Poisoned Savannah Mirror List
Fred Wright
fw at fwright.net
Tue Aug 4 22:21:45 UTC 2020
I was attempting to install gpsd (prior to an update for the new version),
and ran afoul of this:
---> Fetching distfiles for gpsd
---> Attempting to fetch gpsd-3.20.tar.gz from http://babyname.tips/mirrors/nongnu/gpsd
---> Verifying checksums for gpsd
Error: Checksum (rmd160) mismatch for gpsd-3.20.tar.gz
Error: Checksum (sha256) mismatch for gpsd-3.20.tar.gz
Error: Checksum (size) mismatch for gpsd-3.20.tar.gz
***
The non-matching file appears to be HTML. See this page for possible reasons
for the checksum mismatch:
<https://trac.macports.org/wiki/MisbehavingServers>
***
I don't know how "babyname.tips" got into the mirror list, since the name
suggests that it's completely inappropriate, but it seems to have been
there for almost three years, due to commit 49ffee556c1a. Perhaps that's
been benign until recently, but now viewing that directory gives:
babyname.tips is for sale on GoDaddy Auctions. Click here for more details.
And a bunch of other crap.
Making it worse is that MacPorts questions it based on its being HTML, but
stores it anyway, doesn't attempt to fetch it from any other mirrors, and
doesn't attempt another fetch unless you remove it (even though it was
renamed). Hence, it completely blocks a successful distfile fetch (unless
one does it manually).
There are also quite a lot of other discrepancies between the current
Savannah mirror list in mirror_sites.tcl and the one published at:
https://download-mirror.savannah.gnu.org/releases/00_MIRRORS.txt
Fred Wright
More information about the macports-dev
mailing list