Date:      Sat, 14 Aug 2010 23:13:35 GMT
From:      Rene Ladan <rene@FreeBSD.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/149657: [bsd.port.mk] deprecate MD5 checksums in distinfo
Message-ID:  <201008142313.o7ENDZJJ036003@www.freebsd.org>
Resent-Message-ID: <201008142320.o7ENK1AW082018@freefall.freebsd.org>


>Number:         149657
>Category:       ports
>Synopsis:       [bsd.port.mk] deprecate MD5 checksums in distinfo
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 14 23:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Rene Ladan
>Release:        9.0-CURRENT amd64 r211219
>Organization:
>Environment:
>Description:
Last week the possible removal of MD5 checksums from distinfo in favor of SHA256 checksums was discussed on #bsdports. dougb@ has already spotted some ports without a SHA256 checksum and reported them. The consensus was that SHA256 is a stronger algorithm than MD5, making the latter redundant. so@ and/or ports-security@ might also be interested in this change request.

This patch to bsd.port.mk signals if a distinfo file contains MD5 lines and gives a non-fatal notice about it. It removes md5 from CHECKSUM_ALGORITHMS, so no new MD5 checksums are being generated, nor are they checked. While here, rename MD5_FILE to DISTINFO_FILE.

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: bsd.port.mk
===================================================================
RCS file: /home/pcvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.643
diff -u -r1.643 bsd.port.mk
--- bsd.port.mk	15 Jul 2010 14:48:50 -0000	1.643
+++ bsd.port.mk	14 Aug 2010 22:55:31 -0000
@@ -1130,7 +1130,7 @@
 #				- Different checksum algorithms to check for verifying the
 #				  integrity of the distfiles. The absence of the algorithm
 #				  in distinfo doesn't make it fail.
-#				  Default: md5 sha256
+#				  Default: sha256 (md5 is deprecated, allowed but unused)
 # NO_CHECKSUM	- Don't verify the checksum.  Typically used when
 #				  when you noticed the distfile you just fetched has
 #				  a different checksum and you intend to verify if
@@ -2261,9 +2261,9 @@
 # Use this as the first operand to always build dependency.
 NONEXISTENT?=	/nonexistent
 
-CHECKSUM_ALGORITHMS?= md5 sha256
+CHECKSUM_ALGORITHMS?= sha256
 
-MD5_FILE?=		${MASTERDIR}/distinfo
+DISTINFO_FILE?=		${MASTERDIR}/distinfo
 
 MAKE_FLAGS?=	-f
 MAKEFILE?=		Makefile
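Review bot: Renaming MD5_FILE to DISTINFO_FILE with no alias drops the old name outright, so a port Makefile or external tool that still sets or queries MD5_FILE (for example via `make -V MD5_FILE`) gets an empty value with no error. A transition alias keeps both spellings working until callers have moved: `MD5_FILE?=		${DISTINFO_FILE}	# deprecated alias, use DISTINFO_FILE` placed directly under the new definition. Since CHECKSUM_ALGORITHMS keeps its `?=` assignment, md5 stays re-enableable per port or per site, which is consistent with the "allowed but unused" wording in the first hunk and is worth a one-line comment above the assignment so the choice is visible to readers of this file rather than only of the documentation block.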
@@ -3517,10 +3517,10 @@
 	fi
 .endif
 
-# set alg to any of SIZE, MD5, SHA256 (or any other checksum algorithm):
-DISTINFO_DATA?=	if [ \( -n "${DISABLE_SIZE}" -a -n "${NO_CHECKSUM}" \) -o ! -f "${MD5_FILE}" ]; then exit; fi; \
+# set alg to any of SIZE, SHA256 (or any other checksum algorithm):
+DISTINFO_DATA?=	if [ \( -n "${DISABLE_SIZE}" -a -n "${NO_CHECKSUM}" \) -o ! -f "${DISTINFO_FILE}" ]; then exit; fi; \
 	DIR=${DIST_SUBDIR}; ${AWK} -v alg=$$alg -v file=$${DIR:+$$DIR/}$${file}	\
-		'$$1 == alg && $$2 == "(" file ")" {print $$4}' ${MD5_FILE}
+		'$$1 == alg && $$2 == "(" file ")" {print $$4}' ${DISTINFO_FILE}
 
 # Fetch
 
@@ -3551,11 +3551,11 @@
 				${ECHO_MSG} "=> Please correct this problem and try again."; \
 				exit 1; \
 			fi; \
-			if [ -f ${MD5_FILE} -a "x${NO_CHECKSUM}" = "x" ]; then \
-				_md5sum=`alg=MD5; ${DISTINFO_DATA}`; \
-				if [ -z "$$_md5sum" ]; then \
-					${ECHO_MSG} "=> $${DIR:+$$DIR/}$$file is not in ${MD5_FILE}."; \
-					${ECHO_MSG} "=> Either ${MD5_FILE} is out of date, or"; \
+			if [ -f ${DISTINFO_FILE} -a "x${NO_CHECKSUM}" = "x" ]; then \
+				_sha256sum=`alg=SHA256; ${DISTINFO_DATA}`; \
+				if [ -z "$$_sha256sum" ]; then \
+					${ECHO_MSG} "=> $${DIR:+$$DIR/}$$file is not in ${DISTINFO_FILE}."; \
+					${ECHO_MSG} "=> Either ${DISTINFO_FILE} is out of date, or"; \
 					${ECHO_MSG} "=> $${DIR:+$$DIR/}$$file is spelled incorrectly."; \
 					exit 1; \
 				fi; \
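Review bot: The presence probe on the new line `_sha256sum=\`alg=SHA256; ${DISTINFO_DATA}\`` hard-codes one algorithm while CHECKSUM_ALGORITHMS is user-overridable (`?=` in the earlier hunk), so, if I read DISTINFO_DATA correctly, a site that sets CHECKSUM_ALGORITHMS to a list without sha256 would see every distfile reported as not in distinfo even though lines for its configured algorithm are present. Deriving the probe algorithm from the configured list instead, for instance taking the first word of `${CHECKSUM_ALGORITHMS:U}` with `${AWK} '{print $$1}'`, keeps this check in step with the checksum target. The enclosing fetch recipe starts and ends outside the hunk.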
@@ -4769,7 +4769,7 @@
 			fi ; \
 			for site in `eval $$SORTED_MASTER_SITES_CMD_TMP ${_RANDOMIZE_SITES}`; do \
 				DIR=${DIST_SUBDIR}; \
-				CKSIZE=`${GREP} "^SIZE ($${DIR:+$$DIR/}$$file)" ${MD5_FILE} | ${AWK} '{print $$4}'`; \
+				CKSIZE=`${GREP} "^SIZE ($${DIR:+$$DIR/}$$file)" ${DISTINFO_FILE} | ${AWK} '{print $$4}'`; \
 				case $${file} in \
 				*/*)	args="-o $${file} $${site}$${file}";; \
 				*)		args=$${site}$${file};; \
@@ -4800,7 +4800,7 @@
 			fi ; \
 			for site in `eval $$SORTED_PATCH_SITES_CMD_TMP ${_RANDOMIZE_SITES}`; do \
 				DIR=${DIST_SUBDIR}; \
-				CKSIZE=`${GREP} "^SIZE ($${DIR:+$$DIR/}$$file)" ${MD5_FILE} | ${AWK} '{print $$4}'`; \
+				CKSIZE=`${GREP} "^SIZE ($${DIR:+$$DIR/}$$file)" ${DISTINFO_FILE} | ${AWK} '{print $$4}'`; \
 				case $${file} in \
 				*/*)	args="-o $${file} $${site}$${file}";; \
 				*)		args=$${site}$${file};; \
@@ -4858,7 +4858,7 @@
 makesum: check-checksum-algorithms
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} fetch NO_CHECKSUM=yes \
 		DISABLE_SIZE=yes
-	@if [ -f ${MD5_FILE} ]; then ${CAT} /dev/null > ${MD5_FILE}; fi
+	@if [ -f ${DISTINFO_FILE} ]; then ${CAT} /dev/null > ${DISTINFO_FILE}; fi
 	@( \
 		cd ${DISTDIR}; \
 		\
@@ -4869,17 +4869,17 @@
 				eval alg_executable=\$$$$alg; \
 				\
 				if [ $$alg_executable != "NO" ]; then \
-					$$alg_executable $$file >> ${MD5_FILE}; \
+					$$alg_executable $$file >> ${DISTINFO_FILE}; \
 				fi; \
 			done; \
 			if [ -z "${NO_SIZE}" ]; then \
-				${ECHO_CMD} "SIZE ($$file) = "`${LS} -ALln $$file | ${AWK} '{print $$5}'` >> ${MD5_FILE}; \
+				${ECHO_CMD} "SIZE ($$file) = "`${LS} -ALln $$file | ${AWK} '{print $$5}'` >> ${DISTINFO_FILE}; \
 			fi; \
 		done \
 	)
 	@for file in ${_IGNOREFILES}; do \
 		for alg in ${CHECKSUM_ALGORITHMS:U}; do \
-			${ECHO_CMD} "$$alg ($$file) = IGNORE" >> ${MD5_FILE}; \
+			${ECHO_CMD} "$$alg ($$file) = IGNORE" >> ${DISTINFO_FILE}; \
 		done; \
 	done
 .endif
@@ -4887,11 +4887,14 @@
 .if !target(checksum)
 checksum: fetch check-checksum-algorithms
 	@${checksum_init} \
-	if [ -f ${MD5_FILE} ]; then \
+	if [ -f ${DISTINFO_FILE} ]; then \
 		cd ${DISTDIR}; OK="";\
 		for file in ${_CKSUMFILES}; do \
 			ignored="true"; \
 			_file=$${file#${DIST_SUBDIR}/*};	\
+			if ${GREP} MD5 ${DISTINFO_FILE} > /dev/null; then \
+				${ECHO_MSG} "=> Deprecated MD5 checksum found in ${DISTINFO_FILE}."; \
+			fi; \
 			for alg in ${CHECKSUM_ALGORITHMS:U}; do \
 				ignore="false"; \
 				eval alg_executable=\$$$$alg; \
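Review bot: The new MD5 probe at the three added lines sits inside `for file in ${_CKSUMFILES}`, so the deprecation notice is printed once per distfile rather than once per distinfo, and the unanchored pattern `MD5` also matches any distfile name that happens to contain that string. Hoist the check above the loop and anchor it on the algorithm column: `if ${GREP} -q "^MD5 " ${DISTINFO_FILE}; then`. Separately, the notice is non-fatal and, per the first hunk's documentation that a missing algorithm line does not make checksum fail, a distinfo that carries only MD5 lines would now pass this target with no checksum verified at all; if that reading is right, the MD5-only case deserves a hard error here (`exit 1` after the message) so the ports already reported by dougb@ cannot slip through unverified. The checksum target continues outside the hunk.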
@@ -4991,7 +4994,7 @@
 		\
 		if [ "$$OK" != "true" -a ${FETCH_REGET} -eq 0 ]; then \
 			${ECHO_MSG} "===>  Giving up on fetching files: $$refetchlist"; \
-			${ECHO_MSG} "Make sure the Makefile and distinfo file (${MD5_FILE})"; \
+			${ECHO_MSG} "Make sure the Makefile and distinfo file (${DISTINFO_FILE})"; \
 			${ECHO_MSG} "are up to date.  If you are absolutely sure you want to override this"; \
 			${ECHO_MSG} "check, type \"make NO_CHECKSUM=yes [other args]\"."; \
 			exit 1; \
@@ -5000,7 +5003,7 @@
 			exit 1; \
 		fi; \
 	elif [ -n "${_CKSUMFILES:M*}" ]; then \
-		${ECHO_MSG} "=> No checksum file (${MD5_FILE})."; \
+		${ECHO_MSG} "=> No checksum file (${DISTINFO_FILE})."; \
 	fi
 .endif
 


>Release-Note:
>Audit-Trail:
>Unformatted:


