Joerg Sonnenberger wrote:
> On Thu, Aug 24, 2006 at 02:43:30PM -0400, Seth Hanford wrote:
>> Instead of spending time finding and implementing new hashes, the
>> infrastructure need only check all the hashes instead of just SHA1 (or
>> two of the three, even) & size. Looking through ports(7) and
>> bsd.port.mk(5), I didn't find such an option, but it may already exist.
>
> It does check all three.

Can you enlighten me how? My tests showed otherwise:

OpenBSD 3.9-stable (GENERIC.MP) #0: Fri Jun 16 10:46:24 EDT 2006
root@thomas.ckure.com:/usr/src/sys/a...ile/GENERIC.MP

$cd /usr/ports/devel/p5-Cache-Mmap
$cat distinfo
MD5 (Cache-Mmap-0.09.tar.gz) = fef44673771a0f1f14982ae719f57221
RMD160 (Cache-Mmap-0.09.tar.gz) = bea768cfe8e6cb1207680bf676c4e3d097737dd3
SHA1 (Cache-Mmap-0.09.tar.gz) = c2088ec6c3bba6eafe09ba71fa0508a4699e51cf
SIZE (Cache-Mmap-0.09.tar.gz) = 21463

$sudo make fetch
===> Checking files for p5-Cache-Mmap-0.09
>> Cache-Mmap-0.09.tar.gz doesn't seem to exist on this system.
>> Fetch
ftp://ftp.funet.fi/pub/languages/per...ap-0.09.tar.gz.
Unknown command
100% |************************************************* *| 21463
00:00
>> Size matches for /usr/ports/distfiles/Cache-Mmap-0.09.tar.gz
^^^^^^^^^^^^
$vi distinfo

$cat distinfo
MD5 (Cache-Mmap-0.09.tar.gz) = fef44673771a0f1f14982ae719f57220
^^^
RMD160 (Cache-Mmap-0.09.tar.gz) = bea768cfe8e6cb1207680bf676c4e3d097737dd2
^^^
SHA1 (Cache-Mmap-0.09.tar.gz) = c2088ec6c3bba6eafe09ba71fa0508a4699e51cf
SIZE (Cache-Mmap-0.09.tar.gz) = 21463

$sudo make package
===> Checking files for p5-Cache-Mmap-0.09
`/usr/ports/distfiles/Cache-Mmap-0.09.tar.gz' is up to date.
>> Checksum OK for Cache-Mmap-0.09.tar.gz. (sha1)
^^^^^^
===> Extracting for p5-Cache-Mmap-0.09
===> Patching for p5-Cache-Mmap-0.09
===> Configuring for p5-Cache-Mmap-0.09
WARNING! I can't test for the existence of mmap() yet.
If your system does not provide mmap(), you will be unable
to compile this module.
Checking if your kit is complete...
Looks good
Writing Makefile for Cache::Mmap
===> Building for p5-Cache-Mmap-0.09

<SNIP>

===> Faking installation for p5-Cache-Mmap-0.09

<SNIP>

===> Building package for p5-Cache-Mmap-0.09
Switching to /usr/ports/devel/p5-Cache-Mmap/pkg/PFRAG.shared
Link to /usr/ports/packages/i386/ftp/p5-Cache-Mmap-0.09.tgz
Link to /usr/ports/packages/i386/cdrom/p5-Cache-Mmap-0.09.tgz

Is this something I can enable (and put into site.tgz?) to secure my
builds? Nothing so far in my cursory checks/searches (aka for
"checksum") in man bsd.port.mk or man ports. Can it be default? I'm fine
if it's only an "enable-me" feature (for example if checksumming on some
platforms is slow/undesirable) - so long as I can willfully incur the
performance/other hit for safety.

- Seth

> Joerg