Thanks Christoph.
That still won't suffice in the test case I mentioned.

Given:
Site A contains file "x".  The number of bytes is correct, but the
checksum is wrong.
Site B also contains file "x" which is correct in both size and checksum.
The port file lists sites A and B as containing file "X" and site A is
listed first.

If the do-fetch code did the checksum verification, the file from site "A"
would be rejected and then site "B" would provide the correct file, which
would pass the subsequent checksum target.  But with the current do-fetch
target, it would download file "X" from site A and then fail the subsequent
checksum target.  The user would consider the port broken.

Granted, the test case would be rare, but not impossible.

I think the correct approach is to add the checksum verification after the
file size verification.  At the end of the day, I just thought I'd bring
this to people's attention so at least the devs could decide if they think
the behavior is fine or not.
On Fri, May 16, 2025 at 1:34 PM Christoph Moench-Tegeder <[email protected]>
wrote:

> ## John Marino (FreeBSD) ([email protected]):
>
> > For each distribution file listed in a port's distinfo file, the file's
> > size and SHA256 hash is provided.  However, after a distribution file
> > candidate is downloaded, only the file's size is verified to match the
> > requirements.  The downloaded file is never hashed to verify it matches
> > the required checksum.
>
> The distinfo check comes in the "checksum" target, and that's run
> past fetch and before extract (in case of "make all" - for more
> details check targets in bsd.port.mk).
>
> That's also well documented in bsd.port.mk:
> # Default sequence for "all" is:
> #
> #       check-sanity fetch checksum extract patch configure build
>
> (line 625, as of now).
>
> Regards,
> Christoph
>
> --
> Spare Space
>

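An added example, not from this thread or from bsd.port.mk, that plays out the test case above in POSIX shell: sites A and B are constructed temporary directories, and VERIFY_HASH is an assumed switch that selects between accepting the first size-correct candidate (the current do-fetch behavior) and hashing each candidate before accepting it (the proposed behavior).

```shell
#!/bin/sh
# Emulates do-fetch walking the site list in order. Constructed example.

# SHA256 of a file, portable across GNU coreutils and the FreeBSD base system.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

size_of() { wc -c < "$1" | tr -d ' '; }

# fetch_candidate DISTFILE EXPECTED_SIZE EXPECTED_SHA256 SITE...
# Copies DISTFILE into the current directory from the first acceptable site,
# prints that site, and returns 1 if no site is acceptable.
fetch_candidate() {
    distfile=$1; want_size=$2; want_sum=$3; shift 3
    for site in "$@"; do
        cp "$site/$distfile" "./$distfile" 2>/dev/null || continue
        if [ "$(size_of "$distfile")" != "$want_size" ]; then
            rm -f "./$distfile"; continue
        fi
        # The step the thread proposes: hash before accepting the candidate.
        # With VERIFY_HASH=0 (assumed switch) this mirrors the current
        # do-fetch, which keeps the first size-correct download.
        if [ "${VERIFY_HASH:-1}" = 1 ] && [ "$(sha256_of "$distfile")" != "$want_sum" ]; then
            rm -f "./$distfile"; continue
        fi
        echo "$site"; return 0
    done
    return 1
}

# Builds the test case from the thread: A has the right size but wrong
# bytes, B has the correct file. Prints the directory holding both sites.
setup_sites() {
    work=$(mktemp -d); mkdir "$work/A" "$work/B"
    printf 'good-bytes\n' > "$work/B/x"
    printf 'BAD--bytes\n' > "$work/A/x"   # same 11 bytes, different content
    echo "$work"
}
```

With VERIFY_HASH=0 the copy from A is kept and only a later checksum step can catch it; with VERIFY_HASH=1 A is rejected and B supplies the file.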