Apologies, I mixed up this one and the other thread.
Cheers, Franco > On 22. Jan 2019, at 5:27 PM, Franco Fichtner <[email protected]> wrote: > > >> On 22. Jan 2019, at 5:15 PM, Stefan Bethke <[email protected]> wrote: >> >> On top of ports and packages depending on PEAR modules, some ports download >> archives containing vendored versions, for example, mail/roundcube. For >> roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 >> to clarify. > > I fail to understand how mismatching package checksums for > cached package files are indication of compromised distfiles > which have pinned size and checksums in the FreeBSD ports > tree since forever. > > If you say you build your own packages (and install them) > a mismatch in pkg-cache files is normal because pkg will > complain about a drift between the mirror-provided packages > and your local ones when it detects them which happens when > you have a package file created from different sources, > the ports tree and the binary mirror. > > This will likely get rid of the mismatch by merely purging > your local package cache... > > # pkg clean -ya > > > Cheers, > Franco _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
