Re: Security Run Output

From: Dan Langille <dan_at_langille.org>
Date: Sun, 02 Apr 2023 16:49:30 UTC
Charlie Li wrote on 3/26/23 5:48 PM:
> Gerard E. Seibert wrote:
>> For quite some time now, I have been receiving a warning message of
>> 1025 packages with mismatched checksums in the daily "Security Run
>> Output" email. They are all prefixed with "py39-"
>>
> Because Python packages that build using the older method of directly 
> executing setup.py, aka distutils, have not yet been switched to not 
> compile bytecode during the build. The trigger to compile/remove 
> bytecode after all pkg(8) transactions complete had been reverted due 
> to an overreaction and opportunity to make the process more resilient. 
> These particular checksum mismatches are completely harmless.
I don't wish to debate 'completely harmless'. I will state it was not 
without causing concern among users who use the `pkg check` data.

I am happy to hear that it has been reverted. I can confirm that after a 
few `pkg upgrade`s and `pkg install -f`s, the false positives have gone 
away.

Alert fatigue is a valid concern.  Reverting the change was the right 
thing to do.

Here's hoping that tomorrow's Security Run Output is clean.

-- 
Dan Langille - dan@langille.org
https://langille.org/
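The thread's point is that the py39-* mismatches come from .pyc files compiled after the package was installed, so the stored checksums no longer match, while a mismatch on any other file still deserves attention. The following is an added example (not from the list, from pkg(8), or from the FreeBSD ports tree) that sorts "checksum mismatch" lines into the two groups so the harmless ones stop drowning out the rest. It assumes the report format "<pkg>: checksum mismatch for <path>"; the sample lines and package names are constructed here, not copied from anyone's Security Run Output.

```shell
#!/bin/sh
# Triage "checksum mismatch" lines such as those produced by `pkg check -sa`.
# Added example, not pkg(8) code. Assumed line format (constructed sample):
#   <pkg>: checksum mismatch for <path>

# Constructed sample report: two post-install bytecode files and one binary.
SAMPLE_REPORT='py39-examplepkg-1.0: checksum mismatch for /usr/local/lib/python3.9/site-packages/examplepkg/__pycache__/core.cpython-39.pyc
py39-otherpkg-2.3: checksum mismatch for /usr/local/lib/python3.9/site-packages/__pycache__/otherpkg.cpython-39.pyc
example-tool-1.0: checksum mismatch for /usr/local/bin/example-tool'

# Returns 0 when the path is Python bytecode (.pyc/.pyo), 1 otherwise.
is_bytecode_path() {
    case "$1" in
        *.pyc|*.pyo) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads report lines on stdin; prints one tagged line per mismatch:
#   BYTECODE <pkg> <path>   -- bytecode compiled after install, expected noise
#   REVIEW   <pkg> <path>   -- anything else, look at it
# Lines that are not mismatch reports are ignored.
triage_report() {
    while IFS= read -r line; do
        case "$line" in
            *": checksum mismatch for "*) ;;
            *) continue ;;
        esac
        pkg=${line%%: checksum mismatch for *}
        path=${line#*: checksum mismatch for }
        if is_bytecode_path "$path"; then
            printf 'BYTECODE %s %s\n' "$pkg" "$path"
        else
            printf 'REVIEW   %s %s\n' "$pkg" "$path"
        fi
    done
}

# Counts the entries that still need a human; prints a bare integer.
review_count() {
    grep -c '^REVIEW' || true
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | triage_report
printf 'needs review: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | triage_report | review_count)"
```

On a live system the input would be the actual check output, e.g. `pkg check -sa 2>&1 | triage_report` (the `2>&1` is there because pkg(8) may report mismatches on stderr; that is an assumption, not something the thread states). This only separates the two classes; it does not make the bytecode entries go away. For that, the thread's own remedy applies: reinstalling the affected packages with `pkg install -f` after the ports change was reverted.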