security/libgcrypt checksum mismatch

RW rwmaillists at googlemail.com
Sat May 11 21:15:10 UTC 2013


On Sat, 11 May 2013 17:39:52 +0200
Michael Gmelin wrote:



> Besides the fact that ISPs really shouldn't interfere with your HTTP
> traffic in that way (terrible!), preferring FTP sounds like a bad
> idea, since it's a lot more complicated protocol and therefore more
> likely to fail in limited network setups. There are a couple of
> possible solutions, some more useful than others.

I doubt it makes much difference: fetch can request FTP URLs through
an HTTP proxy, which eliminates a lot of the potential problems, and
even in the worst case FreeBSD will fall through to an HTTP link.

> 1. Avoid ISPs that break your traffic.
>    Caveat: Sometimes you have no choice.
> 2. Use HTTPS whenever possible, so that certificate checking can take
>    place and stop you from downloading broken files in the first
>    place. (there's a patch to fetch I'm working on with des that will
>    hopefully make it to base soon).
>    Caveat: Not every project provides an SSL enabled source, lots of
>    ports need to be adapted, never near 100%.

On the whole, caching is a good thing. HTTPS sounds more trouble than
it's worth to me.


> 3. Modify the ports framework, so you can set an environment/config
>    variable like PREFER_HTTP or PREFER_FTP.
>    Caveat: It's work and not *that* useful.

You can already do this with:

MASTER_SORT_REGEX?= ^ftp:

I used to do it the other way around because my ISP preferred cached
HTTP in their traffic shaping.

> 4. Modify the ports framework, so it tries the next download location
>    in case there is a file size or checksum mismatch.
>    Caveat: Requires effort.
> 
> IMHO implementing 4 would make a lot of sense to compensate for broken
> mirrors.

FWIW I fetch files like this:


  # Loop over the origins of every installed package that is older than
  # the version in the ports tree (pkg version -l '<' prints "origin <").
  for porg in $(pkg version -Iol'<' | awk '{ print $1 }'); do
      echo "Checking - ${porg}"
      cd "/usr/ports/${porg}" || continue
      # If the checksum fails from the preferred site, remove the distfile
      # and retry with the master sites tried in random order.
      make checksum || (
          export RANDOMIZE_MASTER_SITES=yes
          make distclean
          make checksum
      )
  done

I do it that way because it avoids a lot of problems with rerolled
files, but it would help with this problem too.
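An added example, not from this thread or the ports framework, of what point 4 amounts to: check a distfile against distinfo-style SIZE and SHA256 lines and move on to the next source when either mismatches. The distinfo file, the two "mirrors" and the cp that stands in for fetch(1) are all constructed so the script runs offline.

```shell
# Constructed example: check a distfile against FreeBSD distinfo-style
# SIZE and SHA256 lines and keep the first mirror whose copy verifies.
# Portable SHA-256 of a file: sha256(1) on FreeBSD, sha256sum on GNU, else shasum.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# distinfo_value DISTINFO KEY NAME: value of the line "KEY (NAME) = value"
distinfo_value() {
    awk -v k="$2" -v n="($3)" '$1 == k && $2 == n { print $4 }' "$1"
}

# verify_distfile DISTINFO NAME PATH: 0 if SIZE and SHA256 both match
verify_distfile() {
    want_size=$(distinfo_value "$1" SIZE "$2")
    want_hash=$(distinfo_value "$1" SHA256 "$2")
    [ -n "$want_size" ] && [ -n "$want_hash" ] || return 2
    have_size=$(wc -c < "$3" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1      # cheap size check first
    [ "$(sha256_of "$3")" = "$want_hash" ]
}

# fetch_verified DISTINFO NAME DEST SRC...: copy sources in order, stop at the
# first that verifies and print it; a bad copy is discarded before the next try.
fetch_verified() {
    di=$1; name=$2; dest=$3; shift 3
    for src in "$@"; do
        cp "$src" "$dest" 2>/dev/null || continue     # cp stands in for fetch(1)
        if verify_distfile "$di" "$name" "$dest"; then echo "$src"; return 0; fi
        rm -f "$dest"
    done
    return 1
}

# Constructed fixtures: a distinfo, a good mirror, and one that serves an
# intercepted HTML page in place of the tarball.
demo_setup() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/good.tar.gz"               # 6 bytes, known SHA-256
    printf '<html>blocked</html>\n' > "$d/bad.tar.gz"
    cat > "$d/distinfo" <<EOF
SHA256 (demo-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (demo-1.0.tar.gz) = 6
EOF
    echo "$d"
}
```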


More information about the freebsd-ports mailing list