From owner-cvs-ports@FreeBSD.ORG  Thu Jan 26 01:28:26 2006
Return-Path: <owner-cvs-ports@FreeBSD.ORG>
X-Original-To: cvs-ports@freebsd.org
Delivered-To: cvs-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4C63416A420;
	Thu, 26 Jan 2006 01:28:26 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from mail05.syd.optusnet.com.au (mail05.syd.optusnet.com.au
	[211.29.132.186])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9392743D45;
	Thu, 26 Jan 2006 01:28:25 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236])
	by mail05.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id
	k0Q1SMJu012374
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Thu, 26 Jan 2006 12:28:23 +1100
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])
	by cirb503493.alcatel.com.au (8.12.10/8.12.10) with ESMTP id
	k0Q1SMHh041266; Thu, 26 Jan 2006 12:28:22 +1100 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)
	by cirb503493.alcatel.com.au (8.12.10/8.12.9/Submit) id k0Q1SMiO041265; 
	Thu, 26 Jan 2006 12:28:22 +1100 (EST) (envelope-from pjeremy)
Date: Thu, 26 Jan 2006 12:28:22 +1100
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Kris Kennaway <kris@obsecurity.org>
Message-ID: <20060126012822.GM25397@cirb503493.alcatel.com.au>
References: <200601242153.k0OLrpJQ065888@repoman.freebsd.org>
	<20060125233838.GA50579@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060125233838.GA50579@xor.obsecurity.org>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
User-Agent: Mutt/1.5.11
Cc: cvs-ports@freebsd.org, ports-committers@freebsd.org, cvs-all@freebsd.org,
	Edwin Groothuis <edwin@freebsd.org>
Subject: Re: cvs commit: ports/Tools/scripts distinfochecker
X-BeenThere: cvs-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the ports tree <cvs-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-ports>
List-Post: <mailto:cvs-ports@freebsd.org>
List-Help: <mailto:cvs-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2006 01:28:26 -0000

On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
>AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
>have different versions of the distfile that are functionally
>identical.  Duplicate SIZE causes errors though (arguably a bug).

Different, but functionally identical, versions of a distfile are
highly likely to also have different sizes.  If you're going to allow
different checksums, you need to allow for different sizes as well.

Doing this without opening potential security holes means changing the
distfiles entries to be tuples of {filename,size,md5,shd-256} (where
anything except the filename is optional).  A downloaded file would
have to completely match one of the tuples for it to be acceptable.

How many cases are there where there are multiple, equivalent,
versions of distfiles on the net?

-- 
Peter Jeremy