distfile fetching vs ISP "site-help" spoofing: any suggestions?
areilly at bigpond.net.au
Tue Jun 18 07:07:30 UTC 2013
I've just tried to portupgrade after a three-month hiatus and noticed a problem with the libgcrypt distfile
checksum that didn't go away after my usual strategy of waiting for a couple of days,
re-syncing the ports tree and trying again. Closer inspection and a hint from a google search
revealed that the first-level problem is that the wrong file had been fetched: it was a short
HTML file, rather than the expected tar.bz2 file. How did that happen? Apparently my ISP
(Bigpond, in Australia) has recently turned on a "site-helper" mechanism that spoofs any site
for which a DNS-lookup fails. That is, there are now no "missing" or expired sites. In this
case, the first item in the ports/Mk/bsd.sites.mk list used by the security/libgcrypt Makefile
is gnupg.org.favoritelinks.net which does not (any longer?) resolve.
I've arranged to proceed by deleting the line in bsd.sites.mk, which allowed the fetch to
succeed. This seems a bit lame though, because perhaps that site will come back one day.
Seems like a fragile, non-scaling approach.
It might be possible to subvert my ISP's evil helpfulness by pointing my DNS requests further
upstream, but that might prevent the government from blocking my access to things it considers
distasteful, and I'm not sure I want to go there just yet.
Anyone have any suggestions or best practices?
Should I try to raise a PR against bsd.sites.mk or security/libgcrypt?
More information about the freebsd-ports