Request to review: print/texlive-install

Jason Helfman jhelfman at e-e.com
Mon May 28 16:37:52 UTC 2012


> On 05/27/2012 09:19 PM, Eitan Adler wrote:
>> On 27 May 2012 18:14, Stephen Montgomery-Smith <stephen at missouri.edu> wrote:
>>> There are a number of issues.  In particular there is no checksum calculated
>>> for install-tl-unx.tar.gz because I suspect that it changes very often.
>>
>> This is a security risk and must not be committed as is.
>
> How about if I add lines like this:
>
> .if !defined(IGNORE_SECURITY_RISK)
> IGNORE=         has a security risk because it downloads a file \
> without a checksum.  Define IGNORE_SECURITY_RISK to build this port
> .endif
>
> Would it be considered OK to commit it then?

Does the code look for a particular location for this file to exist before
attempting to download it? If not, can it be patched to do so?

If so, it can be added as a distfile, and put into a location where the
build will find it.

If this can be done, there wouldn't be a security risk, assuming no other
files are downloaded post-fetch.

-jgh
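
The distfile approach suggested above, sketched as an added example that is not part of the original thread or the port: a pre-fetched install-tl-unx.tar.gz is checked against SHA256 and SIZE lines in the ports distinfo format before anything unpacks it, and a missing entry fails closed. The function names are hypothetical, the sample file contents are constructed, and the sketch assumes no DIST_SUBDIR prefix in the distinfo entry.

```shell
#!/bin/sh
# Added example: verify a pre-fetched distfile against a ports-style distinfo.
# Function names are hypothetical; all sample data below is constructed.

# Print the SHA256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'          # GNU coreutils
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                             # FreeBSD base system
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Look up "KEY (name) = value" in distinfo; prints the value, empty if absent.
distinfo_field() {  # $1=distinfo  $2=KEY  $3=file name
    awk -v k="$2" -v n="($3)" '$1 == k && $2 == n && $3 == "=" {print $4; exit}' "$1"
}

# Return 0 only if the file exists and matches both SIZE and SHA256.
verify_distfile() {  # $1=distinfo  $2=path to distfile
    name=$(basename "$2")   # assumption: entry is not prefixed with DIST_SUBDIR
    want_sum=$(distinfo_field "$1" SHA256 "$name")
    want_size=$(distinfo_field "$1" SIZE "$name")
    # No recorded checksum means the file is unverifiable: fail closed.
    [ -n "$want_sum" ] && [ -n "$want_size" ] || { echo "no distinfo entry for $name" >&2; return 2; }
    [ -f "$2" ] || { echo "$name: missing" >&2; return 3; }
    have_size=$(wc -c < "$2" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || { echo "$name: size mismatch" >&2; return 1; }
    [ "$(sha256_of "$2")" = "$want_sum" ] || { echo "$name: SHA256 mismatch" >&2; return 1; }
    return 0
}

# Demo on constructed data: record a checksum, then tamper with the file.
demo() {
    d=$(mktemp -d) && f="$d/install-tl-unx.tar.gz"
    printf 'constructed installer bytes\n' > "$f"
    printf 'SHA256 (%s) = %s\nSIZE (%s) = %s\n' "${f##*/}" "$(sha256_of "$f")" \
        "${f##*/}" "$(wc -c < "$f" | tr -d ' ')" > "$d/distinfo"
    verify_distfile "$d/distinfo" "$f" && echo "original: ok"
    printf 'constructed installer bytez\n' > "$f"   # same size, different content
    verify_distfile "$d/distinfo" "$f" || echo "tampered: rejected"
    rm -rf "$d"
}
demo
```

The same-size tamper in the demo shows why the SIZE line alone is not enough and the digest comparison is what rejects the file.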




