[tor-commits] [arm/packaging] Adding tarball dependencies for autofetching

atagar at torproject.org atagar at torproject.org
Fri Jun 10 16:59:41 UTC 2011


commit 5442c4365d43bc706ec4e903644c54a56c633df3
Author: Damian Johnson <atagar at torproject.org>
Date:   Fri Jun 10 09:55:48 2011 -0700

    Adding tarball dependencies for autofetching
    
    The autofetched library dependencies weren't having their signatures checked,
    making this a very stupid vulnerability when on an untrusted network (that
    said, in practice you'd need to check arm's integrity for this fix to be
    meaningful which isn't possible when it's coming from git). However, this is
    probably better than nothing. Suggested by Sebastian and rransom
---
 deps/cagraph-1.2.tar.gz |  Bin 0 -> 22600 bytes
 deps/fetch.sh           |   29 +++++++++++++++++++++++++++++
 deps/torctl.tar.gz      |  Bin 0 -> 64261 bytes
 3 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/deps/cagraph-1.2.tar.gz b/deps/cagraph-1.2.tar.gz
new file mode 100644
index 0000000..9ebc16e
Binary files /dev/null and b/deps/cagraph-1.2.tar.gz differ
diff --git a/deps/fetch.sh b/deps/fetch.sh
new file mode 100755
index 0000000..03ae800
--- /dev/null
+++ b/deps/fetch.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# This fetches copies of arm's library dependencies. They're relatively static
+# and provided with the tarball to avoid complicating the install process.
+# 
+# TorCtl (https://gitweb.torproject.org/pytorctl.git)
+#   6/10/11 - be583e53b2bccf09a7126c5271f9af5682447903b6ac92cf1cf78ca5b35273ed
+# 
+# cagraph (https://code.google.com/p/cagraph/)
+#   6/10/11 - a6928f07adb8f8d4b0076e01c0ec264e1acaaa6db21376c854fa827c9b04e3f3
+
+# removes old archives if they exist
+[ -f "torctl.tar.gz" ] && rm -f "torctl.tar.gz"
+[ -f "cagraph-1.2.tar.gz" ] && rm -f "cagraph-1.2.tar.gz"
+
+# retrieves torctl
+# note: This checksum changes with each fetch (maybe a timestamp's included?)
+git clone --quiet git://git.torproject.org/pytorctl.git
+cd pytorctl
+git archive --format=tar --prefix=TorCtl/ master | gzip > ../torctl.tar.gz
+cd ..
+rm -rf pytorctl
+
+# retrieves cagraph
+wget --quiet http://cagraph.googlecode.com/files/cagraph-1.2.tar.gz
+
+echo "Sha256 Checksums:"
+sha256sum torctl.tar.gz
+sha256sum cagraph-1.2.tar.gz
+
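Review bot: The closing `sha256sum` calls only print the digests and never compare them with the checksums recorded in the header comment, so a tampered download still completes unless someone compares the values by eye. Both fetches use unauthenticated transports (`git://` and `http://`). For cagraph, which is a fixed file, consider enforcing the recorded value and failing on mismatch, for example `echo "<recorded sha256>  cagraph-1.2.tar.gz" | sha256sum -c - || exit 1`. Separately, `cd pytorctl` is unchecked: if the clone fails, `git archive` runs in whatever repository contains deps/ and the following `cd ..` leaves the script one directory up, so `set -e` or `cd pytorctl || exit 1` would be safer.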
diff --git a/deps/torctl.tar.gz b/deps/torctl.tar.gz
new file mode 100644
index 0000000..d45820b
Binary files /dev/null and b/deps/torctl.tar.gz differ
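Review bot: The committed torctl.tar.gz cannot be tied to a specific pytorctl revision from this diff, because fetch.sh archives `master` and its own comment says the checksum changes with each fetch, so the value recorded in the header describes only this one blob. Consider recording the pytorctl commit id next to the checksum and archiving that commit instead of `master`. If the timestamp guessed at in the comment is the cause, compressing with `gzip -n` (which leaves the timestamp out of the gzip header) would let the archive be rebuilt and compared.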


