Date:      Sun, 12 May 2013 08:23:11 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: security/libgcrypt checksum mismatch
Message-ID:  <518F435F.70508@FreeBSD.org>
In-Reply-To: <518F4095.7050509@FreeBSD.org>
References:  <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk> <20130511173952.638bbe7b@bsd64.grem.de> <20130511221505.54aadc87@gumby.homeunix.com> <518F4095.7050509@FreeBSD.org>


On 12/05/2013 08:11, Matthew Seaman wrote:
> On 11/05/2013 22:15, RW wrote:
>> FWIW I fetch files like this:
>>
>>
>>   for porg in `pkg version -Iol'<' |awk '{ print $1 }'`  ; do
>>       echo "Checking - ${porg}"
>>       cd /usr/ports/${porg}
>>       make checksum || (
>>          export RANDOMIZE_MASTER_SITES=yes
>>          make distclean
>>          make checksum
>>      )
>>   done
>>
>> I do it that way because it avoids a lot of problems with rerolled
>> files, but it would help with this problem too.
>
> I'm sorry, but this is a really bad idea and an irresponsible thing to
> advise anyone else to do.  You're throwing away all the security
> benefits of using checksums, which are essentially that you can tell if
> anyone has tampered with the distfiles you intend to compile.
>
> If you don't understand why that matters, then try reading this:
>
> http://slashdot.org/comments.pl?sid=37188&cid=3991288
> http://www.mavetju.org/unix/openssh-trojan.php

Damn.  I'm sorry.  I misread your code. It's perfectly fine.

I apologise unreservedly for my earlier message.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
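The loop quoted in this message keeps checksum verification in the retry path: a mismatch from one mirror leads to `make distclean`, a refetch with RANDOMIZE_MASTER_SITES set, and a second `make checksum`, never to a build from an unverified file. The script below is an added example, not code from this thread or from the ports framework, that shows the same discipline in self-contained POSIX sh: it reads the expected SHA256 and SIZE for a distfile from a distinfo-style file, verifies a fetched copy, and on mismatch discards it and moves to the next mirror, failing outright if no mirror yields a verified copy. Mirrors are simulated as local directories, copying from them stands in for fetch(1), and the distfile name libfoo-1.0.tar together with the fixture contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the ports tree: fetch a distfile,
# verify it against distinfo, and on mismatch move on to the next mirror
# instead of skipping the check.  Mirrors are local directories here and
# copying from them stands in for fetch(1); all names and data are constructed.

# Pick whichever SHA-256 tool the host has (the ports tree uses sha256(1)).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Read one field (SHA256 or SIZE) for a distfile from a distinfo file, whose
# lines look like:  SHA256 (libfoo-1.0.tar) = <hex>   and   SIZE (libfoo-1.0.tar) = 6
distinfo_field() {   # $1=distinfo path  $2=field  $3=distfile name
    awk -v f="$2" -v n="($3)" '$1 == f && $2 == n { print $4; exit }' "$1"
}

# Return 0 only if both SIZE and SHA256 match the distinfo entry.
verify_distfile() {  # $1=distinfo path  $2=path to fetched file
    df_name=$(basename "$2")
    want_size=$(distinfo_field "$1" SIZE "$df_name")
    want_sum=$(distinfo_field "$1" SHA256 "$df_name")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $df_name" >&2
        return 1
    fi
    have_size=$(wc -c < "$2" | tr -d ' ')
    have_sum=$(file_sha256 "$2")
    if [ "$have_size" = "$want_size" ] && [ "$have_sum" = "$want_sum" ]; then
        return 0
    fi
    return 1
}

# Try each mirror in turn and keep the file only once it verifies.  A bad
# copy is discarded; if no mirror yields a verified file the function fails,
# so nothing unverified is ever left in the distfiles directory.
fetch_verified() {   # $1=distinfo  $2=distfile name  $3=dest dir  $4..=mirror dirs
    fv_distinfo=$1; fv_name=$2; fv_dest=$3; shift 3
    for mirror in "$@"; do
        rm -f "$fv_dest/$fv_name"
        cp "$mirror/$fv_name" "$fv_dest/$fv_name" 2>/dev/null || continue   # stand-in for fetch(1)
        if verify_distfile "$fv_distinfo" "$fv_dest/$fv_name"; then
            echo "verified $fv_name from $mirror"
            return 0
        fi
        echo "checksum mismatch for $fv_name from $mirror, discarding" >&2
        rm -f "$fv_dest/$fv_name"
    done
    return 1
}

# Constructed fixture: mirror-a serves a tampered copy, mirror-b the real
# one; distinfo carries the SHA256 and size of the 6-byte payload "hello\n".
make_fixture() {   # $1=work dir
    mkdir -p "$1/mirror-a" "$1/mirror-b" "$1/distfiles"
    printf 'hello world\n' > "$1/mirror-a/libfoo-1.0.tar"
    printf 'hello\n' > "$1/mirror-b/libfoo-1.0.tar"
    cat > "$1/distinfo" <<'EOF'
SHA256 (libfoo-1.0.tar) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (libfoo-1.0.tar) = 6
EOF
}

# Stand-alone demo: the tampered mirror is rejected, the good one accepted.
run_demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    fetch_verified "$work/distinfo" libfoo-1.0.tar "$work/distfiles" \
        "$work/mirror-a" "$work/mirror-b"
    demo_status=$?
    rm -rf "$work"
    return $demo_status
}

run_demo
```

Run as-is it builds the fixture under mktemp, tries the tampered mirror first and the good one second, and reports which mirror produced a verified copy. The hand-written mirror list here plays the role that RANDOMIZE_MASTER_SITES plays in the quoted loop; what matters in both is that the verification step is never the thing that gets skipped.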

