[MacPorts] #49031: gstreamer010: checksum mismatch
MacPorts
noreply at macports.org
Fri Oct 2 17:41:57 PDT 2015
#49031: gstreamer010: checksum mismatch
---------------------------+--------------------------------
Reporter: m1@… | Owner: macports-tickets@…
Type: defect | Status: closed
Priority: Normal | Milestone:
Component: ports | Version: 2.3.3
Resolution: invalid | Keywords:
Port: gstreamer010 |
---------------------------+--------------------------------
Changes (by ryandesign@…):
* status: new => closed
* cc: ryandesign@… (added)
* resolution: => invalid
Comment:
Replying to [comment:2 m1@…]:
> Attached!

Thanks. When I open that file in my web browser, and run its contents
through Google Translate, I see that it is a message from Sophos (a
security program) that the site mirrors.ustc.edu.cn -- which is one of the
sites we have configured in MacPorts as a download location for gnome
software -- may pose a threat. This type of non-standards-compliant
meddling in network behavior on the part of Sophos is bound to confuse
software like MacPorts that relies on the fact that when a file is
requested from a network server, either the correct file is delivered, or
an error message is produced; Sophos did neither. If you were able to
avoid the use of Sophos by changing your DNS server, that'll work great
for MacPorts, but of course your computer will no longer have the
protection that Sophos claims to offer. In other words if you now visited
a web site in your web browser that Sophos thinks is malicious, you would
no longer be warned of that by Sophos.

Note that there is very little risk of infection by a compromised server
in the context of downloading distfiles with MacPorts. This is because
whenever a port maintainer updates a port to a new version, they test it
on their own system first, and they record the checksums of the correct
distfile into the portfile. If a compromised server were somehow able to
deliver a different file to your computer, MacPorts would reject it
because it wouldn't match the checksums.

In the case of this particular port, it looks like the file
gstreamer-0.10.36.tar.bz2 no longer exists on the gnome mirror network
(though it still exists on the MacPorts mirror network). Now, gnome only
has the tar.xz format of this version — which is a smaller file, so maybe
we should switch the port to use that.
--
Ticket URL: <https://trac.macports.org/ticket/49031#comment:4>
MacPorts <https://www.macports.org/>
Ports system for OS X
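
The checksum behaviour described in the message above, as an added example (not part of the original ticket and not MacPorts code): it checks a fetched file against a recorded SHA-256 and, on mismatch, looks at the leading bytes to tell an HTML page substituted in transit from a different archive. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Leading bytes of the two archive formats named in the ticket.
ARCHIVE_MAGIC = {b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz"}


def classify_payload(data: bytes) -> str:
    """Guess what was actually delivered from its first bytes."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    # Skip a UTF-8 BOM and leading whitespace before looking for markup.
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def check_distfile(data: bytes, recorded: dict) -> tuple:
    """Compare fetched bytes with the recorded checksums.

    Returns (ok, detail). Every recorded digest must match; on a
    mismatch, detail names the failing algorithm and the payload type.
    """
    for algo, want in recorded.items():
        got = hashlib.new(algo, data).hexdigest()
        if got != want.lower():
            kind = classify_payload(data)
            if kind == "html":
                return False, f"{algo} mismatch: received an HTML page, not an archive"
            return False, f"{algo} mismatch: payload looks like {kind}"
    return True, "all checksums match"


# Constructed sample data: a stand-in distfile, a stand-in block page,
# and an altered archive. None of these are real files.
GENUINE = b"BZh91AY&SY" + b"constructed stand-in for a distfile"
BLOCK_PAGE = b"<!DOCTYPE html><html><body>constructed block page</body></html>"
ALTERED = b"BZh91AY&SY" + b"constructed altered archive"

# What a maintainer would have recorded after testing the genuine file.
RECORDED = {"sha256": hashlib.sha256(GENUINE).hexdigest()}

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("block page", BLOCK_PAGE),
                        ("altered", ALTERED)):
        print(label, check_distfile(blob, RECORDED))
```

Either mismatch is rejected the same way; the payload type only helps decide whether to look at the network path or at the mirror.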