| 1 |
Duncan wrote: |
| 2 |
> Mike Williams <mike@××××××××.uk> posted |
| 3 |
> 200607311656.36538.mike@××××××××.uk, excerpted below, on Mon, 31 Jul 2006 |
| 4 |
> 16:56:35 +0100: |
| 5 |
> |
| 6 |
>> On Monday 31 July 2006 16:47, Atoms wrote: |
| 7 |
>>>>> Nope. Works fine here. |
| 8 |
>>>> Okay, next question is, how do I clean portage up (sanely) to allow a |
| 9 |
>>>> re-download of the ebuild? |
| 10 |
>>> just do `ebuild |
| 11 |
>>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild |
| 12 |
>>> digest` and then emerge |
| 13 |
>> Err, no! |
| 14 |
>> The size didn't match for a reason. |
| 15 |
>> |
| 16 |
>> Delete the ebuild, and sync again. From a different mirror if possible. |
| 17 |
> |
| 18 |
> My reaction too -- don't just blindly digest and emerge unless you are |
| 19 |
> quite sure it's safe to do so (a dev explains it or you check viewcvs and |
| 20 |
> verify that the one there is the same, plus verify that the ebuild isn't |
| 21 |
> doing anything weird like retrieving "special" source |
| 22 |
> from warez.and.crakz.r.us or the like). |
| 23 |
> |
| 24 |
> THE WARNING ABOVE, INCORRECT SIZE OR OTHER FAILURE TO VERIFY, COULD |
| 25 |
> INDICATE A SECURITY ISSUE. SIMPLY REDIGESTING THE FAILED PACKAGE BYPASSES |
| 26 |
> THE CHECKS AND COULD LEAVE YOUR GENTOO MACHINE CRACKED WIDE OPEN AND NO |
| 27 |
> LONGER UNDER YOUR CONTROL!! |
| 28 |
> |
| 29 |
> I apologize for shouting, but your computer's security may depend on it. |
| 30 |
> Don't do something stupid! |
| 31 |
> |
| 32 |
> In actuality, it's much more likely simply broken or even an entirely |
| 33 |
> harmless difference like a missing newline or the like. However, you |
| 34 |
> can't KNOW that, and with various server in the FLOSS community having |
| 35 |
> already been found compromised, we know the crackers are trying, and it's |
| 36 |
> not out of the realm of possibility that a Gentoo server could be |
| 37 |
> compromised at some point. Thus, don't do something you might regret. |
| 38 |
> Either hand verify the ebuild if you know how to, or wait a few hours to a |
| 39 |
> day or two and the problem will probably have been resolved (or better, |
| 40 |
> file a bug and report it, asking if it's legit). |
| 41 |
> |
| 42 |
|
| 43 |
Since I'm not as up to speed as I really want to be on manipulating |
| 44 |
ebuilds and portage, I simply deleted the ebuild and re-sync'd, this one |
| 45 |
came down fine and is compiling now. I thought about a bug report, but |
| 46 |
I felt that to be too extreme a measure if I was the only person seeing |
| 47 |
the problem. However, the information on the possible security issues |
| 48 |
is quite appreciated, that method of infiltration never occurred to me, |
| 49 |
so I will be even more careful from now on with this. |
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
Fere libenter homines id quod volunt credunt. |
| 56 |
|
| 57 |
Mark Haney |
| 58 |
Sr. Systems Administrator |
| 59 |
ERC Broadband |
| 60 |
(828) 350-2415 |
| 61 |
-- |
| 62 |
gentoo-amd64@g.o mailing list |
Archives