Date:      Thu, 26 Jan 2006 12:28:22 +1100
From:      Peter Jeremy <PeterJeremy@optushome.com.au>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        cvs-ports@freebsd.org, ports-committers@freebsd.org, cvs-all@freebsd.org, Edwin Groothuis <edwin@freebsd.org>
Subject:   Re: cvs commit: ports/Tools/scripts distinfochecker
Message-ID:  <20060126012822.GM25397@cirb503493.alcatel.com.au>
In-Reply-To: <20060125233838.GA50579@xor.obsecurity.org>
References:  <200601242153.k0OLrpJQ065888@repoman.freebsd.org> <20060125233838.GA50579@xor.obsecurity.org>

On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
>AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
>have different versions of the distfile that are functionally
>identical.  Duplicate SIZE causes errors though (arguably a bug).

Different, but functionally identical, versions of a distfile are
highly likely to also have different sizes.  If you're going to allow
different checksums, you need to allow for different sizes as well.

Doing this without opening potential security holes means changing the
distfiles entries to be tuples of {filename,size,md5,sha-256} (where
anything except the filename is optional).  A downloaded file would
have to completely match one of the tuples for it to be acceptable.

How many cases are there where there are multiple, equivalent,
versions of distfiles on the net?

-- 
Peter Jeremy
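
The matching rule proposed in the message above, as an added example that is not part of the original e-mail or of the FreeBSD ports tools. It compares whole-tuple matching with a looser per-field check; the function names, the distfile name and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

FIELDS = ("size", "md5", "sha256")  # everything except the filename is optional

def describe(filename, data):
    """Attributes of a downloaded file, in the {filename,size,md5,sha256} layout."""
    return {"filename": filename, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def accept_tuple(entries, seen):
    """Accept only if ONE entry matches the filename and every field it lists."""
    return any(e["filename"] == seen["filename"] and
               all(e[f] == seen[f] for f in FIELDS if f in e)
               for e in entries)

def accept_per_field(entries, seen):
    """Looser variant (hypothetical): each field may match a different entry."""
    mine = [e for e in entries if e["filename"] == seen["filename"]]
    return bool(mine) and all(
        any(e[f] == seen[f] for e in mine if f in e) for f in FIELDS)

# Constructed sample data: two byte-different builds of one distfile,
# standing in for functionally identical copies on two mirrors.
NAME = "foo-1.0.tar.gz"  # hypothetical distfile name
BUILD_A = b"foo-1.0 as packed by mirror A\n"
BUILD_B = b"foo-1.0 as repacked by mirror B, same contents\n"

entry_a = describe(NAME, BUILD_A)
entry_b = describe(NAME, BUILD_B)
DISTINFO = [entry_a, entry_b]  # one full tuple per acceptable build

# Constructed attribute set, not a real file: size and MD5 of build A,
# SHA-256 of build B. No listed build has this combination.
MIXED = dict(entry_a, sha256=entry_b["sha256"])

if __name__ == "__main__":
    cases = [("build A", describe(NAME, BUILD_A)),
             ("build B", describe(NAME, BUILD_B)),
             ("modified A", describe(NAME, BUILD_A + b"x")),
             ("mixed attributes", MIXED)]
    for label, seen in cases:
        print(f"{label:17} tuple={accept_tuple(DISTINFO, seen)!s:5} "
              f"per-field={accept_per_field(DISTINFO, seen)}")
```

Both listed builds pass either check, but only the per-field check accepts the mixed attribute set, which is the gap that requiring a complete match against one tuple closes.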


