Am 16.05.2017 um 14:00 schrieb Renato Botelho: > On 16/05/17 08:54, Renato Botelho wrote: >> Hello Mathias, >> >> I was trying to get openvpn23 installed from quarterly branch and got >> the following error: >> >> root@buildbot1:/usr/local/poudriere/ports/pfSense_v2_3/security/openvpn23 >> # make checksum >> ===> License GPLv2 accepted by the user >> ===> openvpn23-2.3.15 depends on file: /usr/local/sbin/pkg - found >> => openvpn-2.3.15.tar.xz doesn't seem to exist in >> /usr/local/poudriere/ports/pfSense_v2_3/distfiles/. >> => Attempting to fetch >> http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz >> fetch: >> http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz: >> size mismatch: expected 863384, actual 829240 >> => Attempting to fetch >> http://build.openvpn.net/downloads/releases/openvpn-2.3.15.tar.xz >> fetch: >> http://build.openvpn.net/downloads/releases/openvpn-2.3.15.tar.xz: size >> mismatch: expected 863384, actual 829240 >> => Attempting to fetch >> http://distcache.FreeBSD.org/ports-distfiles/openvpn-2.3.15.tar.xz >> fetch: >> http://distcache.FreeBSD.org/ports-distfiles/openvpn-2.3.15.tar.xz: Not >> Found >> => Couldn't fetch it - please try to retrieve this >> => port manually into /usr/local/poudriere/ports/pfSense_v2_3/distfiles/ >> and try again. >> *** Error code 1 >> >> Stop. >> make: stopped in /usr/local/poudriere/ports/pfSense_v2_3/security/openvpn23 >> > > Just FYI, I've downloaded current tarball from OpenVPN website and > checked it using GPG and it's OK. I'm not sure why they rerolled tarball > tough. >
Hi Renato, there is a size difference on the tarballs between swupdate and build. Working together with Gert Döring via IRC, and diffing the tarballs from the two download sites, we figured out that the smaller tarball on build.openvpn.net carries a pre-release tarball that did NOT fix CVE-2017-7478, only -7479, but should never have been made public. The bigger tarball on swupdate.openvpn.net carries garbage files that do not end up in our build, but also carries the fix for BOTH CVE-2017-7478 and -7479. For details, see the commit log of r441129 at <https://svnweb.freebsd.org/ports/branches/2017Q2/security/openvpn23/Makefile?revision=441129&view=markup> So I've chosen to remove build.openvpn.net from the DISTSITES for now, under ports-secteam@'s blanket approval. Upstream maintainers will need to talk about this and may need to release 2.3.16 to resolve any uncertainties. I have uploaded the intact 2.3.15 tarball to my local public_distfiles, so we can add LOCAL/mandree/ to the DISTSITES later on should that prove necessary. Renato, thanks for bringing this up! Best regards, Matthias
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel