From nobody Fri May 16 14:17:32 2025 X-Original-To: freebsd-ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZzTgd5b8Nz5vnYn for ; Fri, 16 May 2025 14:17:49 +0000 (UTC) (envelope-from john@marino.st) Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZzTgc5yv5z3Dby for ; Fri, 16 May 2025 14:17:48 +0000 (UTC) (envelope-from john@marino.st) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=marino-st.20230601.gappssmtp.com header.s=20230601 header.b=VKPmSTSa; spf=pass (mx1.freebsd.org: domain of john@marino.st designates 2607:f8b0:4864:20::f2b as permitted sender) smtp.mailfrom=john@marino.st; dmarc=none Received: by mail-qv1-xf2b.google.com with SMTP id 6a1803df08f44-6f5499c21bbso35551246d6.3 for ; Fri, 16 May 2025 07:17:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marino-st.20230601.gappssmtp.com; s=20230601; t=1747405067; x=1748009867; darn=freebsd.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=jCRJ7bW1j/vTqysh2n/ZhGfZIepohEO1p9mhN34nHIk=; b=VKPmSTSaMKQMXBQuHC4KUCo2bCNbU9buPIQJDIN4togyIvywWYBvJJj1ngIyyeWwKB jFa/K0p1hMOk04cPC40yLfkhE/iQ8ybR76wkW+G9w/IuZDa7Sow6BkhI2bKb6bnSeQl7 74jlOoFH8xFH5A98KMXoUZ2kiQPXENwc4GoBoXCHoNitOLF/tM504sn5vJ+J+AglOVnw mlWgHrtmmhRtlmYjmDPoTTfpEqDOpnborT3yFIZB84jW26rUlXd/VQ+QhGXiXJw9tvOz upUYlVZyoIqjs1/Q5XE1jcS0AwY3chEsTYRIsduaxZ19k015jVmiBA2rKND6LmsqukEV hcqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747405067; x=1748009867; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=jCRJ7bW1j/vTqysh2n/ZhGfZIepohEO1p9mhN34nHIk=; b=fHDAxNwUfHYaMgs9GeC6ENZsflEhjeiM3cCMAeqNW5DI7AhCf4WZQ7qsDTG3B+0EYO q6nxxiv9c70dM2ZNNmtTr5WZ9c+fIesJfjz/rL5W7ugTM1+rJadyXFeDc5G1wcbt0x0g d/SnFI2qWyCxtzdxkzF2yUrDJfViiqfnzDauQUwgAGD9rCYgCD974K53HMaZ4G6V3vfH 9O7U/agxIDhJKZZc1nCgLENZ7hVLI1oI/eYeaxkgp+R+MoZIa8w9Dx7Zry0OF7Tb4vZA J2pX2RdQmp5RvJAhgLwKIeJjtUpSt5cmstrrHTXeoahLiv5O+uabmwMjeRQw/2w+xZW+ u02Q== X-Gm-Message-State: AOJu0YxKEzH65Y1W99vX4T3GfRnC8mR2NzFDVCN/9+eMisrnSuHf0yev uKO+2hjz+uxFxrfQJgnVudSzbXMQ8uuHPzbr11Intcy7Uu0AH14rub2wA5uDdpCSXnluf/HPS8j I8d2n6PmNOCMOpvDXzJL7BJzza1B1bYoO9RTLGn784AwXMEIk9v8l67I= X-Gm-Gg: ASbGncvGvy4zaB2YKloGyGwrUuIG7aLSXLL+O5oosbpbBNbxT9pQ4Ijf/JxILflH4wZ 0aZAw7hp73/qfTYQ6AZxJBaZsqC3yD5LGXXoMJMx4ECNG/+XOr6K1K2KhhYLh790PZqyFnCbnsT flCylQ8Iy7ofiXDnOu+Rfc+Tz5a3g741t6Jmc= X-Google-Smtp-Source: AGHT+IHGf+LjgWUhxzIbxsGYzQwNaG/akXejOuYX1GifUCFZ/9foAaXUEEtj7CtpCrC8/DW1k8D2WLJbZZmhd5hXBV4= X-Received: by 2002:a05:6214:230c:b0:6f4:c8cd:abcc with SMTP id 6a1803df08f44-6f8b2b4c46fmr47064536d6.0.1747405067149; Fri, 16 May 2025 07:17:47 -0700 (PDT) List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-ports@freebsd.org Sender: owner-freebsd-ports@FreeBSD.org MIME-Version: 1.0 From: "John Marino (FreeBSD)" Date: Fri, 16 May 2025 09:17:32 -0500 X-Gm-Features: AX0GCFts5sIYe4TV3VdoHHRH0ZVQLKRQFYtf7utaqzJujFnTkfvJtdYwpyqcW2c Message-ID: Subject: do-fetch.mk never actually verifies the sha256 checksum To: freebsd-ports@freebsd.org Content-Type: multipart/alternative; boundary="0000000000004e7b8b06354172f6" X-Rspamd-Queue-Id: 4ZzTgc5yv5z3Dby X-Spamd-Bar: - X-Spamd-Result: default: False [-1.43 / 15.00]; NEURAL_HAM_SHORT(-1.00)[-0.999]; NEURAL_HAM_LONG(-0.99)[-0.987]; NEURAL_SPAM_MEDIUM(0.76)[0.760]; FORGED_SENDER(0.30)[freebsd@marino.st,john@marino.st]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; R_DKIM_ALLOW(-0.20)[marino-st.20230601.gappssmtp.com:s=20230601]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MISSING_XM_UA(0.00)[]; DMARC_NA(0.00)[marino.st]; ARC_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-ports@freebsd.org]; FROM_NEQ_ENVFROM(0.00)[freebsd@marino.st,john@marino.st]; FROM_HAS_DN(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::f2b:from]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-ports@freebsd.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_TLS_LAST(0.00)[]; DKIM_TRACE(0.00)[marino-st.20230601.gappssmtp.com:+] --0000000000004e7b8b06354172f6 Content-Type: text/plain; charset="UTF-8" For each distribution file listed in a port's distinfo file, the file's size and SHA256 hash is provided. However, after a distribution file candidate is downloaded, only the file's size is verified to match the requirements. The downloaded file is never hashed to verify it matches the required checksum. basic logic per file: 1. Verify an SHA256 list for the file is present in the distinfo file. 2. Attempt fetch requiring file size listed in distinfo (size requirement may be ignored) 3. Upon successful download, verify downloaded file size matches requirement. 4. If file size matches => success (otherwise try backup sites or FAIL) I assume the original intent was to first check file size, and then calculate the SHA256 sum of the downloaded file and compare that to the distinfo requirements. So currently it's possible to successfully fetch a distribution file that has the same size but a different checksum than the file specified in distinfo. To interate -- the do-fetch.mk requires distinfo to provide an SHA256 checksum, but it doesn't do anything with it. --0000000000004e7b8b06354172f6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
For each distribution file listed in a port's distinfo= file, the file's size and SHA256 hash is provided.=C2=A0 However, afte= r a distribution file candidate is downloaded, only the file's size is = verified to match the requirements.=C2=A0 The downloaded file is never hash= ed to verify it matches the required checksum.

basic logic per file:=
1. Verify an SHA256 list for the file is present in the distinfo file.<= br>2. Attempt fetch requiring file size listed in distinfo (size requiremen= t may be ignored)
3. Upon successful download, verify downloaded file si= ze matches requirement.
4. If file size matches =3D> success (otherwi= se try backup sites or FAIL)

I assume the original intent was to fir= st check file size, and then calculate the SHA256 sum of the downloaded fil= e and compare that to the distinfo requirements.

So currently it'= ;s possible to successfully fetch a distribution file that has the same siz= e but a different checksum than the file specified in distinfo.

To i= nterate -- the do-fetch.mk requires dist= info to provide an SHA256 checksum, but it doesn't do anything with it.=
--0000000000004e7b8b06354172f6--