[tor-commits] [arm/packaging] Adding tarball dependencies for autofetching
commit 5442c4365d43bc706ec4e903644c54a56c633df3
Author: Damian Johnson <atagar@xxxxxxxxxxxxxx>
Date: Fri Jun 10 09:55:48 2011 -0700
Adding tarball dependencies for autofetching
The autofetched library dependencies weren't having their signatures checked,
making this a very stupid vulnerability when on an untrusted network (that
said, in practice you'd need to check arm's integrity for this fix to be
meaningful which isn't possible when it's coming from git). However, this is
probably better than nothing. Suggested by Sebastian and rransom
---
deps/cagraph-1.2.tar.gz | Bin 0 -> 22600 bytes
deps/fetch.sh | 29 +++++++++++++++++++++++++++++
deps/torctl.tar.gz | Bin 0 -> 64261 bytes
3 files changed, 29 insertions(+), 0 deletions(-)
diff --git a/deps/cagraph-1.2.tar.gz b/deps/cagraph-1.2.tar.gz
new file mode 100644
index 0000000..9ebc16e
Binary files /dev/null and b/deps/cagraph-1.2.tar.gz differ
diff --git a/deps/fetch.sh b/deps/fetch.sh
new file mode 100755
index 0000000..03ae800
--- /dev/null
+++ b/deps/fetch.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# This fetches copies of arm's library dependencies. They're relatively static
+# and provided with the tarball to avoid complicating the install process.
+#
+# TorCtl (https://gitweb.torproject.org/pytorctl.git)
+# 6/10/11 - be583e53b2bccf09a7126c5271f9af5682447903b6ac92cf1cf78ca5b35273ed
+#
+# cagraph (https://code.google.com/p/cagraph/)
+# 6/10/11 - a6928f07adb8f8d4b0076e01c0ec264e1acaaa6db21376c854fa827c9b04e3f3
+
+# removes old archives if they exist
+[ -f "torctl.tar.gz" ] && rm -f "torctl.tar.gz"
+[ -f "cagraph-1.2.tar.gz" ] && rm -f "cagraph-1.2.tar.gz"
+
+# retrieves torctl
+# note: This checksum changes with each fetch (maybe a timestamp's included?)
+git clone --quiet git://git.torproject.org/pytorctl.git
+cd pytorctl
+git archive --format=tar --prefix=TorCtl/ master | gzip > ../torctl.tar.gz
+cd ..
+rm -rf pytorctl
+
+# retrieves cagraph
+wget --quiet http://cagraph.googlecode.com/files/cagraph-1.2.tar.gz
+
+echo "Sha256 Checksums:"
+sha256sum torctl.tar.gz
+sha256sum cagraph-1.2.tar.gz
+
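Review bot: the script ends by printing the digests (`sha256sum torctl.tar.gz`, `sha256sum cagraph-1.2.tar.gz`) but never compares them with the values recorded in the header comment, so a tampered download over `git://` or `http://` still exits 0 and nothing fails unless a person compares 64 hex characters by eye. For cagraph, feed the recorded hash to `sha256sum -c -` and exit non-zero on mismatch. For torctl the comment on the clone step already admits the checksum changes with each fetch, which makes the recorded value unverifiable: the likely cause is the timestamp gzip writes into its header when reading from a pipe (`gzip -n` omits it), and archiving `master` rather than a pinned commit id means the content also changes whenever upstream moves. Separately, `cd pytorctl` is unguarded: if the clone fails, `git archive ... master` runs in whatever repository encloses the current directory and writes that into `torctl.tar.gz`, so use `cd pytorctl || exit 1` or `set -e` at the top.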
diff --git a/deps/torctl.tar.gz b/deps/torctl.tar.gz
new file mode 100644
index 0000000..d45820b
Binary files /dev/null and b/deps/torctl.tar.gz differ