Date: Wed, 22 May 2002 06:14:45 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/security/drweb Makefile distinfo ports/security/drweb/files patch-aa patch-ab
Message-ID: <20020522021445.GA92135@nagual.pp.ru>
In-Reply-To: <20020521173029.A36618@xor.obsecurity.org>
References: <200205211516.g4LFGeo82331@freefall.freebsd.org> <20020521151814.F31955@xor.obsecurity.org> <20020521235911.GA91185@nagual.pp.ru> <20020521173029.A36618@xor.obsecurity.org>
User-Agent: Mutt/1.3.28i

On Tue, May 21, 2002 at 17:30:29 -0700, Kris Kennaway wrote:
> Yes; it's a rule we apply to all ports committers. Please see
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#Q10.4.4.

I disagree with that. It seems this rule mixes porter and security officer tasks. As a porter, what I do is port the application.

As a porter, I already check that the "distfile has not been corrupted". But it is the security officer who must find out if a distfile is "maliciously altered", comparing the differences as a whole and analyzing the code with a debugger, especially for a _binary_ port like drweb! It is the security officer who must educate developers not to re-roll their distfiles, as written: "otherwise the author or maintainer should be contacted to find out why the distfile has changed."

> It's not a very demanding requirement; just do a diff -ruN and inspect
> the changes visually. If the changes are significant then just note
> as such. The main thing you're looking for are changes which were
> inserted into the distfile maliciously.

The changes are:

drweb:
  Binary daemon changed.
  Config files changed.

drweb-sendmail:
  *.o *.a removed
  Config files changed.

It is what I found out during the porting. I have no time and energy to detail it more, and I am not even sure that this list is complete!

-- 
Andrey A. Chernov
http://ache.pp.ru/
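The check the quoted reply describes (diff -ruN over the two extracted distfiles), written out as an added shell example; it is not part of the mail thread or of the drweb port. It assumes only POSIX tools plus tar and one of sha256sum, shasum or sha256. It only starts the comparison when the new distfile's checksum no longer matches the recorded one, and its summary flags binary files separately, because a visual diff says nothing about a changed daemon binary. The tarballs, file names and contents are constructed for the demo, modelled on the change list in the mail.

```shell
#!/bin/sh
# Added example; not from the thread or the drweb port. Compares an old and a
# re-rolled distfile (diff -ruN over the extracted trees) once the recorded
# checksum no longer matches, and prints a summary with binary files flagged.
# All tarballs, paths and file contents below are constructed.

set -eu

# SHA-256 of a file, using whichever tool the host provides.
dist_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"          # FreeBSD
    fi
}

# "binary" if the file contains a NUL byte, otherwise "text".
file_kind() {
    if tr -d '\000' < "$1" | cmp -s - "$1"; then echo text; else echo binary; fi
}

# One line per path that differs between two extracted trees:
#   added / removed / changed-text / changed-binary <relative path>
summarise_trees() {
    old=$1; new=$2
    { ( cd "$old" && find . -type f ); ( cd "$new" && find . -type f ); } |
    LC_ALL=C sort -u | while read -r rel; do
        if [ ! -e "$old/$rel" ]; then echo "added $rel"
        elif [ ! -e "$new/$rel" ]; then echo "removed $rel"
        elif ! cmp -s "$old/$rel" "$new/$rel"; then
            echo "changed-$(file_kind "$new/$rel") $rel"
        fi
    done
}

# Compare the new distfile's checksum with the recorded one (what distinfo
# holds); if it changed, extract both tarballs, print the summary and write a
# full diff -ruN for visual review. Prints "unchanged" when checksums match.
check_distfile() {
    recorded=$1; old_tar=$2; new_tar=$3; work=$4
    if [ "$(dist_checksum "$new_tar")" = "$recorded" ]; then
        echo unchanged; return 0
    fi
    mkdir -p "$work/old" "$work/new"
    tar -xf "$old_tar" -C "$work/old"
    tar -xf "$new_tar" -C "$work/new"
    summarise_trees "$work/old" "$work/new"
    # diff exits 1 when the trees differ, which is expected here.
    diff -ruN "$work/old" "$work/new" > "$work/distfile.diff" || true
}

# Constructed fixture modelled on the change list in the mail: a binary daemon
# changed, a config file changed, an object file removed, one source unchanged.
make_fixture() {
    root=$1
    mkdir -p "$root/v1/drweb" "$root/v2/drweb"
    printf 'daemon\000\001\002' > "$root/v1/drweb/drwebd"
    printf 'daemon\000\001\003' > "$root/v2/drweb/drwebd"
    printf 'Scan = yes\n' > "$root/v1/drweb/drweb.ini"
    printf 'Scan = yes\nUpdate = daily\n' > "$root/v2/drweb/drweb.ini"
    printf 'obj\000' > "$root/v1/drweb/filter.o"
    printf 'int main(void){return 0;}\n' > "$root/v1/drweb/main.c"
    printf 'int main(void){return 0;}\n' > "$root/v2/drweb/main.c"
    tar -cf "$root/drweb-v1.tar" -C "$root/v1" drweb
    tar -cf "$root/drweb-v2.tar" -C "$root/v2" drweb
}

# Usage: run the check against the constructed fixture in a scratch directory.
run_demo() {
    root=$(mktemp -d)
    make_fixture "$root"
    recorded=$(dist_checksum "$root/drweb-v1.tar")   # as recorded in distinfo
    check_distfile "$recorded" "$root/drweb-v1.tar" "$root/drweb-v2.tar" "$root/work"
}

run_demo
```

The summary is what a committer would paste into the commit log ("Binary daemon changed. Config files changed."); the written diff is the material for the visual inspection the reply asks for, and the `changed-binary` lines mark exactly the files where that inspection cannot settle the question on its own.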