Subject: Re: DIGEST_ALGORITHMS (was Re: CVS commit: pkgsrc/mk)
To: Jeremy C. Reed <reed@reedmedia.net>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-pkg
Date: 02/23/2005 12:20:55

On Tue, Feb 22, 2005 at 01:11:30PM -0800, Jeremy C. Reed wrote:
> On Tue, 22 Feb 2005, Alistair G. Crooks wrote:
>
> > Patchfiles will still use simply SHA1, since we are trying to detect a
> > binary "has this file changed", rather than protect against tampering.
> > In short, if someone can modify the patch file, they can modify the
> > distinfo file holding its digest information. This value is set in the
> > new PATCH_DIGEST_ALGORITHM definition.
>
> I didn't look too closely, but is PATCH_DIGEST_ALGORITHM or
> DIGEST_ALGORITHMS used for PATCHFILES? (I think your new multiple
> DIGEST_ALGORITHMS should be used for remotely retrieved PATCHFILES.)

Use the source, umm, Jeremy...

[12:18:14] agc@sys3 ...pkgsrc/net/rdesktop 26 > cat distinfo
$NetBSD: distinfo,v 1.11 2005/02/15 20:20:06 xtraeme Exp $
SHA1 (rdesktop-1.3.1.tar.gz) = d80e7c3afb671c77e4d8a6a74b33c3d6256675ce
Size (rdesktop-1.3.1.tar.gz) = 139686 bytes
SHA1 (rdesktop.patch) = 2ac6ed5c855f010d40daf46a18020a65ea6373d1
Size (rdesktop.patch) = 2348 bytes
SHA1 (patch-aa) = 1a28125cfc8cb58ba67c2c10209d0eca4681404e
SHA1 (patch-ab) = 2a86d850d0b3ee5e14ae6818c3ea492af558f22e
[12:18:18] agc@sys3 ...pkgsrc/net/rdesktop 27 > make mdi
=> distinfo: patches part unchanged.
===> do-fetch [rdesktop-1.3.1nb3] ===> Checking for vulnerabilities in rdesktop-1.3.1nb3
[12:18:28] agc@sys3 ...pkgsrc/net/rdesktop 28 > l
total 24
drwxr-xr-x 4 agc agc 512 Feb 23 12:18 .
drwxr-xr-x 429 agc agc 9728 Feb 22 22:05 ..
drwxr-xr-x 2 agc agc 512 Feb 22 22:04 CVS
-rw-r--r-- 1 agc agc 111 Nov 20 2003 DESCR
-rw-r--r-- 1 agc agc 897 Feb 22 22:02 Makefile
-rw-r--r-- 1 agc agc 985 Nov 20 2003 PLIST
-rw-r--r-- 1 agc agc 535 Feb 23 12:18 distinfo
drwxr-xr-x 3 agc agc 512 Feb 22 22:02 patches
[12:18:29] agc@sys3 ...pkgsrc/net/rdesktop 29 > cat distinfo
$NetBSD: distinfo,v 1.11 2005/02/15 20:20:06 xtraeme Exp $
SHA1 (rdesktop-1.3.1.tar.gz) = d80e7c3afb671c77e4d8a6a74b33c3d6256675ce
RMD160 (rdesktop-1.3.1.tar.gz) = 8af984cd883f3c7587a30b09e350129ed8ebbefa
Size (rdesktop-1.3.1.tar.gz) = 139686 bytes
SHA1 (rdesktop.patch) = 2ac6ed5c855f010d40daf46a18020a65ea6373d1
RMD160 (rdesktop.patch) = 8fb6c32ba27bc62db5ea30de028bb040ccc8af0b
Size (rdesktop.patch) = 2348 bytes
SHA1 (patch-aa) = 1a28125cfc8cb58ba67c2c10209d0eca4681404e
SHA1 (patch-ab) = 2a86d850d0b3ee5e14ae6818c3ea492af558f22e
[12:18:31] agc@sys3 ...pkgsrc/net/rdesktop 30 >

Regards,
Alistair
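
The distinfo layout shown in the session above, parsed and checked against a file's bytes, as an added example that is not part of the original message and is not pkgsrc's own code. The function names and the sample entries are constructed for illustration (the sample digests are those of the 3-byte content b"abc"); only the SHA1, RMD160 and Size labels come from the listing.

```python
import hashlib
import re

# distinfo algorithm labels (as in the listing above) -> hashlib names.
HASHLIB_NAMES = {"SHA1": "sha1", "RMD160": "ripemd160"}
ENTRY = re.compile(r"^(\w+) \((.+)\) = (\S+)(?: bytes)?$")

# Constructed sample: digests of the 3-byte content b"abc", not a real package.
SAMPLE = """\
$NetBSD$

SHA1 (example-1.0.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
RMD160 (example-1.0.tar.gz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
Size (example-1.0.tar.gz) = 3 bytes
SHA1 (patch-aa) = a9993e364706816aba3e25717850c26c9cd0d89d
"""


def parse_distinfo(text):
    """Return {filename: {"size": int or None, "digests": {label: hex}}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # RCS id line, blank lines
            continue
        label, name, value = m.groups()
        rec = entries.setdefault(name, {"size": None, "digests": {}})
        if label == "Size":
            rec["size"] = int(value)
        else:
            rec["digests"][label] = value.lower()
    return entries


def verify(entries, name, data):
    """Check data against every recorded line for name; return {label: status}."""
    rec = entries[name]
    results = {}
    if rec["size"] is not None:
        results["Size"] = "ok" if len(data) == rec["size"] else "MISMATCH"
    for label, expected in rec["digests"].items():
        try:
            h = hashlib.new(HASHLIB_NAMES.get(label, label.lower()), data)
        except ValueError:  # e.g. ripemd160 absent from this OpenSSL build
            results[label] = "unsupported"
            continue
        results[label] = "ok" if h.hexdigest() == expected else "MISMATCH"
    return results
```

A caller that wants the benefit of multiple digests should treat any status other than "ok" as a failure, including "unsupported", so that a missing algorithm does not silently reduce the check to a single hash.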