Gentoo Archives: gentoo-amd64

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-amd64@l.g.o
Subject: [gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size
Date: Mon, 31 Jul 2006 17:09:47
Message-Id: eald65$v45$7@sea.gmane.org
In Reply to: Re: [gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size by Mike Williams
Mike Williams <mike@××××××××.uk> posted
200607311656.36538.mike@××××××××.uk, excerpted below, on Mon, 31 Jul 2006
16:56:35 +0100:

> On Monday 31 July 2006 16:47, Atoms wrote:
>> >> Nope. Works fine here.
>> >
>> > Okay, next question is, how do I clean portage up (sanely) to allow a
>> > re-download of the ebuild?
>>
>> just do `ebuild
>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>> digest` and then emerge
>
> Err, no!
> The size didn't match for a reason.
>
> Delete the ebuild, and sync again. From a different mirror if possible.

My reaction too -- don't just blindly digest and emerge unless you are
quite sure it's safe to do so (a dev explains it or you check viewcvs and
verify that the one there is the same, plus verify that the ebuild isn't
doing anything weird like retrieving "special" source
from warez.and.crakz.r.us or the like).

THE WARNING ABOVE, INCORRECT SIZE OR OTHER FAILURE TO VERIFY, COULD
INDICATE A SECURITY ISSUE. SIMPLY REDIGESTING THE FAILED PACKAGE BYPASSES
THE CHECKS AND COULD LEAVE YOUR GENTOO MACHINE CRACKED WIDE OPEN AND NO
LONGER UNDER YOUR CONTROL!!

I apologize for shouting, but your computer's security may depend on it.
Don't do something stupid!

In actuality, it's much more likely simply broken or even an entirely
harmless difference like a missing newline or the like. However, you
can't KNOW that, and with various servers in the FLOSS community having
already been found compromised, we know the crackers are trying, and it's
not out of the realm of possibility that a Gentoo server could be
compromised at some point. Thus, don't do something you might regret.
Either hand verify the ebuild if you know how to, or wait a few hours to a
day or two and the problem will probably have been resolved (or better,
file a bug and report it, asking if it's legit).

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

--
gentoo-amd64@g.o mailing list
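
The check discussed in the message above, as an added example that is not part of the original post and is not Portage's own code: it compares a file against a recorded size and hash and reports which checks fail, showing that a size mismatch alone cannot tell a stray newline from a changed download source. It assumes a Manifest line of the form `TYPE name size HASH hex ...`; the function names and all sample data are constructed for illustration.

```python
import hashlib

# Manifest hash names mapped to hashlib names (a subset, assumed for this example).
HASHES = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}

def parse_manifest_line(line):
    """Split 'TYPE name size HASH hex [HASH hex ...]' into its fields."""
    parts = line.split()
    if len(parts) < 5 or len(parts) % 2 == 0:
        raise ValueError("malformed Manifest line: %r" % line)
    digests = dict(zip(parts[3::2], parts[4::2]))
    return {"type": parts[0], "name": parts[1],
            "size": int(parts[2]), "digests": digests}

def verify(data, entry):
    """Return the list of failed checks; an empty list means the file matches."""
    failures = []
    if len(data) != entry["size"]:
        failures.append("size")
    checked = 0
    for algo, expected in entry["digests"].items():
        if algo not in HASHES:
            continue  # unknown algorithm: does not count as a verification
        checked += 1
        if hashlib.new(HASHES[algo], data).hexdigest() != expected.lower():
            failures.append(algo)
    if checked == 0:
        failures.append("no-supported-hash")  # fail closed, never pass by default
    return failures

# Constructed sample data, not a real ebuild or a real Manifest entry.
GOOD = b'DESCRIPTION="example"\nSRC_URI="https://example.org/example-1.0.tar.gz"\n'
LINE = "EBUILD example-1.0.ebuild %d SHA256 %s" % (
    len(GOOD), hashlib.sha256(GOOD).hexdigest())
ENTRY = parse_manifest_line(LINE)

APPENDED = GOOD + b"\n"  # the "harmless" case: one extra newline
SAME_SIZE = GOOD.replace(b"example.org", b"example.net")  # same length, other source

if __name__ == "__main__":
    for label, data in [("good", GOOD), ("appended", APPENDED),
                        ("same-size", SAME_SIZE)]:
        print(label, verify(data, ENTRY) or "OK")
```

Both altered files fail, and only the hash catches the same-size change; regenerating the recorded values from the local file would make either one pass.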

Replies

Subject Author
Re: [gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size Mark Haney <mhaney@××××××××××××.org>