On 04/07/2015 Jason Marshall wrote:
I execute .bootstrap, but I note the following: When the missing
tarballs and external sources are downloaded, the script seems to
identify that for some of these, the checksum does not match that
expected. Could anyone tell me why this would occur and if this is
an issue from a security standpoint? I. e. is it possible that what
is being downloaded by .bootstrap is unsafe? Also, is it okay to
simply progress to the build anyway?
Since this just happened to me again, I decided to write into
https://bz.apache.org/ooo/show_bug.cgi?id=126469
all the technical details I sent here long ago.
If you want to play with that, this is another fix that would be nice to
have in 4.1.2 even if it only improves our build speed and has no
visible impact on users. I quickly investigated it several months ago,
so if you need more information just ask, but the above contains all
technical explanations: in short, the Perl code that downloads the
archive actually downloads a decompressed version. The solution would be
to enforce that compression is respected.
As for your other questions, each download is attempted twice from two
different sources, see the many URL1 and URL2 in
http://svn.apache.org/viewvc/openoffice/trunk/main/external_deps.lst?view=markup
; so when the first one fails, it is discarded, download proceeds with
the second URL and there we don't have the problem. The ./bootstrap
phase will fail if both servers fails, but the second one plays in the
right way with our Perl script so it never happens that the whole
process fails. Archives that do not have the expected checksum are
deleted so the output of ./bootstrap is always safe, but it takes more
attempts than necessary due to the above bug.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
