From owner-freebsd-python@FreeBSD.ORG Mon May 26 20:07:04 2014
Subject: Re: ports/189666: devel/py-demjson: unfetchable due to rerolled tarball
From: Bartłomiej Rutkowski
In-Reply-To: <53839C13.4040405@marino.st>
Date: Mon, 26 May 2014 22:00:47 +0200
References: <201405260846.s4Q8kUdC079970@freefall.freebsd.org> <53839C13.4040405@marino.st>
To: marino@freebsd.org
Cc: ports@robakdesign.com, freebsd-python@FreeBSD.org
List-Id: FreeBSD-specific Python issues

Message written by John Marino on 26 May 2014, at 21:54:

> On 5/26/2014 21:36, Bartłomiej Rutkowski wrote:
>> I've just mailed the upstream, explaining the situation and
>> suggesting releasing such changes as minor version numbers, like
>> 2.0.1 or something similar. We'll see what response, if any, I will
>> receive, but for now, please, patch the port with new distinfo you've
>> proposed. If this happens again and we won't get any answer by that
>> time, we'll consider hosting the distfiles or removing the port.
>
> Hi Bartek,
> The issue is that I can't blindly update the distinfo. Somebody (almost
> always the maintainer) has to "diff" the original version and the new
> version and evaluate exactly what changed and if it's malicious.
>
> I already got chewed out last week for not verifying this personally,
> but I generally trust the maintainer if he/she said he did this. Have
> you actually looked inside the new tarball?
>
> Thanks,
> John

John,

Actually, this hasn't crossed my mind, that the distfiles could not have
been simply re-released due to malicious activity, and I only thought
this was because of bad practice, so I haven't actually looked into the
tarball, but instead only checked if it builds correctly on all
supported system versions. I am well aware of the possible danger and
consequences but it just hasn't lit the red light in my head this
time, sorry!

The author already replied to me, and I am in the process of figuring
out what's going on - I'll update you as soon as I know anything.

Kind regards,
Bartek Rutkowski
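
The "diff the original and the new version" check discussed in this thread, as an added example that is not part of the original message or of the ports tree: it compares two tarballs member by member without extracting them to disk. The function names and the sample archives (pkg-1.0) are constructed for illustration.

```python
import hashlib
import io
import tarfile


def tar_manifest(data: bytes) -> dict:
    """Map each member name to (type, mode, sha256 of content or link target)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # read in place; nothing is unpacked onto the filesystem
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                digest = m.linkname  # links/dirs: record the target instead
            manifest[m.name] = (m.type, m.mode, digest)
    return manifest


def diff_tarballs(old: bytes, new: bytes) -> dict:
    """Report members added, removed or changed between two tarballs."""
    a, b = tar_manifest(old), tar_manifest(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_tarball(files: dict, mtime: int) -> bytes:
    """Build a constructed sample .tar.gz in memory (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: same version number, silently rerolled contents.
OLD = make_tarball({"pkg-1.0/setup.py": b"setup()\n",
                    "pkg-1.0/mod.py": b"x = 1\n"}, mtime=1)
NEW = make_tarball({"pkg-1.0/setup.py": b"setup()\n",
                    "pkg-1.0/mod.py": b"x = 2\n",
                    "pkg-1.0/extra.py": b"pass\n"}, mtime=2)
# Same file contents, new timestamp: the checksum changes, the manifest does not.
REPACKED = make_tarball({"pkg-1.0/setup.py": b"setup()\n",
                         "pkg-1.0/mod.py": b"x = 1\n"}, mtime=2)

if __name__ == "__main__":
    print(diff_tarballs(OLD, NEW))
    print(diff_tarballs(OLD, REPACKED))
```

A checksum mismatch alone only says the archive changed; the per-member report narrows the review to the files that still need a line-by-line diff.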