Tobez: no disrespect intended, obviously you saw a problem with the master sites for perl 5.8.7 and did what you could to help, and with your position as a maintainer, I know that the trust we have in you and your patches is well earned, so don't take this question as anything but my well-earned paranoia rearing its ugly head:

Yes, building perl5.8.7 did seem like it had a lot of problems with the master_sites which is why I went to the freebsd ports cvs tree and looked to see if they fixed it, however, I believe it would be prudent for me to ask:

How safe is this your site?
And, yes, in some of my build scripts I pull the distfiles from our local system due to some issues with some of the sites, however, how safe is tobez.org from hacking?
(ok, so, how safe is OUR site from hacking) or anyone's for that matter, so please don't take this as a challenge. I have enough to do not to have to go rebuilding our servers.

(from new Makefile for perl5.8)

    MASTER_SITES=		${MASTER_SITE_PERL_CPAN} \
    			${MASTER_SITE_LOCAL:S/$/:local/} \
    			http://www.tobez.org/download/port-mirrors/lang/perl58/:local
    MASTER_SITE_SUBDIR=	../../src \
    			tobez/:local ./:local
Michael Scheidell wrote:
> How safe is this your site?

This doesn't matter (much), since the ports code checks MD5 hashes before trusting a downloaded distfile.

Colin Percival
Ok, yes, there is that... Thanks.

> -----Original Message-----
> From: Colin Percival [mailto:cperciva@freebsd.org]
> Sent: Wednesday, June 29, 2005 5:41 PM
> To: Michael Scheidell
> Cc: freebsd-security@freebsd.org
> Subject: Re: Perl master site changed to tobez.org?
>
> Michael Scheidell wrote:
> > How safe is this your site?
>
> This doesn't matter (much), since the ports code checks MD5
> hashes before trusting a downloaded distfile.
>
> Colin Percival
Michael,

Sorry I did not reply earlier, I was on vacation.

On Wed, Jun 29, 2005 at 05:37:16PM -0400, Michael Scheidell wrote:
> Tobez: no disrespect intended, obviously you saw a problem with the
> master sites for perl 5.8.7 and did what you could to help, and with
> your position as a maintainer, I know that the trust we have in you and
> your patches is well earned, so don't take this question as anything but
> my well-earned paranoia rearing its ugly head:
>
> Yes, building perl5.8.7 did seem like it had a lot of problems with the
> master_sites which is why I went to the freebsd ports cvs tree and
> looked to see if they fixed it, however, I believe it would be prudent
> for me to ask:
>
> How safe is this your site?
> And, yes, in some of my build scripts I pull the distfiles from our
> local system due to some issues with some of the sites, however, how
> safe is tobez.org from hacking?
> (ok, so, how safe is OUR site from hacking) or anyone's for that matter,
> so please don't take this as a challenge. I have enough to do not to
> have to go rebuilding our servers.

I think you are missing several things here:

1. The ":local" suffix there represents an example of the use of the existing support for master site groups. In particular, only BSDPAN and the defined-or patch can in principle be stored there, not the perl tarball itself.

2. Unless you use master sites randomization, tobez.org will be the last place to go for the files in question.

3. Most importantly, if you do not trust existing md5 and size distinfo checks, you should probably not use the ports collection at all.

I hope this addresses your concerns,

Cheers,
\Anton.

--
The moronity of the universe is a monotonically increasing function.
-- Jarkko Hietaniemi
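The distinfo check that Colin and Anton refer to, as an added example that is not part of the thread or the ports framework's own code: a small POSIX shell re-implementation of the md5 and size verification the ports tree performs on a fetched distfile before trusting it. It assumes the 2005-era distinfo layout (MD5 and SIZE lines; today's ports tree records SHA256 instead) and uses a constructed fake tarball in place of the real perl-5.8.7 distfile.

```shell
#!/bin/sh
# Added example: re-implements the distinfo check the ports framework runs on a
# downloaded distfile. Assumed distinfo format (as used in 2005):
#   MD5 (file) = <hex digest>
#   SIZE (file) = <bytes>
# Uses md5sum (GNU) or md5 (BSD), whichever is installed.

# Hex MD5 digest of a file, portable across GNU and BSD userlands.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# File size in bytes (wc may pad with spaces on BSD, so strip them).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO FILE: returns 0 only if both SIZE and MD5 match.
# The recorded values come from the checked-out ports tree, so trust rests on
# that tree rather than on whichever master site happened to serve the file.
# The size check cheaply rejects truncated or padded downloads before hashing.
verify_distfile() {
    distinfo=$1; file=$2; name=$(basename "$file")
    want_md5=$(awk -v n="$name" '$1=="MD5" && $2=="(" n ")" {print $4}' "$distinfo")
    want_size=$(awk -v n="$name" '$1=="SIZE" && $2=="(" n ")" {print $4}' "$distinfo")
    [ -n "$want_md5" ] && [ -n "$want_size" ] || { echo "no distinfo entry for $name" >&2; return 1; }
    [ "$(size_of "$file")" = "$want_size" ] || { echo "size mismatch for $name" >&2; return 1; }
    [ "$(md5_of "$file")" = "$want_md5" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    echo "$name: OK"
}

# Constructed sample: a fake distfile, a distinfo generated from it, and a
# tampered copy of identical size (so only the hash check can catch it).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'fake perl tarball contents\n' > "$tmp/perl-5.8.7.tar.bz2"
{
    printf 'MD5 (perl-5.8.7.tar.bz2) = %s\n' "$(md5_of "$tmp/perl-5.8.7.tar.bz2")"
    printf 'SIZE (perl-5.8.7.tar.bz2) = %s\n' "$(size_of "$tmp/perl-5.8.7.tar.bz2")"
} > "$tmp/distinfo"
mkdir "$tmp/evil"; printf 'fake perl tarball contentX\n' > "$tmp/evil/perl-5.8.7.tar.bz2"

# Demo: the genuine file passes, the same-size tampered copy fails on the hash.
verify_distfile "$tmp/distinfo" "$tmp/perl-5.8.7.tar.bz2"
if verify_distfile "$tmp/distinfo" "$tmp/evil/perl-5.8.7.tar.bz2"; then echo "UNEXPECTED: tampered file accepted"; fi
```

The practical consequence matches Anton's third point: a compromised mirror can at most cause a checksum failure, whereas a compromised ports tree (which supplies both Makefile and distinfo) would not be caught by this check.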