# xscreensaver port cannot be fetched



## vist (Dec 10, 2013)

Hi folks!

I have run into an issue with FreeBSD x64 today. I tried building KDE4 from the latest ports tree (ports tree up to date on 10.12.2013) and the build breaks on the xscreensaver port. The cause is that the file xscreensaver-5.22.tar.gz is absent from FTP storage. Has anyone run into the same issue already? Is the file just missing or is there a specific directory where this file is being stored for now?


----------



## fonz (Dec 10, 2013)

Confirmed. x11/xscreensaver has been updated upstream but the port hasn't been updated yet. You can either wait for the port maintainer to update the port, or edit /usr/ports/x11/xscreensaver/Makefile to change PORTVERSION to 5.26, remove /usr/ports/x11/xscreensaver/distinfo and build again.


----------



## wblock@ (Dec 10, 2013)

Please remember that distinfo has checksums that help protect against compromised distfiles.  Do not remove or edit it without thinking about this.


----------



## fonz (Dec 10, 2013)

wblock@ said:
			
		

> Please remember that distinfo has checksums that help protect against compromised distfiles.  Do not remove or edit it without thinking about this.


That's a good shout. However, there's only one MASTER_SITE and the FreeBSD FTP server is only mirroring older distfiles of this port (i.e. not the version currently being mentioned in the ports tree). If at all possible, do indeed wait for the maintainer to update the port. But if you really can't wait I suppose you could take your chances with the new - but yet unchecksummed - distfile.


----------



## vist (Dec 11, 2013)

wblock@ said:
			
		

> Please remember that distinfo has checksums that help protect against compromised distfiles.  Do not remove or edit it without thinking about this.





> If at all possible, do indeed wait for the maintainer to update the port.



Yes, actually I have run into an issue already. The file itself had been downloaded, but I could not build it because of compilation errors. So, I would better wait for the maintainer to publish the updated port rather than build my KDE and fix post install issues then.


----------



## HK45 (Dec 17, 2013)

I ran into the same trouble this evening. One thing I noticed was that the install tried to get xscreensaver from the maintainers' site (www.jwz.org) first:


```
===>  Found saved configuration for xscreensaver-5.22_3
===>   xscreensaver-5.22_3 depends on file: /usr/local/sbin/pkg - found
=> xscreensaver-5.22.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://www.jwz.org/xscreensaver/xscreensaver-5.22.tar.gz
fetch: http://www.jwz.org/xscreensaver/xscreensaver-5.22.tar.gz: Not Found
=> Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/xscreensaver-5.22.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/xscreensaver-5.22.tar.gz: File unavailable (e.g., file not found, no access)
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1
```

I tried to look around on the site with my browser, but could not find the file there. I did find it in the Fedora repository though: http://pkgs.fedoraproject.org/repo/pkgs/xscreensaver/xscreensaver-5.22.tar.gz/f78dda2e82a4d22a87d0b7adbabc93f4/. I put it in my /usr/ports/distfiles/ and it seemed to work OK. That said, I am pretty new to FreeBSD, so I am not sure if this was a good thing, security-wise.


----------



## kpa (Dec 17, 2013)

As long as you don't get a complaint about non-matching SHA256 checksum you're totally  safe. It's extremely unlikely that a different file of the same length would produce the same SHA256 hash value. In cryptography that is called a "hash collision" and SHA256 is very resistant to collisions according to recent research.


----------

