On 04/07/2015 Jason Marshall wrote:
I execute .bootstrap, but I note the following: When the missing
tarballs and external sources are downloaded, the script seems to
identify that for some of these, the checksum does not match that
expected.  Could anyone tell me why this would occur and if this is
an issue from a security standpoint?  I.e., is it possible that what
is being downloaded by .bootstrap is unsafe?  Also, is it okay to
simply progress to the build anyway?

Since this just happened to me again, I decided to write into
https://bz.apache.org/ooo/show_bug.cgi?id=126469
all the technical details I sent here long ago.

If you want to play with that, this is another fix that would be nice to have in 4.1.2 even if it only improves our build speed and has no visible impact on users. I quickly investigated it several months ago, so if you need more information just ask, but the above contains all technical explanations: in short, the Perl code that downloads the archive actually downloads a decompressed version. The solution would be to enforce that compression is respected.

As for your other questions, each download is attempted twice from two different sources, see the many URL1 and URL2 in http://svn.apache.org/viewvc/openoffice/trunk/main/external_deps.lst?view=markup ; so when the first one fails, it is discarded, download proceeds with the second URL and there we don't have the problem. The ./bootstrap phase will fail if both servers fail, but the second one plays in the right way with our Perl script so it never happens that the whole process fails. Archives that do not have the expected checksum are deleted so the output of ./bootstrap is always safe, but it takes more attempts than necessary due to the above bug.

Regards,
  Andrea.
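
The behaviour described in this reply, as an added Python sketch (not the project's Perl code and not part of the original message): an ordered list of sources is tried, a download whose digest does not match is deleted, and the first source is modelled as delivering the decompressed bytes. The function names, the sample archive and the use of SHA-256 are assumptions made for the illustration.

```python
import gzip
import hashlib
import os
import tempfile

# Constructed sample: a small gzip "tarball" and the digest a deps list would pin.
ARCHIVE = gzip.compress(b"constructed tarball payload\n" * 64, mtime=0)
EXPECTED_SHA256 = hashlib.sha256(ARCHIVE).hexdigest()


def source_decoding(_name):
    """Hypothetical URL1: the archive arrives already decompressed."""
    return gzip.decompress(ARCHIVE)


def source_raw(_name):
    """Hypothetical URL2: the bytes arrive exactly as published."""
    return ARCHIVE


def fetch_verified(name, expected, sources, dest_dir):
    """Try each source in order; keep the file only if its digest matches."""
    attempts = []
    path = os.path.join(dest_dir, name)
    for source in sources:
        with open(path, "wb") as fh:
            fh.write(source(name))
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest == expected:
            attempts.append((source.__name__, "ok"))
            return path, attempts
        os.remove(path)  # never leave an unverified archive on disk
        attempts.append((source.__name__, "checksum mismatch, deleted"))
    raise RuntimeError(f"{name}: no source produced the expected checksum")


def demo():
    """Run the two-source fallback; return the attempt log and a content check."""
    with tempfile.TemporaryDirectory() as d:
        path, attempts = fetch_verified(
            "sample.tar.gz", EXPECTED_SHA256, [source_decoding, source_raw], d)
        with open(path, "rb") as fh:
            return attempts, fh.read() == ARCHIVE


if __name__ == "__main__":
    print(demo())
```

The mismatch on the first source comes from the content being intact but in a different encoding, which is why the checksum gate rejects it and the second attempt succeeds.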
