FTP packages missing CHECKSUM.MD5

grarpamp grarpamp at gmail.com
Thu Apr 11 18:15:57 UTC 2013

Noticed that at least ports/i386/packages-9-stable is missing
its CHECKSUM.MD5 file.

Of course people shouldn't use it for what they think it's for,
because it's not signed and uses a broken hash function.
Hopefully that will be updated to signed sha1/256/3 before long.

However it does make for a good 'TIMESTAMP' file to detect when
new packages appear. Ftp's internal or external 'ls -tT' can't be counted
on for this across mirrors because such options to ls are mirror dependant.
And there's no simple way to locally sort the ftp list output by date
without rigging in perl, etc. And an overwrite of the same file may not
stamp the parent directory, which also doesn't appear reliably '.' while
in the current directory.

In short, I'd suggest making a formal TIMESTAMP file for when package
updates are pushed out so people can key off that instead.

More information about the freebsd-ports mailing list