Date:      Wed, 22 May 2002 08:11:51 +0400
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        kris@obsecurity.org, ports@freebsd.org, portmgr@freebsd.org, core@freebsd.org
Subject:   My position on committers guide 10.4.4
Message-ID:  <20020522041150.GA92851@nagual.pp.ru>

This statement appears as a result of my conflict with Kris Kennaway, who 
insists on rule #10.4.4.

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#Q10.4.4.

I am in strong disagreement with this rule because, in general, the tasks 
described there are not a porter's tasks. Let's go into details. First of all, 
here is the whole text, to make the citation easy to find:

---------------
10.4.4. What is the proper procedure for updating the checksum for a 
port's distfile when the file changes without a version change?

When the checksum for a port's distfile is updated due to the author 
updating the file without changing the port's revision, the commit message 
should include a summary of the relevant diffs between the original and 
new distfile to ensure that the distfile has not been corrupted or 
maliciously altered. If the current version of the port has been in the 
ports tree for a while, a copy of the old distfile will usually be 
available on the ftp servers; otherwise the author or maintainer should be 
contacted to find out why the distfile has changed.
-----------

1) As a porter, I am already sure, when making the port, that the "distfile 
has not been corrupted"; there is no need to reflect it in the commit message 
somehow.

2) As a porter, all I do is the port, and it is not my task to do the tests 
needed to be sure that the distfile is not "maliciously altered". Probably it 
is the local security officer's task.

2.1) For a binary port (as in my conflict, for example) code analysis is 
needed, using a debugger or something similar. I do not plan to dedicate my 
lifetime to a single port; it is the local security officer's task, if he 
thinks that the application is critical for the local system.

3) Running "relevant diffs between the original and new distfile" is not a 
porter's task either. Probably it is the local security officer's task. It has 
nothing in common with porting, i.e. tuning the application for FreeBSD.

3.1) As a porter, not a developer, I may not fully understand every change 
that the developers made without any announcement.

3.1.1) Even if I understand some of them during the porting work, it does not 
mean I must describe them; it is the developers' task to describe changes to 
their product.

4) "The author or maintainer should be contacted to find out why the 
distfile has changed". This is the local security officer's task too. To be 
involved in such mail exchanges with developers, i.e. to educate them not to 
re-roll distfiles without a version number change, to ask them to describe 
what really happened: I don't have the time and resources for all of that; it 
is not a porter's task.

What do I suggest? Remove that rule. A porter's commit message, something like 
"Distfile re-rolled without name change", should bring enough attention from 
the local security officer.

To resolve my conflict, I ask all interested parties to consider my statement 
and issue some resolution about rule 10.4.4. 

In case this rule stays as is, I am forced to officially declare that I will 
not touch any re-rolled port anymore until its version number is changed, 
since following rule 10.4.4 is against the principles of common sense in the 
form I hold them.

Thank you for your attention.

-- 
Andrey A. Chernov 
http://ache.pp.ru/
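As an added example, not code from the message above or from the FreeBSD project: a POSIX sh script that produces the per-file "summary of relevant diffs" that rule 10.4.4 asks for, given the previously fetched distfile and the re-rolled one. The helper names (digest, manifest, distfile_summary, make_sample) are mine; the two tarballs are constructed inline so the script runs offline, and it assumes tar(1), awk(1) and either sha256(1) or sha256sum(1) are available.

```shell
#!/bin/sh
# Added example, not FreeBSD project code: summarize, file by file, how a
# re-rolled distfile differs from the copy whose checksum is currently
# recorded. The two tarballs compared here are constructed below so the
# script runs offline; in practice the old distfile is the one previously
# fetched (e.g. from a mirror) and the new one is the re-rolled download.
set -eu

# SHA-256 of one file; FreeBSD ships sha256(1), GNU userland sha256sum(1).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Per-file manifest of a .tar.gz: one "<sha256> <path>" line per regular
# file, sorted by path. Extracts into a scratch directory and removes it.
manifest() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    (
        cd "$scratch"
        find . -type f | sort | while read -r f; do
            printf '%s %s\n' "$(digest "$f")" "$f"
        done
    )
    rm -rf "$scratch"
}

# Classify every path as added, removed, changed or unchanged between the
# old and new distfile. This is the summary a commit message can carry;
# a plain `diff -r` of the two extracted trees then gives the details.
distfile_summary() {
    old_m=$(mktemp)
    new_m=$(mktemp)
    manifest "$1" > "$old_m"
    manifest "$2" > "$new_m"
    awk '
        NR == FNR { old[$2] = $1; next }       # first file: old manifest
        { new[$2] = $1 }                       # second file: new manifest
        END {
            for (p in new) {
                if (!(p in old))           print "added:   " p
                else if (old[p] != new[p]) print "changed: " p
                else                       unchanged++
            }
            for (p in old) if (!(p in new)) print "removed: " p
            print "unchanged: " unchanged + 0 " file(s)"
        }' "$old_m" "$new_m" | sort
    rm -f "$old_m" "$new_m"
}

# Constructed sample: a fake upstream tarball, then a "re-rolled" one with
# the same version in which one file is edited, one added and one removed.
# Prints "<old.tar.gz> <new.tar.gz>".
make_sample() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'int main(void) { return 0; }\n' > "$work/src/main.c"
    printf 'all: main\n'                    > "$work/src/Makefile"
    printf 'sample project\n'               > "$work/src/README"
    tar -czf "$work/old.tar.gz" -C "$work/src" .

    printf 'all: main\n\tstrip main\n'      > "$work/src/Makefile"   # edited
    printf '#!/bin/sh\nexit 0\n'            > "$work/src/configure"  # added
    rm "$work/src/README"                                            # removed
    tar -czf "$work/new.tar.gz" -C "$work/src" .

    printf '%s %s\n' "$work/old.tar.gz" "$work/new.tar.gz"
}

# Demonstration on the constructed sample.
sample=$(make_sample)
distfile_summary "${sample% *}" "${sample#* }"
```

On a real re-roll the call is `distfile_summary old.tar.gz new.tar.gz` with the old tarball taken from the previously fetched copy; the four-way classification tells at a glance whether the upstream change is a harmless repack (only a Makefile or documentation touched) or something, such as a new script appearing, worth raising with the author before the checksum in the port is bumped.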
