Date: Wed, 22 May 2002 06:14:45 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/security/drweb Makefile distinfo ports/security/drweb/files patch-aa patch-ab
Message-ID: <20020522021445.GA92135@nagual.pp.ru>
In-Reply-To: <20020521173029.A36618@xor.obsecurity.org>
References: <200205211516.g4LFGeo82331@freefall.freebsd.org> <20020521151814.F31955@xor.obsecurity.org> <20020521235911.GA91185@nagual.pp.ru> <20020521173029.A36618@xor.obsecurity.org>
On Tue, May 21, 2002 at 17:30:29 -0700, Kris Kennaway wrote:
> Yes; it's a rule we apply to all ports committers. Please see
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#Q10.4.4.

I disagree with that. It seems this rule mixes porter and security officer tasks. As a porter, what I do is port the application. As a porter, I already check that the "distfile has not been corrupted". But it is the security officer who must find out if the distfile is "maliciously altered", comparing the differences as a whole and analyzing the code with a debugger, especially for a _binary_ port like drweb! It is the security officer who must educate developers not to re-roll their distfiles, as written: "otherwise the author or maintainer should be contacted to find out why the distfile has changed."

> It's not a very demanding requirement; just do a diff -ruN and inspect
> the changes visually. If the changes are significant then just note
> as such. The main thing you're looking for is changes which were
> inserted into the distfile maliciously.

The changes are:

drweb:
  Binary daemon changed.
  Config files changed.

drweb-sendmail:
  *.o *.a removed
  Config files changed.

This is what I found out during the porting. I have no time and energy to detail it further, and I am not even sure that this list is complete!

-- 
Andrey A. Chernov
http://ache.pp.ru/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPOr/FeJgpPLZnQjrAQHq/gQAkvhjZKP8rb4x12e1U6+DV5w+0hPfMhMt
w6i45VHjiMDOzrMHph0KLXykS8cwMauVAG7HIJ1y2SBJHDoUtwo+Q7t8YYhYyvbY
ztGts6JbcS7ch/zys7/oItaeG+/imyb4dBsIBXe2ViiZb69/SFXYKa96CdXKt1Ck
K7YEjPku+PU=
=VRB/
-----END PGP SIGNATURE-----
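The check Kris describes, a diff -ruN between the old and new distfile contents, yields exactly the kind of summary Andrey posted (binary changed, config changed, *.o and *.a removed). The script below is an added example, not code from the thread or from the FreeBSD ports tree: it runs `diff -rq` over two extracted distfile trees, classifies each differing path as text, binary, added or removed, and then prints unified diffs for the text files only, so a reviewer sees at once which changes can be read and which are opaque binaries that a diff cannot explain. The function names, the directory layout and the sample files are constructed for the demo and stand in for no real distfile.

```sh
#!/bin/sh
# Added example, not code from the thread or the FreeBSD ports tree: summarise
# what changed between two extracted distfiles (old vs new) before accepting a
# changed checksum. "diff -rq" supplies the raw list; each differing path is
# then classified so the reviewer sees which changes are readable as a text
# diff and which are binary and cannot be explained by a diff at all.
# Directory layout and sample files below are constructed for the demo.

# is_binary FILE: true if FILE holds any byte outside printable ASCII/whitespace
is_binary() {
    n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')
    [ "$n" -ne 0 ]
}

# summarize_changes OLD NEW: one sorted line per difference, one of
#   removed PATH | added PATH | binary PATH | text PATH   (PATH relative to root)
summarize_changes() {
    old=${1%/}; new=${2%/}
    diff -rq "$old" "$new" | while IFS= read -r line; do
        case $line in
            "Only in $old:"*|"Only in $old/"*)
                rest=${line#"Only in "}
                p="${rest%%: *}/${rest#*: }"
                echo "removed ${p#"$old"/}" ;;
            "Only in $new:"*|"Only in $new/"*)
                rest=${line#"Only in "}
                p="${rest%%: *}/${rest#*: }"
                echo "added ${p#"$new"/}" ;;
            "Files "*|"Binary files "*)
                # "Files OLD/x and NEW/x differ" (GNU diff says "Binary files"
                # for binaries even in -q mode); take the OLD side path
                p=${line#"Files "}; p=${p#"Binary files "}
                p=${p%% and *}; p=${p#"$old"/}
                if is_binary "$old/$p" || is_binary "$new/$p"; then
                    echo "binary $p"
                else
                    echo "text $p"
                fi ;;
        esac
    done | sort
}

# text_diffs OLD NEW: unified diff of the text files only, i.e. what a reviewer
# actually reads; binary, added and removed paths come from summarize_changes
text_diffs() {
    old=${1%/}; new=${2%/}
    summarize_changes "$old" "$new" | while read -r kind p; do
        if [ "$kind" = text ]; then
            diff -u "$old/$p" "$new/$p" || true
        fi
    done
}

# make_sample_trees DIR: constructed stand-in for an original and a re-rolled
# distfile: a binary daemon that changed, a config file that changed, object
# and archive files dropped from the new tarball, and one untouched file.
make_sample_trees() {
    base=$1
    mkdir -p "$base/old/etc" "$base/new/etc"
    printf 'daemon v1\000\001\002' > "$base/old/daemon"
    printf 'daemon v2\000\001\003' > "$base/new/daemon"
    printf 'Listen = 3000\nLogLevel = 2\n' > "$base/old/etc/sample.conf"
    printf 'Listen = 3000\nLogLevel = 3\nUser = nobody\n' > "$base/new/etc/sample.conf"
    printf '\177ELF\000object' > "$base/old/helper.o"
    printf '!<arch>\n\000' > "$base/old/libhelper.a"
    printf 'unchanged\n' > "$base/old/README"
    printf 'unchanged\n' > "$base/new/README"
}

# Stand-alone demo on the constructed trees
demo_dir=$(mktemp -d)
make_sample_trees "$demo_dir"
echo "== summary =="
summarize_changes "$demo_dir/old" "$demo_dir/new"
echo "== text diffs =="
text_diffs "$demo_dir/old" "$demo_dir/new"
rm -rf "$demo_dir"
```

On the constructed trees the summary reads `binary daemon`, `removed helper.o`, `removed libhelper.a`, `text etc/sample.conf`; the binary line is the one a plain `diff -ruN` can only report as "Binary files differ", which is the case Andrey raises for drweb. The binary test is a byte-class heuristic (any byte outside printable ASCII and whitespace), chosen because it needs only `tr` and `wc` and behaves the same on GNU and BSD userlands.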