On Tue, Feb 17, 2004 at 02:20:46PM +0100, Michael Nottebrock wrote:
[distfile rerolls]

> I didn't know that I was supposed to perform a security audit and I did not do
> so. So if anyone happens to have the old distfile still around, please send
> it my way, cause I don't. I suggest next time instead of marking a port as
> BROKEN= Checksum mismatch, mark it as BROKEN= Needs security audit so I won't
> be tempted to fix it.

Distfile caches are great for this sort of thing. While updating a
checksum for a distfile wipes out many pre-reroll copies on many FreeBSD
mirrors, there are often copies available on FreeBSD machines that
haven't built the port since the checksum was updated or NetBSD
and/or OpenBSD distfile caches and sometimes even Linux distfile
caches, particularly Gentoo.

I use alltheweb.com, filesearching.com, filewatcher.com (which have FTP
search engines), Google Groups, and Google to search for the MD5 hashes
and the names of distfiles I want to track down. filesearching.com
can display file sizes in bytes and filewatcher.com embeds the byte counts
in some URLs it generates, making it easy to discern which distfiles are
(hopefully) identical.

For tmake-1.7.tar.gz, filesearching.com currently reports 30 FTP sites
which have copies of 46518 bytes in length, for example. At least a
few of these sites should still have the pre-reroll distfile.

Beyond that, I've used pavuk running multiple simultaneous connections
and fetch with -S to scour the 100+ distfile caches from the FTP mirror
sites listed in the FreeBSD Handbook.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/
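
Added example, not part of the original message: once candidate copies have been collected from caches, this Python sketch sorts them into pre-reroll and post-reroll copies by checking byte count and MD5 against the old and new distinfo entries. The distfile name is from the message; the `MD5 (...) =` / `SIZE (...) =` line format, the cache names and the file contents are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed distinfo line format: "MD5 (name) = hex", "SIZE (name) = bytes" (SIZE optional).
_LINE = re.compile(r"^(MD5|SIZE) \(([^)]+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {distfile name: {"MD5": hex string, "SIZE": int}}."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            kind, name, val = m.groups()
            entries.setdefault(name, {})[kind] = int(val) if kind == "SIZE" else val.lower()
    return entries

def classify(data, name, old, new):
    """Label one fetched copy as 'pre-reroll', 'post-reroll' or 'unknown'."""
    digest = hashlib.md5(data).hexdigest()
    for label, info in (("pre-reroll", old), ("post-reroll", new)):
        want = info.get(name, {})
        # Byte count is only a cheap pre-filter; the hash decides.
        if want.get("SIZE", len(data)) == len(data) and want.get("MD5") == digest:
            return label
    return "unknown"

def sort_candidates(candidates, name, old, new):
    """Map each source (mirror or cache) to the label of the copy it served."""
    return {src: classify(blob, name, old, new) for src, blob in candidates.items()}

def _distinfo_for(name, data, with_size=True):
    """Build a constructed distinfo entry for sample data."""
    text = "MD5 (%s) = %s\n" % (name, hashlib.md5(data).hexdigest())
    return text + ("SIZE (%s) = %d\n" % (name, len(data)) if with_size else "")

# Constructed sample: stand-in contents, not the real tmake tarball.
NAME = "tmake-1.7.tar.gz"
OLD_BLOB = b"constructed pre-reroll contents A"
NEW_BLOB = b"constructed post-reroll content B"   # same length, different bytes
OLD = parse_distinfo(_distinfo_for(NAME, OLD_BLOB, with_size=False))
NEW = parse_distinfo(_distinfo_for(NAME, NEW_BLOB))
CANDIDATES = {  # hypothetical cache names
    "cache-a.example": OLD_BLOB,
    "cache-b.example": NEW_BLOB,
    "cache-c.example": OLD_BLOB[:-1],  # truncated download
}

print(sort_candidates(CANDIDATES, NAME, OLD, NEW))
```

Copies labelled `unknown` match neither recorded checksum and are the ones to set aside for a closer look; the pre-reroll and post-reroll copies can then be unpacked and diffed.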