On Thu, Jan 26, 2006 at 12:28:22PM +1100, Peter Jeremy wrote:
> On Wed, 2006-Jan-25 18:38:40 -0500, Kris Kennaway wrote:
> >AFAIK duplicate checksums are OK - they are useful if e.g. mirrors
> >have different versions of the distfile that are functionally
> >identical. Duplicate SIZE causes errors though (arguably a bug).
>
> Different, but functionally identical, versions of a distfile are
> highly likely to also have different sizes. If you're going to allow
> different checksums, you need to allow for different sizes as well.

Yeah, currently you'd have to drop the size checking (which is mostly
just an optimization to avoid downloading changed/corrupted versions).
> Doing this without opening potential security holes means changing the
> distfiles entries to be tuples of {filename,size,md5,sha-256} (where
> anything except the filename is optional). A downloaded file would
> have to completely match one of the tuples for it to be acceptable.
>
> How many cases are there where there are multiple, equivalent,
> versions of distfiles on the net?
A distfile somewhere in the ports collection changes checksum about
once a week or so. I don't have data on how often the above situation
(different versions on different sites) occurs, but it must occur
occasionally when the software mirror sites are not quick to update.
Kris
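The per-tuple matching proposed in the quoted text above, sketched as an added example; it is not code from this thread or from the ports framework. `DistEntry`, `size_allowed`, `acceptable` and the sample data are hypothetical names and constructed values, and skipping tuples that carry no checksum is an assumption of this sketch.

```python
import hashlib
from typing import NamedTuple, Optional

class DistEntry(NamedTuple):          # hypothetical record, not the real distinfo format
    filename: str
    size: Optional[int] = None        # everything but the filename is optional
    md5: Optional[str] = None
    sha256: Optional[str] = None

FIELDS = ("size", "md5", "sha256")

def fingerprint(data: bytes) -> dict:
    """Properties of a downloaded file that a tuple can constrain."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def size_allowed(filename: str, size: int, entries) -> bool:
    """Cheap pre-download check: does any tuple for this file permit this size?"""
    return any(e.filename == filename and e.size in (None, size) for e in entries)

def acceptable(filename: str, data: bytes, entries) -> bool:
    """Accept only if the file satisfies every field of ONE tuple."""
    actual = fingerprint(data)
    for e in entries:
        if e.filename != filename:
            continue
        wanted = {f: getattr(e, f) for f in FIELDS if getattr(e, f) is not None}
        # Assumption: a tuple carrying no checksum verifies nothing, so skip it.
        if not (wanted.keys() & {"md5", "sha256"}):
            continue
        if all(actual[f] == v for f, v in wanted.items()):
            return True
    return False

# Constructed sample data: two functionally identical repacks of one distfile.
V1, V2 = b"foo-1.0 source tree\n", b"foo-1.0 source tree, repacked\n"
ENTRIES = [
    DistEntry("foo-1.0.tar.gz", **fingerprint(V1)),
    DistEntry("foo-1.0.tar.gz", size=len(V2), sha256=hashlib.sha256(V2).hexdigest()),
    DistEntry("foo-1.0.tar.gz", size=len(V1)),   # size only: never sufficient
]
```

A file that passes `size_allowed` still has to pass `acceptable`, so the size check remains a download-saving optimization and the checksums of a single tuple make the decision.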
