Re: PKGSRC_SETENV?= ${SETENV} -i

To: David Sainty <dave%dtsp.co.nz@localhost>
Subject: Re: PKGSRC_SETENV?= ${SETENV} -i
From: Marc Espie <espie%nerim.net@localhost>
Date: Fri, 7 Jun 2013 16:16:23 +0200

On Fri, Jun 07, 2013 at 11:54:53PM +1200, David Sainty wrote:
> The situation for fetching is Very Very different to building phases,
> because there's already a repeatability firewall, in the form of
> distinfo digests, that makes it impossible for misbehaviour in the fetch
> phase to go unnoticed - and so the environment will never have any
> bearing on the final contents of the package.

Difficult, not impossible. Especially for a motivated attacker.
Both md5 and sha1 have  known birthday attacks.

gzip, bzip2, tar, ignore garbage at end of archives...

Follow-Ups:
- Re: PKGSRC_SETENV?= ${SETENV} -i
  - From: David Sainty
- Re: PKGSRC_SETENV?= ${SETENV} -i
  - From: Alistair Crooks

References:
- Re: PKGSRC_SETENV?= ${SETENV} -i
  - From: Taylor R Campbell
- Re: PKGSRC_SETENV?= ${SETENV} -i
  - From: David Sainty

Prev by Date: Re: PKGSRC_SETENV?= ${SETENV} -i
Next by Date: Re: PKGSRC_SETENV?= ${SETENV} -i
Previous by Thread: Re: PKGSRC_SETENV?= ${SETENV} -i
Next by Thread: Re: PKGSRC_SETENV?= ${SETENV} -i
Indexes:

Home | Main Index | Thread Index | Old Index