Date: Sun, 12 May 2013 08:11:17 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: security/libgcrypt checksum mismatch
Message-ID: <518F4095.7050509@FreeBSD.org>
In-Reply-To: <20130511221505.54aadc87@gumby.homeunix.com>
References: <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk> <20130511173952.638bbe7b@bsd64.grem.de> <20130511221505.54aadc87@gumby.homeunix.com>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 11/05/2013 22:15, RW wrote:
> FWIW I fetch files like this:
>
>
> for porg in `pkg version -Iol'<' |awk '{ print $1 }'` ; do
> echo "Checking - ${porg}"
> cd /usr/ports/${porg}
> make checksum || (
> export RANDOMIZE_MASTER_SITES=yes
> make distclean
> make checksum
> )
> done
>
> I do it that way because it avoids a lot of problems with rerolled
> files, but it would help with this problem too.

I'm sorry, but this is a really bad idea and an irresponsible thing to
advise anyone else to do. You're throwing away all the security
benefits of using checksums, which are essentially that you can tell if
anyone has tampered with the distfiles you intend to compile.

If you don't understand why that matters, then try reading this:

http://slashdot.org/comments.pl?sid=37188&cid=3991288
http://www.mavetju.org/unix/openssh-trojan.php

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
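As an added illustration of the check Matthew is defending (this is example code, not part of his message nor the ports framework's own `make checksum` implementation), the following re-implements the comparison the ports tree performs against a port's `distinfo` file: it assumes the `SHA256 (file) = hex` and `SIZE (file) = bytes` line format, and the distfile name and contents are constructed samples. A mismatch is reported and left for a human to investigate, rather than discarding the file and refetching until something passes.

```python
import hashlib
import re

# distinfo lines look like "SHA256 (name) = hex" and "SIZE (name) = bytes";
# any other line (e.g. a leading "TIMESTAMP = ...") is ignored.
DISTINFO_RE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {distfile name: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if not m:
            continue
        kind, name, value = m.groups()
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def make_distinfo(name, data):
    """Produce the SHA256 and SIZE lines that would be recorded for data."""
    digest = hashlib.sha256(data).hexdigest()
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (name, digest, name, len(data))


def verify_distfile(distinfo_text, name, data):
    """Return a list of problems; an empty list means the distfile matches."""
    entries = parse_distinfo(distinfo_text)
    if name not in entries:
        return ["no distinfo entry for %s" % name]
    expected, problems = entries[name], []
    if "SIZE" in expected and expected["SIZE"] != len(data):
        problems.append("SIZE mismatch for %s: expected %d, got %d"
                        % (name, expected["SIZE"], len(data)))
    if "SHA256" not in expected:
        problems.append("no SHA256 recorded for %s" % name)
    else:
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected["SHA256"]:
            problems.append("SHA256 mismatch for %s: expected %s, got %s"
                            % (name, expected["SHA256"], actual))
    return problems


if __name__ == "__main__":
    name = "example-1.0.tar.gz"            # constructed sample distfile name
    good = b"constructed distfile contents"  # constructed sample contents
    distinfo = make_distinfo(name, good)
    print("clean:", verify_distfile(distinfo, name, good))
    print("tampered:", verify_distfile(distinfo, name, good + b"\x00"))
```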