Date: Tue, 17 Feb 2004 15:10:07 -0500
From: Jason Harris <jharris@widomaker.com>
To: Michael Nottebrock <michaelnottebrock@gmx.net>
Cc: freebsd-security@FreeBSD.org
Subject: Re: cvs commit: ports/devel/tmake Makefile distinfo
Message-ID: <20040217201007.GK360@pm1.ric-05.lft.widomaker.com>
In-Reply-To: <200402171420.47274.michaelnottebrock@gmx.net>
References: <200402091336.i19Da8nQ019809@repoman.freebsd.org> <200402171404.30701.michaelnottebrock@gmx.net> <xzpr7wtn98t.fsf@dwp.des.no> <200402171420.47274.michaelnottebrock@gmx.net>

On Tue, Feb 17, 2004 at 02:20:46PM +0100, Michael Nottebrock wrote:

[distfile rerolls]

> I didn't know that I was supposed to perform a security audit and I did not do
> so. So if anyone happens to have the old distfile still around, please send
> it my way, cause I don't. I suggest next time instead of marking a port as
> BROKEN= Checksum mismatch, mark it as BROKEN= Needs security audit so I won't
> be tempted to fix it.

Distfile caches are great for this sort of thing. While updating a
checksum for a distfile wipes out many pre-reroll copies on many FreeBSD
mirrors, there are often copies available on FreeBSD machines that haven't
built the port since the checksum was updated or NetBSD and/or OpenBSD
distfile caches and sometimes even Linux distfile caches, particularly
Gentoo.

I use alltheweb.com, filesearching.com, filewatcher.com (which have FTP
search engines), Google Groups, and Google to search for the MD5 hashes
and the names of distfiles I want to track down. filesearching.com can
display file sizes in bytes and filewatcher.com embeds the byte counts in
some URLs it generates, making it easy to discern which distfiles are
(hopefully) identical.

For tmake-1.7.tar.gz, filesearching.com currently reports 30 FTP sites
which have copies of 46518 bytes in length, for example. At least a few
of these sites should still have the pre-reroll distfile.

Beyond that, I've used pavuk running multiple simultaneous connections
and fetch with -S to scour the 100+ distfile caches from the FTP mirror
sites listed in the FreeBSD Handbook.

-- 
Jason Harris          |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com |  web:  http://keyserver.kjsl.com/~jharris/
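
Added example, not part of the original message or of the FreeBSD ports tools: once copies have been fetched from several caches, this groups them by byte count and MD5 and labels each group against the pre-reroll and current distinfo entries. It assumes distinfo lines of the form `MD5 (file) = hash` and `SIZE (file) = bytes`; the mirror names and tarball contents are constructed stand-ins.

```python
import hashlib
import re
from collections import defaultdict

# BSD-style checksum lines (assumed distinfo format for this example).
LINE_RE = re.compile(r"^(MD5|SIZE) \(([^)]+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {distfile: {"MD5": hexdigest, "SIZE": int}}."""
    info = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            info[name][kind] = int(value) if kind == "SIZE" else value.lower()
    return dict(info)

def fingerprint(data):
    # MD5 is used only because it is what the historical distinfo recorded.
    return len(data), hashlib.md5(data, usedforsecurity=False).hexdigest()

def classify(copies, name, old_info, new_info):
    """Group fetched copies by (size, md5) and label each group."""
    groups = defaultdict(list)
    for mirror, data in copies.items():
        groups[fingerprint(data)].append(mirror)
    known = {old_info[name]["MD5"]: "pre-reroll",
             new_info[name]["MD5"]: "post-reroll"}
    return {fp: (known.get(fp[1], "unknown"), sorted(m))
            for fp, m in groups.items()}

def distinfo_for(name, data):
    size, md5 = fingerprint(data)
    return f"MD5 ({name}) = {md5}\nSIZE ({name}) = {size}\n"

# Constructed sample data: short byte strings stand in for tarballs.
NAME = "tmake-1.7.tar.gz"
OLD, NEW = b"original release bytes..", b"rerolled release bytes, repacked"
SAME_SIZE_OTHER = b"modified release bytes.."  # same length as OLD, other content
COPIES = {"mirror-a.example": OLD, "mirror-b.example": NEW,
          "mirror-c.example": OLD, "mirror-d.example": SAME_SIZE_OTHER}

def run():
    old_info = parse_distinfo(distinfo_for(NAME, OLD))  # entry before the reroll
    new_info = parse_distinfo(distinfo_for(NAME, NEW))  # entry after the reroll
    return classify(COPIES, NAME, old_info, new_info)

if __name__ == "__main__":
    for (size, md5), (label, mirrors) in sorted(run().items()):
        print(f"{size:>8} {md5} {label:<11} {', '.join(mirrors)}")
```

The copy on mirror-d.example has the same byte count as the pre-reroll file but a different hash, so it is reported as unknown: a matching size narrows the search, and only the hash confirms the copy.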