Date: Sun, 12 May 2013 08:23:11 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: security/libgcrypt checksum mismatch
Message-ID: <518F435F.70508@FreeBSD.org>
In-Reply-To: <518F4095.7050509@FreeBSD.org>
References: <201305111044.r4BAiMuH059762@mech-cluster241.men.bris.ac.uk> <20130511110107.GB94348@titania.njm.me.uk> <518E2913.5040402@hayers.org> <20130511115228.GC94348@titania.njm.me.uk> <20130511135946.GE94348@titania.njm.me.uk> <20130511173952.638bbe7b@bsd64.grem.de> <20130511221505.54aadc87@gumby.homeunix.com> <518F4095.7050509@FreeBSD.org>

On 12/05/2013 08:11, Matthew Seaman wrote:
> On 11/05/2013 22:15, RW wrote:
>> FWIW I fetch files like this:
>>
>>
>> for porg in `pkg version -Iol'<' |awk '{ print $1 }'` ; do
>>    echo "Checking - ${porg}"
>>    cd /usr/ports/${porg}
>>    make checksum || (
>>       export RANDOMIZE_MASTER_SITES=yes
>>       make distclean
>>       make checksum
>>    )
>> done
>>
>> I do it that way because it avoids a lot of problems with rerolled
>> files, but it would help with this problem too.
>
> I'm sorry, but this is a really bad idea and an irresponsible thing to
> advise anyone else to do. You're throwing away all the security
> benefits of using checksums, which are essentially that you can tell if
> anyone has tampered with the distfiles you intend to compile.
>
> If you don't understand why that matters, then try reading this:
>
> http://slashdot.org/comments.pl?sid=37188&cid=3991288
> http://www.mavetju.org/unix/openssh-trojan.php

Damn. I'm sorry. I misread your code. It's perfectly fine. I
apologise unreservedly for my earlier message.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
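
The quoted loop re-runs `make checksum` after `make distclean`, so a retry from another master site is still checked against the pinned checksum. The same pattern as an added example (not code from this thread): mirrors are local files so it runs offline, and `sha256_of`, `fetch_verified` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: retry other mirrors on a checksum mismatch, but only
# ever accept a file whose SHA-256 equals the pinned value.

# Portable SHA-256 of a file (sha256sum on Linux, sha256 on FreeBSD, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# fetch_verified EXPECTED_SHA256 DEST MIRROR...
# Assumption: mirrors are local file paths; a real fetch would download each
# URL instead of using cp.
fetch_verified() {
    expected=$1; dest=$2; shift 2
    for mirror in "$@"; do
        rm -f "$dest"                      # like "make distclean": drop the bad copy
        cp "$mirror" "$dest" 2>/dev/null || continue
        if [ "$(sha256_of "$dest")" = "$expected" ]; then
            echo "OK from $mirror"
            return 0
        fi
        echo "checksum mismatch from $mirror, trying next" >&2
    done
    rm -f "$dest"                          # never leave an unverified file behind
    return 1
}

# Constructed sample data: one good mirror, one modified copy, one rerolled copy.
demo_dir=$(mktemp -d)
printf 'libexample-1.0 source\n' > "$demo_dir/good"
printf 'libexample-1.0 source, modified\n' > "$demo_dir/tampered"
printf 'libexample-1.0 rerolled\n' > "$demo_dir/stale"
pinned=$(sha256_of "$demo_dir/good")       # stands in for the distinfo entry
```

The retry changes only where the bytes come from; if no mirror yields a matching file, the function fails and leaves nothing on disk.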