Yes, it's easy to reproduce with "make fetch". I guess one could debate if it's correct to pass the fetch stage with a bad download only to get caught later. To play devil's advocate, if there are multiple sites and/or site sources provided, sites that may have the correct checksum, it could never be successfully fetched (unless site sources are randomized, then you might get it by chance). So I think there's a reasonable argument to do the check during the fetch phase.
Also, the hash is generated every time the port is built, so say a specific port is built 5 times with the same distfile. That would be a total of 6 hash generations, so that's not a 100% increase, only 20%.

John

On Fri, May 16, 2025 at 9:53 AM Ronald Klop <[email protected]> wrote:
> I can't reproduce your issue. Made a deliberate typo in the checksum in a
> distinfo file and get this error.
>
> ===> Extracting for mongodb70-7.0.20
> => SHA256 Checksum mismatch for mongodb-mongo-r7.0.20_GH0.tar.gz.
> ...
> ===> Giving up on fetching files: mongodb-mongo-r7.0.20_GH0.tar.gz
> Make sure the Makefile and distinfo file (/usr/ports/databases/mongodb70/distinfo)
> are up to date. If you are absolutely sure you want to override this
> check, type "make NO_CHECKSUM=yes [other args]".
> *** Error code 1
>
> NB: I now realize the check happens on extract instead of fetch. I think
> because people can get the files from other sources than only do-fetch. And
> doing the check twice is a bit expensive for a checksum compared to
> checking the file size. But I didn't design this.
>
> Regards,
> Ronald.
>
> *From:* "John Marino (FreeBSD)" <[email protected]>
> *Date:* Friday, 16 May 2025 16:17
> *To:* [email protected]
> *Subject:* do-fetch.mk never actually verifies the sha256 checksum
>
> For each distribution file listed in a port's distinfo file, the file's
> size and SHA256 hash is provided. However, after a distribution file
> candidate is downloaded, only the file's size is verified to match the
> requirements. The downloaded file is never hashed to verify it matches the
> required checksum.
>
> Basic logic per file:
> 1. Verify an SHA256 list for the file is present in the distinfo file.
> 2. Attempt fetch requiring file size listed in distinfo (size requirement
> may be ignored)
> 3. Upon successful download, verify downloaded file size matches
> requirement.
> 4. If file size matches => success (otherwise try backup sites or FAIL)
>
> I assume the original intent was to first check file size, and then
> calculate the SHA256 sum of the downloaded file and compare that to the
> distinfo requirements.
>
> So currently it's possible to successfully fetch a distribution file that
> has the same size but a different checksum than the file specified in
> distinfo.
>
> To iterate -- the do-fetch.mk requires distinfo to provide an SHA256
> checksum, but it doesn't do anything with it.
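The two checks the thread contrasts, written out as an added example (this is illustrative code, not the ports framework's own do-fetch.mk logic): a small parser for the `SHA256 (file) = …` / `SIZE (file) = …` lines of a distinfo file, a size-only verifier matching the behaviour John describes, and the intended size-then-SHA256 verifier. The distinfo content, the distfile name `example-1.0.tar.gz` and the two file bodies are constructed for the demo; the constructed "tampered" body has exactly the same length as the genuine one, so the size-only check accepts it while the full check rejects it.

```python
import hashlib
import os
import re
import tempfile

# Line format used in a FreeBSD ports distinfo file (TIMESTAMP lines are ignored):
#   SHA256 (distfile) = <64 hex chars>
#   SIZE (distfile) = <bytes>
DISTINFO_RE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {distfile: {"SHA256": hexdigest, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if not m:
            continue
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def sha256_of_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large distfiles are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_size_only(path, entry):
    """The behaviour described in the thread: only the byte count is compared."""
    return os.path.getsize(path) == entry["SIZE"]


def check_size_and_sha256(path, entry):
    """The intended check: cheap size comparison first, then the SHA256 digest."""
    if os.path.getsize(path) != entry["SIZE"]:
        return False, "size mismatch"
    if sha256_of_file(path) != entry["SHA256"]:
        return False, "SHA256 checksum mismatch"
    return True, "ok"


def demo():
    """Run both verifiers over a genuine and a same-size tampered distfile (both constructed)."""
    good = b"original distfile contents\n"
    bad = b"tampered distfile contents\n"  # constructed: same length, different bytes
    assert len(good) == len(bad)
    # Constructed distinfo describing only the genuine file.
    distinfo = (
        "TIMESTAMP = 1700000000\n"
        f"SHA256 (example-1.0.tar.gz) = {hashlib.sha256(good).hexdigest()}\n"
        f"SIZE (example-1.0.tar.gz) = {len(good)}\n"
    )
    entry = parse_distinfo(distinfo)["example-1.0.tar.gz"]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in (("good", good), ("bad", bad)):
            path = os.path.join(d, label)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = (check_size_only(path, entry), check_size_and_sha256(path, entry))
    return results


if __name__ == "__main__":
    for label, (size_ok, full) in demo().items():
        print(f"{label}: size-only={size_ok} size+sha256={full}")
```

The size check stays as a fast pre-filter; hashing only files that already pass it keeps the extra cost close to the single digest per download that the thread is weighing, and it is that digest, not the byte count, that actually distinguishes the two files above.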
