svn commit: r324901 - head/biology/tinker
Bryan Drewery
bdrewery at FreeBSD.org
Sun Aug 18 22:34:43 UTC 2013
On 8/18/2013 1:48 PM, John Marino wrote:
> On 8/18/2013 14:55, Bryan Drewery wrote:
>> On 8/18/2013 6:38 AM, John Marino wrote:
>>> Author: marino
>>> Date: Sun Aug 18 11:38:34 2013
>>> New Revision: 324901
>>> URL: http://svnweb.freebsd.org/changeset/ports/324901
>>>
>>> Log:
>>> biology/tinker: Regenerate distinfo to unbreak fetch
>>>
>>> Apparently the distfile was rerolled. The sizes of the file are only a few
>>> bytes apart. Since the master site never changed, it's reasonable just to
>>> regenerate the distinfo and bump the PORTREVISION.
>>>
>>
>> *exactly* what changed needs to be known before we update the
>> distinfo. Did you do a comparison between the two tarballs?
>
> As I mentioned in the commit message, I couldn't obtain the first
> version. I didn't have it in any cache. Perhaps only the submitter of
> the PR 180518 could have done this.
I read the message the first time and it's not a valid justification.
The size could be the same (and different checksum) and have a backdoor.
>
> However, after committing, I realized I could have compared 6.2.06 with
> the previous version 6.2.05 which I did have. In any case, the tarball
> is from the same master site and this port has been broken for more than 30
> days. Had the tarball been compromised, it very likely would have been
> caught in such a long time. So do we trust the site or not?
We trust nothing. Upstreams can be compromised for *years* and not be known.
>
> John
>
--
Regards,
Bryan Drewery
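The check the thread asks for, as an added example that is not part of this e-mail exchange and not FreeBSD ports-tree code: verify a fetched distfile against the SHA256 and SIZE lines of a distinfo, and when it fails, extract it beside a cached copy of the previous distfile and diff the trees rather than regenerating distinfo on the strength of a similar size. Everything below is constructed for the demonstration: the two tarballs (old.tar and a same-size re-roll new.tar with a one-byte change in one file), the distinfo lines, and the directory layout. It assumes a POSIX shell with tar, diff, and one of sha256sum, shasum or sha256 on the host.

```shell
#!/bin/sh
# Added example, not FreeBSD ports code: verify a fetched distfile against
# the SHA256 and SIZE lines of a distinfo, and when it fails, show what
# changed relative to a cached copy of the previous distfile instead of
# regenerating distinfo blindly. Every file name, file content and distinfo
# line below is constructed for the demonstration.

set -u

# SHA-256 of a file, using whichever tool the host has
# (GNU coreutils sha256sum, Perl shasum, or BSD sha256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# distinfo_value DISTINFO FIELD NAME: the value recorded on the line
# "FIELD (NAME) = value", e.g. "SHA256 (pkg.tar) = <hex>".
distinfo_value() {
    sed -n "s/^$2 ($3) = //p" "$1"
}

# check_distinfo DISTINFO DISTFILE NAME
# Returns 0 when both SHA256 and SIZE match the recorded values, 1 otherwise.
# A matching size alone proves nothing: a re-rolled tarball can keep its
# size and still carry different content.
check_distinfo() {
    want_sum=$(distinfo_value "$1" SHA256 "$3")
    want_size=$(distinfo_value "$1" SIZE "$3")
    have_sum=$(sha256_of "$2")
    have_size=$(wc -c < "$2" | tr -d ' ')
    rc=0
    [ "$have_size" = "$want_size" ] || { echo "  SIZE mismatch: $have_size vs recorded $want_size"; rc=1; }
    [ "$have_sum" = "$want_sum" ] || { echo "  SHA256 mismatch: $have_sum vs recorded $want_sum"; rc=1; }
    return $rc
}

# changed_files OLD_TAR NEW_TAR
# Extract two uncompressed tarballs and report, via diff -rq, which paths
# differ, were added or were removed. This is the comparison to make
# before a re-rolled distfile is accepted.
changed_files() {
    d=$(mktemp -d)
    mkdir "$d/old" "$d/new"
    tar -xf "$1" -C "$d/old"
    tar -xf "$2" -C "$d/new"
    diff -rq "$d/old" "$d/new" | sed "s|$d/||g"
    rm -rf "$d"
}

# build_fixtures DIR: a constructed "old" tarball whose values go into
# distinfo, and a "new" re-roll of identical size in which one file has a
# one-byte change (a stand-in for an edit a checksum catches and a size
# comparison misses).
build_fixtures() {
    mkdir -p "$1/old/pkg/source" "$1/new/pkg/source"
    printf 'program main\nend\n' > "$1/old/pkg/source/main.f"
    printf 'program main\nend\n' > "$1/new/pkg/source/main.f"
    printf 'subroutine field\nend\n' > "$1/old/pkg/source/field.f"
    printf 'subroutine fie1d\nend\n' > "$1/new/pkg/source/field.f"
    tar -cf "$1/old.tar" -C "$1/old" pkg
    tar -cf "$1/new.tar" -C "$1/new" pkg
    {
        echo "SHA256 (pkg.tar) = $(sha256_of "$1/old.tar")"
        echo "SIZE (pkg.tar) = $(wc -c < "$1/old.tar" | tr -d ' ')"
    } > "$1/distinfo"
}

# Demonstration on the constructed fixtures.
W=$(mktemp -d)
build_fixtures "$W"
echo "old.tar against distinfo:"
check_distinfo "$W/distinfo" "$W/old.tar" pkg.tar && echo "  OK"
echo "new.tar (same size) against distinfo:"
check_distinfo "$W/distinfo" "$W/new.tar" pkg.tar || echo "  REJECT: find out what changed first"
echo "diff of extracted trees:"
changed_files "$W/old.tar" "$W/new.tar"
rm -rf "$W"
```

The re-rolled tarball passes the SIZE line and fails the SHA256 line, and diff -rq on the extracted trees names the one file that differs; only after reading that diff does regenerating distinfo become a decision rather than a guess.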