do-fetch.mk never actually verifies the sha256 checksum
Date: Fri, 16 May 2025 14:17:32 UTC
For each distribution file listed in a port's distinfo file, the file's size and SHA256 hash are provided. However, after a distribution file candidate is downloaded, only the file's size is verified to match the requirements. The downloaded file is never hashed to verify it matches the required checksum.

Basic logic per file:

1. Verify an SHA256 line for the file is present in the distinfo file.
2. Attempt the fetch, requiring the file size listed in distinfo (the size requirement may be ignored).
3. Upon successful download, verify the downloaded file size matches the requirement.
4. If the file size matches => success (otherwise try backup sites or FAIL).

I assume the original intent was to first check file size, and then calculate the SHA256 sum of the downloaded file and compare that to the distinfo requirements. So currently it's possible to successfully fetch a distribution file that has the same size but a different checksum than the file specified in distinfo.

To reiterate -- do-fetch.mk requires distinfo to provide an SHA256 checksum, but it doesn't do anything with it.
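The check the report says is missing, as an added example (this is not FreeBSD's own do-fetch.mk logic, and the function names verify_distfile, distinfo_value and sha256_of are made up for illustration). It assumes the standard distinfo line format, "SHA256 (name) = hex" and "SIZE (name) = bytes", and it verifies size first and then the SHA256 digest, so a file of the right size but the wrong content is rejected. The demo at the end builds its own constructed distinfo and two same-size files in a temporary directory.

```shell
#!/bin/sh
# Verify a downloaded distfile against its distinfo entry: size first, then SHA256.
# Added example; not FreeBSD's do-fetch.mk. Helper names are hypothetical.

# Print the SHA256 of a file, portable across FreeBSD (sha256 -q) and coreutils (sha256sum).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# distinfo_value <distinfo> <SHA256|SIZE> <distfile-name>
# Matches lines of the form:  SHA256 (foo-1.0.tar.gz) = <hex>   /   SIZE (foo-1.0.tar.gz) = 1234
# Other lines (e.g. TIMESTAMP) are ignored. Prints the value, or nothing if absent.
distinfo_value() {
    awk -v key="$2" -v name="($3)" '$1 == key && $2 == name { print $4; exit }' "$1"
}

# verify_distfile <distinfo> <distfile-name> <path-to-downloaded-file>
# Returns 0 only if both the size and the SHA256 match distinfo.
# Returns 2 if distinfo carries no SHA256 line for the file (treated as a hard error,
# since a missing digest means nothing can be verified).
verify_distfile() {
    distinfo=$1; name=$2; path=$3
    want_sha=$(distinfo_value "$distinfo" SHA256 "$name")
    want_size=$(distinfo_value "$distinfo" SIZE "$name")
    if [ -z "$want_sha" ]; then
        echo "no SHA256 entry for $name in $distinfo" >&2
        return 2
    fi
    # Step 1: the cheap size check (this is as far as the report says do-fetch.mk goes).
    got_size=$(wc -c < "$path" | tr -d ' ')
    if [ -n "$want_size" ] && [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $name: want $want_size, got $got_size" >&2
        return 1
    fi
    # Step 2: the digest check, which is what catches a same-size substitute.
    got_sha=$(sha256_of "$path")
    if [ "$got_sha" != "$want_sha" ]; then
        echo "checksum mismatch for $name: want $want_sha, got $got_sha" >&2
        return 1
    fi
    return 0
}

# run_demo: constructed data only. Writes the "genuine" distfile and a same-size
# variant with one byte changed, builds a distinfo for the genuine one, and returns 0
# only if the genuine file passes and the same-size variant is rejected.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/foo-1.0.tar.gz"   # genuine distfile, 6 bytes
    printf 'jello\n' > "$dir/foo-1.0.tamper"   # also 6 bytes, different content
    {
        printf 'SHA256 (foo-1.0.tar.gz) = %s\n' "$(sha256_of "$dir/foo-1.0.tar.gz")"
        printf 'SIZE (foo-1.0.tar.gz) = 6\n'
    } > "$dir/distinfo"
    ok=0
    if verify_distfile "$dir/distinfo" foo-1.0.tar.gz "$dir/foo-1.0.tar.gz" \
       && ! verify_distfile "$dir/distinfo" foo-1.0.tar.gz "$dir/foo-1.0.tamper" 2>/dev/null; then
        ok=1
    fi
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}

run_demo && echo "size check alone accepts the same-size variant; the SHA256 check rejects it"
```

The size comparison is kept as the first step because it is cheap and catches truncated downloads early, but on its own it proves nothing about content; only the digest comparison ties the downloaded bytes to what distinfo pinned.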