Subject: Re: Heads up: suspicious source distribution of OpenSSH 3.4p1 found (xs4)
To: NetBSD tech-security list <tech-security@netbsd.org>
From: Giles Lean <giles@nemeton.com.au>
List: tech-pkg
Date: 08/03/2002 10:26:55
"Steven M. Bellovin" <smb@research.att.com> wrote:

> No -- the most common cause of checksum failures in pkgsrc is a file 
> remaining from a partial or interrupted download.  There would be far 
> too many false positives.

Providing the mismatch reports included the file size information from
the reporting end, mismatches due to truncated downloading could
easily be filtered?

Perhaps the package system could distribute a couple of file sizes
along with the checksum:

1. the correct size, so that users can be warned if their download
   appears to be truncated

2. the size if the file is FTP'd in ASCII mode :-(

Regards,

Giles
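The scheme sketched above, as an added example that is not part of the original message and not pkgsrc's own distinfo or fetch code: a checker that distributes the correct size and the size the file would have after an ASCII-mode FTP transfer alongside the digest, and uses the two sizes to tell a truncated download and a line-ending-mangled download apart from a file whose contents were really altered. The record layout, the function names, the sample bytes and the choice of SHA-256 are all assumptions made for this example; the ASCII-mode size assumes the common case of a Unix-style file arriving with every LF expanded to CRLF.

```python
"""Classify a distfile checksum mismatch using expected sizes.

Added example only: not the original message's code and not pkgsrc's.
It assumes a hypothetical distinfo-style record carrying, beside the
digest, the correct size and the size after an ASCII-mode FTP transfer
(each LF expanded to CRLF), which is the extra metadata proposed above.
"""
import hashlib


def expected_record(data: bytes) -> dict:
    """Record a packager would publish for one distfile (assumed layout)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        # ASCII-mode transfer onto a CRLF system turns each LF into CRLF,
        # so the file grows by one byte per LF (assumption for this example).
        "ascii_size": len(data) + data.count(b"\n"),
    }


def classify(downloaded: bytes, rec: dict) -> str:
    """Return one of: ok, truncated, ascii_mode_transfer,
    corrupt_or_tampered, size_mismatch."""
    if hashlib.sha256(downloaded).hexdigest() == rec["sha256"]:
        return "ok"
    n = len(downloaded)
    if n < rec["size"]:
        # Shorter than published: the partial/interrupted download case
        # that makes raw checksum failures so noisy.
        return "truncated"
    if n == rec["ascii_size"]:
        # Undo a LF -> CRLF expansion and see whether the digest comes back.
        reverted = downloaded.replace(b"\r\n", b"\n")
        if hashlib.sha256(reverted).hexdigest() == rec["sha256"]:
            return "ascii_mode_transfer"
    if n == rec["size"]:
        # Same length, different bytes: the case worth a human's attention.
        return "corrupt_or_tampered"
    return "size_mismatch"


def mismatch_report(name: str, downloaded: bytes, rec: dict) -> str:
    """One report line that includes the sizes a maintainer would want."""
    verdict = classify(downloaded, rec)
    return (f"{name}: {verdict} "
            f"(got {len(downloaded)} bytes, expected {rec['size']}, "
            f"ascii-mode {rec['ascii_size']})")


if __name__ == "__main__":
    # Constructed sample "distfile"; binary bytes and a bare CRLF included
    # so the ASCII-mode reversal is exercised on awkward input.
    original = b"#!/bin/sh\necho hi\r\n\x00\xff\n"
    rec = expected_record(original)
    samples = {
        "intact": original,
        "truncated": original[:-5],
        "ascii-mode": original.replace(b"\n", b"\r\n"),
        "altered": original[:-1] + b"X",
        "appended": original + b"junk",
    }
    for label, blob in samples.items():
        print(mismatch_report(label, blob, rec))
```

The ordering matters: a file shorter than the published size is reported as truncated without further analysis, while a same-length digest failure is the only outcome the reporting side should treat as suspicious; the ASCII-mode check is a reversal plus re-hash rather than a size comparison alone, so a file that merely happens to be the right length does not get excused.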