Changes between Version 97 and Version 98 of FAQ


Ignore:
Timestamp:
Apr 13, 2010, 2:56:52 PM (15 years ago)
Author:
raimue (Rainer Müller)
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • FAQ

    v97 v98  
    8383MacPorts computes checksums of downloaded files to ensure they aren't corrupted and haven't been tampered with. Each portfile lists the checksums for the files that the port will download (using md5, sha1 and/or rmd160). If the computed checksum of the downloaded file doesn't match the one listed in the portfile, that means the file you downloaded is not the one the port designer used when creating the port, and so MacPorts stops the installation.
    8484
    85 The first thing you should do if you get a checksum error is update your ports with `sudo port sync` — can you install the port now? If so, it means somebody else encountered the same checksum mismatch before and already fixed it.
    86 
    87 If updating doesn't help, then you should attempt to discover why there is a checksum mismatch. '''Please do NOT file a ticket without first ruling out a misconfiguration on your end. Also make sure that you specify which mirror your download came from when filing a ticket.''' There are several possible reasons for checksum mismatches:
    88 
    89  1. ''The file is corrupt''. If it was corrupted by the transfer, download it again (`port clean --all <portname>` and `port install <portname>`). If it is corrupted on the server, there is not much you can do about it. Open a bug in [http://trac.macports.org/newticket Trac] and assign it to the port's maintainer. As for solving the problem: if there are other mirrors, try one of them. You can also ask if someone has a complete file they can send you on the [http://lists.macosforge.org/mailman/listinfo/macports-users MacPorts users' mailing list].
     85First aid, download the file again:
     86{{{
     87$ sudo port selfupdate
     88$ sudo port clean --all <portname>
     89$ sudo port install <portname>
     90}}}
     91
     92If this doesn't help, then you should attempt to discover why there is a checksum mismatch.
     93
     94'''Please do NOT file a ticket without first ruling out a misconfiguration on your end. Also make sure that you specify which mirror your download came from when filing a ticket.'''
     95
     96There are several possible reasons for checksum mismatches:
     97
     98 1. ''The file is corrupt''. If it was corrupted by the transfer, download it again (as shown above). If it is corrupted on the server, there is not much you can do about it. Open a bug in [http://trac.macports.org/newticket Trac] and assign it to the port's maintainer. As for solving the problem: if there are other mirrors, try one of them. You can also ask if someone has a complete file they can send you on the [http://lists.macosforge.org/mailman/listinfo/macports-users MacPorts users' mailing list].
    9099 2. ''The developer has performed a "stealth upgrade"''. Sometimes upstream developers make "stealth upgrades" in which they change the contents of their distribution archive but not its version number, without informing MacPorts of this change. Perhaps the developer has repackaged the distribution with a different archiving program, or has fixed typos in the included documentation or made other presumably minor changes that did not warrant a regular release. This practice is not recommended because of the obvious difficulties it presents to MacPorts and other port systems that compute package checksums. Attempt to get confirmation from the developer of the software that this has occurred. If the developer cannot be reached, attempt to determine yourself whether a stealth upgrade has happened. [http://www.google.com/ Search the Internet] and try to locate the older version of the archive that matches the checksum in the portfile. Also download the version currently available on the developer's site, extract both, and compare the contents (for example with `diff -r -u <old> <new>`). If the changes look minor and benign, or there are no changes at all, then it is safe for you to update the checksum in the portfile, and the port maintainer should be informed of this so that they can make the change official. If you cannot determine whether a stealth upgrade has taken place, ask for help on the [http://lists.macosforge.org/mailman/listinfo/macports-users users' mailing list].
    91100 3. ''The file has been tampered with''. It is perhaps somewhat unlikely yet theoretically possible (and it has happened a few times in practice) that the archive being distributed by the developer (or by a mirror) has been genuinely compromised. If a hacker was able to manipulate the developer's (or the mirror's) server, the hacker could have uploaded a revised archive containing malware (a virus, a trojan horse, a spam-sending platform, etc.) of the hacker's choosing, and you would certainly not want to install such software. You must attempt to determine, as above, whether this has occurred by contacting the developer, or by locating an older version of the archive and comparing them. You can also contact the port maintainer or the [http://lists.macosforge.org/mailman/listinfo/macports-users users' mailing list].