Date:      Sat, 11 May 2013 17:39:52 +0200
From:      Michael Gmelin <freebsd@grem.de>
To:        freebsd-ports@freebsd.org
Cc:        "N.J. Mann" <njm@njm.me.uk>
Subject:   Re: security/libgcrypt checksum mismatch
Message-ID:  <20130511173952.638bbe7b@bsd64.grem.de>
In-Reply-To: <20130511135946.GE94348@titania.njm.me.uk>
References:  <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk>

On Sat, 11 May 2013 14:59:46 +0100
"N.J. Mann" <njm@njm.me.uk> wrote:

> In message <20130511115228.GC94348@titania.njm.me.uk>,
> 	N.J. Mann (njm@njm.me.uk) wrote:
> > In message <518E2913.5040402@hayers.org>,
> > 	Gary J. Hayers (gary@hayers.org) wrote:
> > > I've been getting this with varying ports for some time now,
> > > sometimes I've had to manually fetch the distfiles.
> > 
> > I am sorry to hear this, but glad I am not the only one.  :-)
> > 
> > The files I have had to manually fetch are:
> > 
> > libgcrypt-1.5.2.tar.bz2
> > libassuan-2.0.3.tar.bz2
> > libassuan-2.0.3.tar.bz2.sig
> > libksba-1.3.0.tar.bz2
> > libksba-1.3.0.tar.bz2.sig
> > gnupg-2.0.19.tar.bz2
> > gnupg-2.0.19.tar.bz2.sig
> > gnupg-2.0.20.tar.bz2
> > gnupg-2.0.20.tar.bz2.sig
> 
> I now know why I get HTML files when trying to fetch these distfiles.
> The common factor is that they all use HTTP rather than FTP for fetching.
> For HTTP fetches my ISP (British Telecom, aka BT) will display a
> "helpful" 'sorry no one at home' web page when the fetch fails, and
> that is what I end up with in the distfile.  Thankfully, this 'nice'
> feature can be disabled.  Once disabled 'make fetch' does its job of
> trying the next site after the failure and the proper file(s) are
> downloaded.
> 
> I do not know whether other ISPs do something similar, does anyone?  I
> wonder whether FTP sites should be listed before HTTP ones?
> 
> 
> Cheers,
>        Nick.

Hi Nick,

Besides the fact that ISPs really shouldn't interfere with your HTTP
traffic in that way (terrible!), preferring FTP sounds like a bad idea,
since it's a much more complicated protocol and therefore more
likely to fail in limited network setups. There are a couple of
possible solutions, some more useful than others.

1. Avoid ISPs that break your traffic.
   Caveat: Sometimes you have no choice.
2. Use HTTPS whenever possible, so that certificate checking can take
   place and stop you from downloading broken files in the first place.
   (there's a patch to fetch I'm working on with des that will
   hopefully make it to base soon).
   Caveat: Not every project provides an SSL enabled source, lots of
   ports need to be adapted, never near 100%.
3. Modify the ports framework, so you can set an environment/config
   variable like PREFER_HTTP or PREFER_FTP.
   Caveat: It's work and not *that* useful.
4. Modify the ports framework, so it tries the next download location
   in case there is a file size or checksum mismatch.
   Caveat: Requires effort.

IMHO implementing 4 would make a lot of sense to compensate for broken
mirrors.

In the meantime, as a workaround, you could set

HTTP_PROXY=127.0.0.1:12000

(or any other unused port on your system)

That way fetch fails on all HTTP sites and therefore effectively
uses FTP instead.

Cheers,
Michael



-- 
Michael Gmelin
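
Option 4 from the message above (try the next download location on a file size or checksum mismatch), sketched as an added example; it is not code from the ports framework or from anyone in this thread. The function names, the mirror hostnames and the sample payloads are hypothetical and constructed, and the fetcher is injectable so the sketch runs offline.

```python
import hashlib
import urllib.request

def fetch_url(url, timeout=30):
    """Default fetcher: return the response body as bytes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def fetch_verified(sites, name, want_size, want_sha256, fetcher=fetch_url):
    """Try sites in order. Return (site, data, rejected) for the first body
    matching the recorded size and SHA256; rejected lists skipped sites."""
    rejected = []
    for site in sites:
        try:
            data = fetcher(site + name)
        except OSError as exc:  # URLError and socket errors derive from OSError
            rejected.append((site, f"fetch failed: {exc}"))
            continue
        if len(data) != want_size:  # cheap check, catches most error pages
            rejected.append((site, f"size {len(data)} != {want_size}"))
            continue
        if hashlib.sha256(data).hexdigest() != want_sha256:
            rejected.append((site, "SHA256 mismatch"))
            continue
        return site, data, rejected
    raise RuntimeError(f"no site served a valid {name}: {rejected}")

# Constructed sample data: stand-ins for a distfile and an ISP error page.
GOOD = b"constructed stand-in for a distfile tarball\n"
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()  # what a distinfo would record
ERROR_PAGE = b"<html><body>Sorry, we could not find that site</body></html>\n"
SAME_SIZE_BAD = b"X" + GOOD[1:]  # right length, wrong content
MIRRORS = {  # hypothetical mirrors, tried in this order
    "http://mirror-a.example/": ERROR_PAGE,
    "http://mirror-b.example/": SAME_SIZE_BAD,
    "ftp://mirror-c.example/": GOOD,
}

def fake_fetcher(url):
    """Offline stand-in for fetch_url, serving the constructed MIRRORS."""
    site = url.rsplit("/", 1)[0] + "/"
    if site not in MIRRORS:
        raise OSError("unreachable")
    return MIRRORS[site]

if __name__ == "__main__":
    site, data, rejected = fetch_verified(
        list(MIRRORS), "example-1.0.tar.bz2", len(GOOD), GOOD_SHA256, fake_fetcher)
    print("accepted from", site, "after rejecting", rejected)
```

The HTML error page is rejected on size alone, the same-length corrupt body is caught only by the hash, and nothing is accepted unless both checks pass.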


