Request to review: print/texlive-install
Stephen Montgomery-Smith
stephen at missouri.edu
Mon May 28 17:06:48 UTC 2012
On 05/28/2012 11:29 AM, Jason Helfman wrote:
>> On 05/27/2012 09:19 PM, Eitan Adler wrote:
>>> On 27 May 2012 18:14, Stephen Montgomery-Smith <stephen at missouri.edu>
>>> wrote:
>>>> There are a number of issues. In particular there is no checksum
>>>> calculated
>>>> for install-tl-unx.tar.gz because I suspect that it changes very often.
>>>
>>> This is a security risk and must not be committed as is.
>>
>> How about if I add lines like this:
>>
>> .if !defined(IGNORE_SECURITY_RISK)
>> IGNORE= has a security risk because it downloads a file \
>> without a checksum. Define IGNORE_SECURITY_RISK to build this port
>> .endif
>>
>> Would it be considered OK to commit it then?
>
> Does the code look for a particular location for this file to exist before
> attempting to download it? If not, can it be patched, to do so?
>
> If so, it can be added as a distfile, and put into a location where the
> build will find it.
Yes, I can do this. But the file changes often, so one would have to
update distinfo in the ports very often to keep up.
> If this can be done, there wouldn't be a security risk, assuming no other
> files are downloaded post-fetch.
And the install script downloads everything during the "do-install" phase.
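The check the thread says the port is missing, written out as an added example (this is not code from the thread, the port, or the ports framework): a POSIX sh function that refuses to use a fetched distfile unless its SHA-256 digest and size match a distinfo-style record. It assumes either GNU `sha256sum` or BSD `sha256` is on the path, and the file name `install-tl-unx.tar.gz` and the distinfo contents in the demo are constructed sample data, not the real file or its real digest.

```shell
#!/bin/sh
# Added example, not from the thread: verify a fetched distfile against a
# distinfo-style record (SHA256 and SIZE lines) before it is used.

# Portable SHA-256 hex digest: GNU coreutils sha256sum or BSD sha256.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_distfile DISTINFO FILE
# DISTINFO holds lines in the ports distinfo format:
#   SHA256 (name) = <hex digest>
#   SIZE (name) = <bytes>
# Returns 0 only when both the size and the digest match the record;
# any missing entry or mismatch returns 1, so a caller can stop the build.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $name" >&2
        return 1
    fi
    # Size check first: cheap, and catches truncated downloads early.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $name: have $have_size, want $want_size" >&2
        return 1
    fi
    have_sum=$(sha256_of "$file")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Demo on constructed data (a fake tarball and a matching distinfo record).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/install-tl-unx.tar.gz"
    sum=$(sha256_of "$tmp/install-tl-unx.tar.gz")
    printf 'SHA256 (install-tl-unx.tar.gz) = %s\nSIZE (install-tl-unx.tar.gz) = 6\n' \
        "$sum" > "$tmp/distinfo"
    if verify_distfile "$tmp/distinfo" "$tmp/install-tl-unx.tar.gz"; then
        echo "distfile verified"
    fi
    # Tamper with the file: same size, different content -> rejected.
    printf 'hellp\n' > "$tmp/install-tl-unx.tar.gz"
    if ! verify_distfile "$tmp/distinfo" "$tmp/install-tl-unx.tar.gz"; then
        echo "tampered distfile rejected"
    fi
    rm -rf "$tmp"
}

demo
```

Hooking a check like this in at the point where the port would otherwise fetch the file gives the same guarantee the thread asks for from a normal distfile: the build only proceeds on bytes whose digest the port maintainer recorded, so a changed upstream file fails loudly instead of being run.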