Contributed by jose on from the md5-sha1-rmd160 dept.
As discussed in the Ports FAQ, one of the things the ports tree does is use cryptographic checksums to ensure that the right distfile has been fetched and that it's not corrupted, either by accident or by someone's malicious actions. This backdooring has been going on frequently in the past month or two, and in each case the ports tree checksum mechanism has caught it. So, don't disregard these errors and don't run make NO_CHECKSUM=yes, which simply ignores this mismatch. Instead, you should run make checksum REFETCH=true, which will fetch the distfile, known to be trusted, from the OpenBSD FTP mirrors. Use the built-in integrity checking mechanisms when dealing with untrusted sources of software!
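As an added illustration (not part of jose's post or of the ports infrastructure), here is a small POSIX shell routine doing what make checksum does for a port: compare the fetched distfile against every digest recorded for it in a distinfo-style file and refuse the file on any mismatch. It assumes the coreutils md5sum and sha1sum tools and builds its own constructed distfile and distinfo for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. A ports-style distinfo has lines like
#   MD5 (foo-1.0.tar.gz) = <hex digest>
#   SHA1 (foo-1.0.tar.gz) = <hex digest>
# Assumes md5sum/sha1sum from coreutils; RMD160 lines are skipped (no coreutils tool).

# verify_distfile DISTINFO DISTFILE -> 0 if every checkable digest matches, 1 otherwise
verify_distfile() {
    distinfo=$1; distfile=$2
    name=$(basename "$distfile")
    checked=0
    while read -r algo paren eq digest; do
        [ "$paren" = "($name)" ] || continue     # entry for a different distfile
        case $algo in
            MD5)  got=$(md5sum "$distfile" | cut -d' ' -f1) ;;
            SHA1) got=$(sha1sum "$distfile" | cut -d' ' -f1) ;;
            *)    continue ;;
        esac
        checked=$((checked + 1))
        if [ "$got" != "$digest" ]; then
            echo ">> Checksum mismatch for $name ($algo); refusing to use it." >&2
            echo ">> Re-fetch from a trusted mirror instead of skipping the check." >&2
            return 1
        fi
    done < "$distinfo"
    # A distinfo with no usable entry for this file proves nothing: fail closed
    [ "$checked" -gt 0 ]
}

# demo: constructed clean distfile passes, a tampered copy with extra bytes fails.
# Returns 0 when both outcomes are as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'hello ports\n' > "$tmp/foo-1.0.tar.gz"        # stands in for a real tarball
    {
        echo "MD5 (foo-1.0.tar.gz) = $(md5sum "$tmp/foo-1.0.tar.gz" | cut -d' ' -f1)"
        echo "SHA1 (foo-1.0.tar.gz) = $(sha1sum "$tmp/foo-1.0.tar.gz" | cut -d' ' -f1)"
    } > "$tmp/distinfo"
    verify_distfile "$tmp/distinfo" "$tmp/foo-1.0.tar.gz" || return 1
    mkdir "$tmp/evil"
    printf 'hello ports\n# extra bytes\n' > "$tmp/evil/foo-1.0.tar.gz"
    if verify_distfile "$tmp/distinfo" "$tmp/evil/foo-1.0.tar.gz" 2>/dev/null; then
        return 1                                          # tampered file must not pass
    fi
    rm -rf "$tmp"
    return 0
}
```

Running `demo` exercises both paths; in a real tree the same refusal is what you see as a checksum error, and the right response is make checksum REFETCH=true rather than NO_CHECKSUM=yes.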
By Anonymous Coward () on
Thx ppl!
By Skinny Puppy () on http://www.shitbomb.com
Using make checksum REFETCH=true could lead to the same problems, since you are trusting whatever server is currently listed in DNS as ftp.openbsd.org.
The best way I could think of doing this correctly is with a public key that is used to sign all src/ports/snapshots/whatever. But then again that would be a major pain in the ass for developers.
By Anonymous Coward () on