
Thread: Firefox-1.5.0.5 ebuild file size




2006-07-31 17:04:06
Mike Williams <mikegaima.co.uk> posted 200607311656.36538.mikegaima.co.uk, excerpted below, on Mon, 31 Jul 2006 16:56:35 +0100:

> On Monday 31 July 2006 16:47, Atoms wrote:
>> >> Nope. Works fine here.
>> >
>> > Okay, next question is, how do I clean portage up (sanely) to allow a
>> > re-download of the ebuild?
>>
>> just do `ebuild
>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>> digest` and then emerge
>
> Err, no!
> The size didn't match for a reason.
>
> Delete the ebuild, and sync again. From a different mirror if possible.

My reaction too -- don't just blindly digest and emerge unless you are quite sure it's safe to do so (a dev explains it or you check viewcvs and verify that the one there is the same, plus verify that the ebuild isn't doing anything weird like retrieving "special" source from warez.and.crakz.r.us or the like).

THE WARNING ABOVE, INCORRECT SIZE OR OTHER FAILURE TO VERIFY, COULD INDICATE A SECURITY ISSUE.  SIMPLY REDIGESTING THE FAILED PACKAGE BYPASSES THE CHECKS AND COULD LEAVE YOUR GENTOO MACHINE CRACKED WIDE OPEN AND NO LONGER UNDER YOUR CONTROL!!

I apologize for shouting, but your computer's security may depend on it. Don't do something stupid!

In actuality, it's much more likely simply broken or even an entirely harmless difference like a missing newline or the like. However, you can't KNOW that, and with various servers in the FLOSS community having already been found compromised, we know the crackers are trying, and it's not out of the realm of possibility that a Gentoo server could be compromised at some point.  Thus, don't do something you might regret. Either hand verify the ebuild if you know how to, or wait a few hours to a day or two and the problem will probably have been resolved (or better, file a bug and report it, asking if it's legit).

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." 
Richard Stallman

-- 
gentoo-amd64gentoo.org mailing list
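
The size and digest check discussed in this message, as an added example that is not part of the original post or Portage's own code: it compares a file against a recorded entry and reports which field fails, without ever regenerating the entry. It assumes the Manifest2 line layout (type, file name, size, then hash-name/value pairs); the file name, contents and URLs are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_manifest_line(line):
    """Parse 'TYPE name size HASH value [HASH value ...]' into a dict."""
    fields = line.split()
    if len(fields) < 5 or len(fields[3:]) % 2:
        raise ValueError("malformed Manifest line: %r" % line)
    hashes = dict(zip(fields[3::2], fields[4::2]))
    return {"type": fields[0], "name": fields[1], "size": int(fields[2]),
            "hashes": {k.lower(): v.lower() for k, v in hashes.items()}}

def verify(path, entry):
    """Return a list of mismatch descriptions; an empty list means the file matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    problems = []
    if len(data) != entry["size"]:
        problems.append("size: expected %d, got %d" % (entry["size"], len(data)))
    checked = 0
    for algo, expected in entry["hashes"].items():
        if algo not in hashlib.algorithms_available:
            continue  # e.g. RMD160 is not named this way in hashlib
        checked += 1
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected:
            problems.append("%s: expected %s, got %s" % (algo, expected, actual))
    if checked == 0:
        problems.append("no usable hash in entry; treat as unverified")
    return problems

def demo():
    # Constructed sample: a known-good body, a same-length altered copy,
    # and a copy missing its final newline.
    good = b"# constructed ebuild body\nSRC_URI=\"https://example.org/src.tar.bz2\"\n"
    tampered = good.replace(b"example.org", b"example.net")
    line = "EBUILD sample-1.0.ebuild %d SHA256 %s" % (len(good), hashlib.sha256(good).hexdigest())
    entry = parse_manifest_line(line)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, body in (("good", good), ("tampered", tampered), ("truncated", good[:-1])):
            p = os.path.join(d, entry["name"])
            with open(p, "wb") as fh:
                fh.write(body)
            results[label] = verify(p, entry)
    return results

if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else "MISMATCH: " + "; ".join(problems))
```

The same-length altered copy passes the size check and is caught only by the hash, while the copy missing a newline fails both; the check alone cannot tell which kind of difference it is looking at.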
