Date:      Fri, 12 Apr 2013 07:49:20 -0400
From:      Lowell Gilbert <freebsd-ports-local@be-well.ilk.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: FTP packages missing CHECKSUM.MD5
Message-ID:  <44ehegarzz.fsf@lowell-desk.lan>
In-Reply-To: <CAD2Ti28GKA1QGOyGwdz5OxJCG1zC8w4=WzOL1cp%2Bqbr7YjxkUQ@mail.gmail.com> (grarpamp@gmail.com's message of "Thu, 11 Apr 2013 14:15:50 -0400")
References:  <CAD2Ti28GKA1QGOyGwdz5OxJCG1zC8w4=WzOL1cp%2Bqbr7YjxkUQ@mail.gmail.com>

grarpamp <grarpamp@gmail.com> writes:

> Noticed that at least ports/i386/packages-9-stable is missing
> its CHECKSUM.MD5 file.
>
> Of course people shouldn't use it for what they think it's for,
> because it's not signed and uses a broken hash function.
> Hopefully that will be updated to signed sha1/256/3 before long.

It was intended as a defense against accidental file corruption, not
malicious file corruption. For a variety of reasons, this is much less
of a problem than it used to be, but I wouldn't assume that it's
irrelevant to everyone.

Secure checksums for protection against malicious modifications are a
different problem, and should be handled with more-automatic means, much
as portsnap does.

> However it does make for a good 'TIMESTAMP' file to detect when
> new packages appear. Ftp's internal or external 'ls -tT' can't be counted
> on for this across mirrors because such options to ls are mirror dependent.
> And there's no simple way to locally sort the ftp list output by date
> without rigging in perl, etc. And an overwrite of the same file may not
> stamp the parent directory, which also doesn't appear reliably '.' while
> in the current directory.
>
> In short, I'd suggest making a formal TIMESTAMP file for when package
> updates are pushed out so people can key off that instead.

Pretty easy and cheap. Makes sense as well.
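As an added example, not code from either poster or from FreeBSD: a small verifier for a CHECKSUM.MD5 file, assumed here to use the BSD `md5` output layout (`MD5 (file) = hexdigest`), run over constructed package contents. It reports ok/mismatch/missing per package; as the reply above notes, a mismatch only flags that the bytes differ from the listed digest (accidental corruption) and nothing here authenticates the list itself.

```python
import hashlib
import re

# Constructed sample in the BSD md5 layout assumed for CHECKSUM.MD5
# (one "MD5 (name) = hexdigest" line per package).
SAMPLE_CHECKSUM_MD5 = """\
MD5 (pkg-a-1.0.tbz) = 5d41402abc4b2a76b9719d911017c592
MD5 (pkg-b-2.3.tbz) = 7d793037a0760186574b0282f2f435e7
MD5 (pkg-c-0.1.tbz) = d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed package contents standing in for files fetched from a mirror.
SAMPLE_FILES = {
    "pkg-a-1.0.tbz": b"hello",   # digest matches the list
    "pkg-b-2.3.tbz": b"wrold",   # transposed bytes: accidental corruption
    # pkg-c-0.1.tbz is listed but was never downloaded
}

LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_checksum_md5(text):
    """Return {filename: expected_hex_digest} from CHECKSUM.MD5 content.
    Lines that do not match the layout are skipped rather than guessed at."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def verify_packages(checksum_text, files):
    """Compare each listed package's MD5 with its expected digest.
    Returns {filename: "ok" | "mismatch" | "missing"}.  A mismatch means the
    bytes differ from what was listed (corruption in transit or on disk);
    the list itself is unsigned, so "ok" says nothing about tampering."""
    results = {}
    for name, digest in parse_checksum_md5(checksum_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif hashlib.md5(data).hexdigest() == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results
```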
