security/libgcrypt checksum mismatch
Michael Gmelin
freebsd at grem.de
Sat May 11 15:40:02 UTC 2013
On Sat, 11 May 2013 14:59:46 +0100
"N.J. Mann" <njm at njm.me.uk> wrote:
> In message <20130511115228.GC94348 at titania.njm.me.uk>,
> N.J. Mann (njm at njm.me.uk) wrote:
> > In message <518E2913.5040402 at hayers.org>,
> > Gary J. Hayers (gary at hayers.org) wrote:
> > > I've been getting this with varying ports for some time now,
> > > sometimes I've had to manually fetch the distfiles.
> >
> > I am sorry to hear this, but glad I am not the only one. :-)
> >
> > The files I have had to manually fetch are:
> >
> > libgcrypt-1.5.2.tar.bz2
> > libassuan-2.0.3.tar.bz2
> > libassuan-2.0.3.tar.bz2.sig
> > libksba-1.3.0.tar.bz2
> > libksba-1.3.0.tar.bz2.sig
> > gnupg-2.0.19.tar.bz2
> > gnupg-2.0.19.tar.bz2.sig
> > gnupg-2.0.20.tar.bz2
> > gnupg-2.0.20.tar.bz2.sig
>
> I now know why I get HTML files when trying to fetch these distfiles.
> The common factor is that they all use HTTP rather than FTP for fetching.
> For HTTP fetches my ISP (British Telecom, aka BT) will display a
> "helpful" 'sorry no one at home' web page when the fetch fails, and
> that is what I end up with in the distfile. Thankfully, this 'nice'
> feature can be disabled. Once disabled 'make fetch' does its job of
> trying the next site after the failure and the proper file(s) are
> downloaded.
>
> I do not know whether other ISPs do something similar, does anyone? I
> wonder whether FTP sites should be listed before HTTP ones?
>
>
> Cheers,
> Nick.
Hi Nick,
Besides the fact that ISPs really shouldn't interfere with your HTTP
traffic in that way (terrible!), preferring FTP sounds like a bad idea,
since it's a lot more complicated protocol and therefore more
likely to fail in limited network setups. There are a couple of
possible solutions, some more useful than others.
1. Avoid ISPs that break your traffic.
Caveat: Sometimes you have no choice.
2. Use HTTPS whenever possible, so that certificate checking can take
place and stop you from downloading broken files in the first place.
(there's a patch to fetch I'm working on with des that will
hopefully make it to base soon).
Caveat: Not every project provides an SSL enabled source, lots of
ports need to be adapted, never near 100%.
3. Modify the ports framework, so you can set an environment/config
variable like PREFER_HTTP or PREFER_FTP.
Caveat: It's work and not *that* useful.
4. Modify the ports framework, so it tries the next download location
in case there is a file size or checksum mismatch.
Caveat: Requires effort.
IMHO implementing 4 would make a lot of sense to compensate for broken
mirrors.
In the meantime, as a workaround, you could set
HTTP_PROXY=127.0.0.1:12000
(or any other unused port on your system)
That way fetch fails on all HTTP sites and therefore effectively
uses FTP instead.
Cheers,
Michael
--
Michael Gmelin
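As an added example (not part of this thread and not the FreeBSD ports framework's own code), here is the behaviour Michael describes as option 4, combined with a check for the kind of ISP "sorry, no one at home" page Nick was getting: a POSIX sh function that walks a list of mirrors and keeps a download only if its SHA-256 matches the expected value, otherwise discarding it and moving on. The mirror directories, distfile name and file contents are constructed for the demo; for real URLs the downloader assumes fetch(1) or curl is installed.

```shell
#!/bin/sh
# Fetch a distfile from a list of mirrors, accepting it only when its
# SHA-256 matches. A bogus HTML page injected by an ISP has the wrong
# checksum, so it is discarded and the next mirror is tried.
set -u

# Portable SHA-256: sha256(1) on FreeBSD, sha256sum on Linux (assumed).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Cheap hint for diagnostics: does the start of the file look like HTML?
looks_like_html() {
    head -c 512 "$1" | grep -qi -e '<html' -e '<!doctype'
}

# download_one URL DEST: file:// is copied locally (used by the demo);
# anything else goes through fetch(1) or curl, whichever exists.
download_one() {
    case "$1" in
        file://*) cp "${1#file://}" "$2" ;;
        *) if command -v fetch >/dev/null 2>&1; then
               fetch -q -o "$2" "$1"
           else
               curl -fsSL -o "$2" "$1"
           fi ;;
    esac
}

# fetch_verified DISTFILE EXPECTED_SHA256 DEST_DIR MIRROR...
# Returns 0 and leaves DEST_DIR/DISTFILE in place on success, 1 if every
# mirror failed or served a file with the wrong checksum. Skips go to stderr.
fetch_verified() {
    distfile=$1; expected=$2; destdir=$3; shift 3
    tmp="$destdir/$distfile.part"
    for mirror in "$@"; do
        rm -f "$tmp"
        if ! download_one "$mirror/$distfile" "$tmp" 2>/dev/null; then
            echo "$mirror: download failed, trying next" >&2
            continue
        fi
        actual=$(sha256_of "$tmp")
        if [ "$actual" != "$expected" ]; then
            if looks_like_html "$tmp"; then
                echo "$mirror: got an HTML page instead of $distfile, trying next" >&2
            else
                echo "$mirror: checksum mismatch, trying next" >&2
            fi
            continue
        fi
        mv "$tmp" "$destdir/$distfile"
        return 0
    done
    rm -f "$tmp"
    return 1
}

# --- constructed demo: three local "mirrors" in a temp dir --------------
# mirror1 answers with an ISP-style HTML error page, mirror2 lacks the
# file entirely, mirror3 has the genuine (stand-in) distfile.
demo_setup() {
    base=$(mktemp -d)
    mkdir -p "$base/mirror1" "$base/mirror2" "$base/mirror3" "$base/distfiles"
    printf '<!DOCTYPE html><html><body>Sorry, no one at home</body></html>\n' \
        > "$base/mirror1/example-1.0.tar.bz2"
    printf 'constructed stand-in for example-1.0.tar.bz2\n' \
        > "$base/mirror3/example-1.0.tar.bz2"
    echo "$base"
}

# Runs the fallback over the three mirrors and prints the accepted file's
# contents on stdout; returns fetch_verified's exit status.
demo_run() {
    base=$(demo_setup)
    expected=$(sha256_of "$base/mirror3/example-1.0.tar.bz2")
    fetch_verified example-1.0.tar.bz2 "$expected" "$base/distfiles" \
        "file://$base/mirror1" "file://$base/mirror2" "file://$base/mirror3"
    rc=$?
    [ "$rc" -eq 0 ] && cat "$base/distfiles/example-1.0.tar.bz2"
    rm -rf "$base"
    return $rc
}

demo_run
```

Run it with `sh fetch_verified.sh`: stderr shows mirror1 rejected as an HTML page and mirror2 as a failed download, and the file from mirror3 is the only one that lands in `distfiles/`. The design point is that the checksum, not the HTTP status, decides whether a mirror is done with, since an injected error page arrives with a perfectly normal 200.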