Date:      Sun, 12 May 2013 08:11:17 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: security/libgcrypt checksum mismatch
Message-ID:  <518F4095.7050509@FreeBSD.org>
In-Reply-To: <20130511221505.54aadc87@gumby.homeunix.com>
References:  <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk> <20130511173952.638bbe7b@bsd64.grem.de> <20130511221505.54aadc87@gumby.homeunix.com>


On 11/05/2013 22:15, RW wrote:
> FWIW I fetch files like this:
> 
> 
>   for porg in `pkg version -Iol'<' |awk '{ print $1 }'`  ; do
>       echo "Checking - ${porg}"
>       cd  /usr/ports/${porg}
>       make checksum || (
>          export RANDOMIZE_MASTER_SITES=yes
>          make distclean
>          make checksum
>      )
>   done
> 
> I do it that way because it avoids a lot of problems with rerolled
> files, but it would help with this problem too.

I'm sorry, but this is a really bad idea and an irresponsible thing to
advise anyone else to do.  You're throwing away all the security
benefits of using checksums, which are essentially that you can tell if
anyone has tampered with the distfiles you intend to compile.

If you don't understand why that matters, then try reading this:

http://slashdot.org/comments.pl?sid=37188&cid=3991288
http://www.mavetju.org/unix/openssh-trojan.php

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
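The check that `make checksum` performs against a port's distinfo file is the whole point of the thread, so here is a stand-alone, fail-closed version of it in POSIX sh. This is an added example, not code from either poster or from the ports framework; it assumes that `sha256sum` (GNU coreutils), `sha256` (FreeBSD) or `openssl` is on PATH, and the sample tarball contents and file names it creates are constructed for the demonstration. The distinfo line format (`SHA256 (name) = hex`, `SIZE (name) = bytes`) is the one the ports tree uses; everything else is assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from bsd.port.mk: a fail-closed
# distfile check modelled on the ports distinfo format.
# Assumes sha256sum (GNU), sha256 (FreeBSD) or openssl is on PATH.

# Print the hex SHA256 digest of the file named in $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    fi
}

# Emit distinfo lines for the file in $1, in the form the ports tree records.
make_distinfo() {
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")"
    printf 'SIZE (%s) = %s\n' "$name" "$(wc -c < "$1" | tr -d ' ')"
}

# verify_distfile DISTINFO DISTFILE
# 0: size and digest match; 1: mismatch; 2: no entry recorded for the file.
# A file that is not recorded is rejected, never accepted by default.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sum=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE"   && $2 == "(" n ")" { print $4 }' "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $name; refusing to use it" >&2
        return 2
    fi
    # Size first: cheap, and a size mismatch already proves this is not the
    # recorded file, so there is no point hashing it.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $name: got $have_size, distinfo says $want_size" >&2
        return 1
    fi
    have_sum=$(sha256_of "$file")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "SHA256 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Round trip in a scratch directory with constructed contents: the recorded
# file passes, a same-length edit fails on the digest, an appended byte fails
# on the size, and a file that was never recorded is rejected outright.
# Returns 0 only if all four outcomes are as expected.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/good" "$dir/edited" "$dir/appended"
    good="$dir/good/sample-1.0.tar.gz"
    printf 'constructed sample tarball contents\n' > "$good"
    make_distinfo "$good" > "$dir/distinfo"
    # Same length as the good file, one character changed.
    printf 'constructed sample tarba1l contents\n' > "$dir/edited/sample-1.0.tar.gz"
    cp "$good" "$dir/appended/sample-1.0.tar.gz"
    printf 'x' >> "$dir/appended/sample-1.0.tar.gz"
    rc_good=0; verify_distfile "$dir/distinfo" "$good" || rc_good=$?
    rc_edit=0; verify_distfile "$dir/distinfo" "$dir/edited/sample-1.0.tar.gz" 2>/dev/null || rc_edit=$?
    rc_app=0; verify_distfile "$dir/distinfo" "$dir/appended/sample-1.0.tar.gz" 2>/dev/null || rc_app=$?
    rc_unk=0; verify_distfile "$dir/distinfo" "$dir/other-2.0.tar.gz" 2>/dev/null || rc_unk=$?
    rm -rf "$dir"
    echo "good=$rc_good edited=$rc_edit appended=$rc_app unrecorded=$rc_unk"
    [ "$rc_good" = 0 ] && [ "$rc_edit" = 1 ] && [ "$rc_app" = 1 ] && [ "$rc_unk" = 2 ]
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh verify-distfile.sh --demo` to see the four outcomes. The design point is that every path other than "both values present and both match" returns non-zero: a retry loop built on top of this can re-fetch from another mirror, but it can never turn a mismatch into a pass.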