security/libgcrypt checksum mismatch
RW
rwmaillists at googlemail.com
Sat May 11 21:15:10 UTC 2013
On Sat, 11 May 2013 17:39:52 +0200
Michael Gmelin wrote:
> Besides the fact that ISPs really shouldn't interfere with your HTTP
> traffic in that way (terrible!), preferring FTP sounds like a bad
> idea, since it's a lot more complicated protocol and therefore more
> likely to fail in limited network setups. There are a couple of
> possible solutions, some more useful than others.
I doubt it makes much difference: fetch can request FTP URLs through
an HTTP proxy, which eliminates a lot of the potential problems, and
even in the worst case FreeBSD will fall through to an HTTP link.
> 1. Avoid ISPs that break your traffic.
> Caveat: Sometimes you have no choice.
> 2. Use HTTPS whenever possible, so that certificate checking can take
> place and stop you from downloading broken files in the first
> place. (there's a patch to fetch I'm working on with des that will
> hopefully make it to base soon).
> Caveat: Not every project provides an SSL enabled source, lots of
> ports need to be adapted, never near 100%.
On the whole caching is a good thing. HTTPS sounds more trouble than
it's worth to me.
> 3. Modify the ports framework, so you can set an environment/config
> variable like PREFER_HTTP or PREFER_FTP.
> Caveat: It's work and not *that* useful.
You can already do this with:
MASTER_SORT_REGEX?= ^ftp:
I used to do it the other way around because my ISP preferred cached
HTTP in their traffic shaping.
> 4. Modify the ports framework, so it tries the next download location
> in case there is a file size or checksum mismatch.
> Caveat: Requires effort.
>
> IMHO implementing 4 would make a lot of sense to compensate for broken
> mirrors.
FWIW I fetch files like this:
    # walk every installed package whose port is newer than the installed version
    for porg in $(pkg version -Iol'<' | awk '{ print $1 }') ; do
        echo "Checking - ${porg}"
        # skip the port rather than run make in the wrong directory if cd fails
        cd /usr/ports/${porg} || continue
        make checksum || (
            # on a checksum failure, drop the distfile and refetch from a
            # randomly ordered mirror list instead of the same site again
            export RANDOMIZE_MASTER_SITES=yes
            make distclean
            make checksum
        )
    done
I do it that way because it avoids a lot of problems with rerolled
files, but it would help with this problem too.
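A standalone sketch of option 4 from the thread (on a checksum mismatch, discard the file and move to the next mirror), added here as an example; it is not code from the thread or from the ports framework, and fetch_verified, sha256_of and the FETCH_CMD override are hypothetical names.

```shell
#!/bin/sh
# fetch_verified OUTFILE EXPECTED_SHA256 URL...
# Tries each URL in turn and keeps the first download whose SHA-256
# matches; a mismatching copy (truncated, proxy-mangled) is deleted and
# the next mirror is tried.  Hypothetical helper, not part of ports.
# FETCH_CMD downloads "OUTFILE URL"; default is FreeBSD fetch(1), and it
# can be overridden, e.g. FETCH_CMD="curl -fsSLo", on other systems.
: "${FETCH_CMD:=fetch -q -o}"

sha256_of() {
    # sha256sum on Linux, sha256(1) on FreeBSD; print only the hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

fetch_verified() {
    out=$1; expected=$2; shift 2
    for url in "$@"; do
        rm -f "$out"
        # a transport failure (404, refused connection) moves to the next mirror
        if ! $FETCH_CMD "$out" "$url" 2>/dev/null; then
            echo "fetch failed: $url" >&2
            continue
        fi
        got=$(sha256_of "$out")
        if [ "$got" = "$expected" ]; then
            echo "verified: $url"
            return 0
        fi
        # wrong checksum: never leave the bad file behind, fall through
        echo "checksum mismatch from $url (got $got)" >&2
        rm -f "$out"
    done
    echo "no mirror produced a file matching $expected" >&2
    return 1
}
```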