a number of issues. In particular there is no checksum
>>>> calculated for install-tl-unx.tar.gz because I suspect that it
>>>> changes very often.
>>>
>>> This is a security risk and must not be committed as is.
>>
>> How about if I add lines like this:
>>
>> .if !defined(IGNORE_SECURITY_RISK)
>> IGNORE= has a security risk because it downloads a file \
>> without a checksum. Define IGNORE_SECURITY_RISK to build this port
>> .endif
>>
>> Would it be considered OK to commit it then?
>
> Does the code look for a particular location for this file to exist before
> attempting to download it? If not, can it be patched to do so?
>
> If so, it can be added as a distfile, and put into a location where the
> build will find it.

Yes, I can do this. But the file changes often, so one would have to update
distinfo in the ports very often to keep up.

> If this can be done, there wouldn't be a security risk, assuming no other
> files are downloaded post-fetch.

And the install script downloads everything during the "do-install" phase.
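As an added example (not code from this thread, from the ports framework or from the texlive-install port), the pre-fetch check Jason describes, written as a POSIX shell script: it looks for install-tl-unx.tar.gz in a local distfiles directory and accepts it only when its SHA256 matches a distinfo-style entry, so a missing or mismatching file is rejected rather than downloaded. The function names, the directory layout, the distinfo line format used for matching and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: emulate a distfile check that never downloads.
# A file is used only if it is already present in DISTDIR and its
# SHA256 matches the distinfo entry; anything else is an error.

# Portable SHA256 of a file (sha256sum on Linux, sha256 on FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Look up the expected SHA256 for a distfile name in a distinfo file.
# Assumed line format:  SHA256 (install-tl-unx.tar.gz) = <hex digest>
expected_sha256() {
    distinfo=$1
    name=$2
    sed -n "s/^SHA256 ($name) = \([0-9a-f]*\)\$/\1/p" "$distinfo"
}

# verify_distfile DISTDIR DISTINFO NAME
# Returns 0 when DISTDIR/NAME exists and matches distinfo.
# Returns 2 if the file is absent, 3 if distinfo has no entry,
# 1 if the digest differs. Nothing is fetched in any case.
verify_distfile() {
    distdir=$1
    distinfo=$2
    name=$3
    file="$distdir/$name"
    [ -f "$file" ] || { echo "missing distfile: $file" >&2; return 2; }
    want=$(expected_sha256 "$distinfo" "$name")
    [ -n "$want" ] || { echo "no distinfo entry for $name" >&2; return 3; }
    have=$(sha256_of "$file")
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  expected $want" >&2
        echo "  got      $have" >&2
        return 1
    fi
    return 0
}
```

In a port this is what the framework's checksum target already does for anything listed in DISTFILES; the script only makes the rule explicit: the file must be staged in the distfiles directory and pinned in distinfo before the build proceeds, and a file that changes upstream shows up as a mismatch rather than being silently accepted.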