This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug other/61439] contrib/download_prerequisites script does not verify integrity of packages


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61439

Moritz Klammler <moritz at klammler dot eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |moritz at klammler dot eu

--- Comment #4 from Moritz Klammler <moritz at klammler dot eu> ---
I have just discovered the same problem and re-wrote the script to verify
checksums and also polished it in general. Apparently, daube was faster than me
which is kind of ironic given that this issue was inactive for two years. I'm
posting my version anyways since I believe that the additional options accepted
by my version of the script might provide additional value.

The checksums are not hard-coded in my script but expected in a file
`contrib/prerequisites.md5` or `contrib/prerequisites.sha512`. The idea being
that somebody who has a trusted connection to the GNU archives checks in a
known-good version of the checksums files into the GCC repository and updates
them whenever GCC switches to a new version.

Especially since the script downloads over unencrypted connections, I think
that fixing this is really important.

Users can select to use MD5 instead of SHA512 (not recommended) or disable
checksum verification completely (definitely not recommended). Purely for
convenience, I also added a few other options. You can download and unpack the
packages in an off-tree directory with the `--directory` option. Personally, I
prefer having the downloads all in the `~/src/` directory with only symlinks
pointing upwards so I would pass `--directory ..`. I also changed the script to
not overwrite existing files by default which can be overridden by the
`--force` option. Finally, and perhaps most important, I added a `--help`
option that does what you expect.

I recognize that there is also a `download_ecj` script. If there is interest, I
can convert that as well or -- perhaps better -- merge the two scripts.
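
The fail-closed check this comment describes, as an added example that is not the script attached to the bug report: it looks up a tarball's expected SHA-512 in a checked-in checksum file and rejects files that have no entry. The function names, return codes, sample file names and the `sha512sum`-style file format are assumptions.

```shell
#!/bin/sh
# Added example (not the script attached to the bug report).
# Assumed checksum-file format: "<hex digest>  <file name>" per line, as
# written by sha512sum; file names are assumed to contain no whitespace.

# Print the SHA-512 hex digest of a file.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_prerequisite SUMFILE TARBALL
# Returns 0 on match, 1 on digest mismatch, 2 when the checksum file or the
# tarball is unreadable or has no entry (fail closed rather than skip).
verify_prerequisite() {
    vp_sums=$1
    vp_file=$2
    [ -r "$vp_sums" ] && [ -r "$vp_file" ] || return 2
    vp_name=$(basename "$vp_file")
    # Exact match on the name field; a leading "*" marks binary mode.
    vp_want=$(awk -v n="$vp_name" '{ f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit } }' "$vp_sums")
    [ -n "$vp_want" ] || return 2
    vp_have=$(sha512_of "$vp_file")
    [ "$vp_want" = "$vp_have" ] || return 1
    return 0
}

# Demo on constructed files: a good download, then the same file modified.
demo_dir=$(mktemp -d)
printf 'constructed tarball contents\n' > "$demo_dir/example-pkg.tar.bz2"
printf '%s  example-pkg.tar.bz2\n' "$(sha512_of "$demo_dir/example-pkg.tar.bz2")" \
    > "$demo_dir/prerequisites.sha512"
for step in original modified; do
    rc=0
    verify_prerequisite "$demo_dir/prerequisites.sha512" \
        "$demo_dir/example-pkg.tar.bz2" || rc=$?
    echo "$step: verify_prerequisite returned $rc"
    printf 'extra bytes\n' >> "$demo_dir/example-pkg.tar.bz2"
done
rm -rf "$demo_dir"
```

The check is only as trustworthy as the checksum file itself, which is why the comment has it come from the repository rather than from the same unencrypted download.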
