On 12/05/2013 08:11, Matthew Seaman wrote:
> On 11/05/2013 22:15, RW wrote:
>> FWIW I fetch files like this:
>>
>>
>>   for porg in `pkg version -Iol'<' |awk '{ print $1 }'`  ; do
>>       echo "Checking - ${porg}"
>>       cd  /usr/ports/${porg} 
>>       make checksum || (
>>          export RANDOMIZE_MASTER_SITES=yes 
>>          make distclean
>>          make checksum
>>      ) 
>>   done
>>
>> I do it that way because it avoids a lot of problems with rerolled
>> files, but it would help with this problem too. 
> 
> I'm sorry, but this is a really bad idea and an irresponsible thing to
> advise anyone else to do.  You're throwing away all the security
> benefits of using checksums, which are essentially that you can tell if
> anyone has tampered with the distfiles you intend to compile.
> 
> If you don't understand why that matters, then try reading this:
> 
> http://slashdot.org/comments.pl?sid=37188&cid=3991288
> http://www.mavetju.org/unix/openssh-trojan.php

Damn.  I'm sorry.  I misread your code. It's perfectly fine.

I apologise unreservedly for my earlier message.

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
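
Added example, not part of the thread or of the ports framework: the logic that makes the quoted retry loop safe, namely that every copy of a distfile, cached or refetched, is compared against the same pinned digest before it is kept. The function names and the local directories standing in for mirrors are assumptions made for illustration.

```shell
#!/bin/sh
# Print the SHA-256 of a file with whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# fetch_verified EXPECTED_SHA256 NAME DESTDIR MIRROR...
# A cached copy is kept only if it matches the pinned digest; otherwise it is
# discarded (the "make distclean" step) and each mirror is tried in turn.
# Retrying elsewhere never accepts a file that fails the check.
fetch_verified() {
    expected=$1 name=$2 dest=$3
    shift 3
    if [ -f "$dest/$name" ]; then
        if [ "$(sha256_of "$dest/$name")" = "$expected" ]; then return 0; fi
        rm -f "$dest/$name"
    fi
    for mirror in "$@"; do
        cp "$mirror/$name" "$dest/$name" 2>/dev/null || continue
        if [ "$(sha256_of "$dest/$name")" = "$expected" ]; then return 0; fi
        echo "checksum mismatch from $mirror, discarding" >&2
        rm -f "$dest/$name"
    done
    return 1                                # no mirror had a matching file
}

# Constructed demo: mirror m1 serves a modified file, m2 the genuine one.
demo() {
    w=$(mktemp -d) || return 1
    mkdir "$w/m1" "$w/m2" "$w/dist"
    printf 'genuine\n'  > "$w/m2/foo.tar.gz"
    printf 'tampered\n' > "$w/m1/foo.tar.gz"
    rc=0
    fetch_verified "$(sha256_of "$w/m2/foo.tar.gz")" foo.tar.gz \
        "$w/dist" "$w/m1" "$w/m2" || rc=$?
    rm -rf "$w"
    return "$rc"
}
```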

