#49031: gstreamer010: checksum mismatch
---------------------------+--------------------------------
  Reporter:  m1@…          |      Owner:  macports-tickets@…
      Type:  defect        |     Status:  closed
  Priority:  Normal        |  Milestone:
 Component:  ports         |    Version:  2.3.3
Resolution:  invalid       |   Keywords:
      Port:  gstreamer010  |
---------------------------+--------------------------------
Changes (by ryandesign@…):

 * status:  new => closed
 * cc: ryandesign@… (added)
 * resolution:  => invalid

Comment:

 Replying to [comment:2 m1@…]:
 > Attached!
 Thanks. When I open that file in my web browser, and run its contents through Google Translate, I see that it is a message from Sophos (a security program) that the site mirrors.ustc.edu.cn -- which is one of the sites we have configured in MacPorts as a download location for gnome software -- may pose a threat.

 This type of non-standards-compliant meddling in network behavior on the part of Sophos is bound to confuse software like MacPorts that relies on the fact that when a file is requested from a network server, either the correct file is delivered, or an error message is produced; Sophos did neither.

 If you were able to avoid the use of Sophos by changing your DNS server, that'll work great for MacPorts, but of course your computer will no longer have the protection that Sophos claims to offer. In other words if you now visited a web site in your web browser that Sophos thinks is malicious, you would no longer be warned of that by Sophos.

 Note that there is very little risk of infection by a compromised server in the context of downloading distfiles with MacPorts. This is because whenever a port maintainer updates a port to a new version, they test it on their own system first, and they record the checksums of the correct distfile into the portfile. If a compromised server were somehow able to deliver a different file to your computer, MacPorts would reject it because it wouldn't match the checksums.

 In the case of this particular port, it looks like the file gstreamer-0.10.36.tar.bz2 no longer exists on the gnome mirror network (though it still exists on the MacPorts mirror network). Now, gnome only has the tar.xz format of this version — which is a smaller file, so maybe we should switch the port to use that.

--
Ticket URL: <https://trac.macports.org/ticket/49031#comment:4>
MacPorts <https://www.macports.org/>
Ports system for OS X
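
The checksum check described in the comment above, as an added example (not MacPorts code and not part of the original ticket): it compares a download against a recorded SHA-256 and, on mismatch, sniffs whether a web page was delivered in place of the archive. The names `sniff` and `verify_distfile`, the use of SHA-256 alone, and all sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# File-type signatures used to explain *why* a distfile failed verification.
BZIP2_MAGIC = b"BZh"
XZ_MAGIC = b"\xfd7zXZ\x00"


def sniff(data: bytes) -> str:
    """Best-effort guess at what was actually delivered."""
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data.startswith(XZ_MAGIC):
        return "xz"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def verify_distfile(data: bytes, recorded_sha256: str) -> dict:
    """Compare a download against the checksum recorded by the maintainer."""
    actual = hashlib.sha256(data).hexdigest()
    ok = hmac.compare_digest(actual, recorded_sha256.lower())
    result = {"ok": ok, "sha256": actual, "kind": sniff(data)}
    if not ok and result["kind"] == "html":
        result["hint"] = "web page delivered instead of the archive (proxy or filter?)"
    elif not ok:
        result["hint"] = "content differs from what the maintainer tested"
    return result


# Constructed sample data (not real distfile contents).
GOOD = b"BZh91AY&SY" + b"constructed tarball body" * 4
RECORDED = hashlib.sha256(GOOD).hexdigest()  # stands in for the portfile value
BLOCK_PAGE = b"\n<!DOCTYPE html><html><body>Site blocked</body></html>"
TAMPERED = GOOD[:-1] + b"X"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("block page", BLOCK_PAGE),
                       ("tampered", TAMPERED)]:
        print(name, verify_distfile(blob, RECORDED))
```

Both the block page and the altered archive are rejected; only the `kind` and `hint` fields differ, which separates an intercepted download from a changed file.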