Subject: Re: problem with download-vulnerability-list
To: Alistair Crooks <agc@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 07/28/2003 08:00:38
In message <20030728094622.GB19735@nef.pbox.org>, Alistair Crooks writes:
>On Sun, Jul 27, 2003 at 05:25:03PM -0400, Steven M. Bellovin wrote:
>> In message <Pine.NEB.4.53.0307272227490.199@forsaken.emlyn.absd.org>, David Brownlee writes:
>> >On Sun, 27 Jul 2003, David Maxwell wrote:
>> >
>> >> On Sun, Jul 27, 2003 at 09:12:54AM -0400, Steve Bellovin wrote:
>> >> > It's complaining that the new vulnerability list is shorter than the
>> >> > old one.
>> >>
>> >> Corrected. The combination of a 0 size change by a 4 char-name committer
>> >> after a 5-char name committer...
>> >>
>> >> One of these days I'll eliminate this size dependency scheme.
>> >
>> >	Maybe it could switch to 'wc -l'?
>> >
>> 
>> What's needed is some assurance that (a) the file wasn't truncated on 
>> download, and (b) that the file is newer than the previous one.  I 
>> suggest sha1 for the former and a timestamp -- date +%s will do -- for 
>> the latter.
>
>I disagree - you are suggesting two extra pieces of information to be
>downloaded (and maintained by NetBSD developers).  I think the
>suggestion of an EOF token is the best way to go, since the
>information is held in the vulnerabilities file, there is no other
>extraneous information to download, and two less things to worry about
>when updating the vulnerabilities file.

They don't have to be maintained manually, of course.  And I've seen 
far too many accidents involving wrong versions of files or truncated 
files to be happy with no extra checks.


		--Steve Bellovin, http://www.research.att.com/~smb
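The three checks argued over in this thread side by side, as an added example that is not the pkgsrc download-vulnerability-list script and not code from anyone on the thread. It assumes a hypothetical file layout: a "# timestamp: <seconds since epoch>" header line for the date +%s value, an "# EOF" marker as the last line for the EOF-token scheme, and a published sha1 digest compared against the downloaded bytes. The sample lists are constructed inline. Run stand-alone, it verifies a good download, then a download cut off before the last line (the sha1 and EOF checks catch it, the timestamp does not), then an intact but older list (sha1 and EOF pass, only the timestamp catches it), which is the case an in-file marker cannot detect on its own.

```python
"""Integrity checks for a downloaded vulnerability list (added example).

Assumed, hypothetical format: a '# timestamp: N' header line, tab-separated
entries, and a '# EOF' marker as the last line.  None of this is the real
pkgsrc file format.
"""
import hashlib
import re

EOF_TOKEN = b"# EOF"  # hypothetical end-of-file marker


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of the file contents, as a published digest would be."""
    return hashlib.sha1(data).hexdigest()


def check_digest(data: bytes, expected_hex: str):
    """(a) truncation/corruption: recompute sha1 and compare with the digest."""
    if sha1_hex(data) != expected_hex.strip().lower():
        return "sha1 mismatch: download truncated or corrupted"
    return None


def extract_timestamp(data: bytes):
    """Return the integer from the hypothetical '# timestamp: N' header, or None."""
    m = re.search(rb"^# timestamp: (\d+)\s*$", data, re.M)
    return int(m.group(1)) if m else None


def check_newer(data: bytes, previous_ts: int):
    """(b) wrong version: the new list must not be older than the installed one."""
    ts = extract_timestamp(data)
    if ts is None:
        return "no timestamp header in downloaded list"
    if ts < previous_ts:
        return "downloaded list (%d) is older than the installed one (%d)" % (ts, previous_ts)
    return None


def check_eof_token(data: bytes):
    """The EOF-token alternative: the last line must be the marker."""
    lines = data.splitlines()
    if not lines or lines[-1].strip() != EOF_TOKEN:
        return "EOF token missing: download probably truncated"
    return None


def run_checks(data: bytes, expected_sha1: str, previous_ts: int) -> dict:
    """Run all three checks; each value is None on success or an error string."""
    return {
        "sha1": check_digest(data, expected_sha1),
        "timestamp": check_newer(data, previous_ts),
        "eof": check_eof_token(data),
    }


def make_list(timestamp: int, entries) -> bytes:
    """Build a constructed vulnerability list in the hypothetical format."""
    body = b"# timestamp: %d\n" % timestamp
    for pkg, kind, url in entries:
        body += b"%s\t%s\t%s\n" % (pkg, kind, url)
    return body + EOF_TOKEN + b"\n"


# Constructed sample entry; the package, class and URL are placeholders.
ENTRIES = [(b"example-1.0", b"example-advisory", b"http://example.invalid/adv-1")]

if __name__ == "__main__":
    installed_ts = 1000  # timestamp of the list already on the machine
    good = make_list(2000, ENTRIES)
    print("good     ", run_checks(good, sha1_hex(good), installed_ts))
    # Download cut off before the final line: sha1 and EOF token both fail.
    truncated = good[:-len(EOF_TOKEN) - 1]
    print("truncated", run_checks(truncated, sha1_hex(good), installed_ts))
    # Intact but stale list served with its own correct digest: only the
    # timestamp check notices.
    stale = make_list(500, ENTRIES)
    print("stale    ", run_checks(stale, sha1_hex(stale), installed_ts))
```

The digest has to come from somewhere other than the file itself (a separate .sha1 file or a signed index), which is the extra download Alistair objects to; the timestamp, like the EOF marker, can live inside the file and be emitted by whatever regenerates it, so neither needs hand maintenance.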