From owner-freebsd-python@FreeBSD.ORG  Mon May 26 20:12:22 2014
Subject: Re: ports/189666: devel/py-demjson: unfetchable due to rerolled tarball
From: Bartłomiej Rutkowski <r@robakdesign.com>
In-Reply-To: <FD39A570-A261-45FA-B98D-A31E9316C9DD@robakdesign.com>
Date: Mon, 26 May 2014 22:12:12 +0200
Message-Id: <C4008D82-1C3A-46E5-943E-1F1EB87CBB86@robakdesign.com>
References: <201405260846.s4Q8kUdC079970@freefall.freebsd.org>
 <C6C210C7-53CE-4185-8624-CE3737598A4F@robakdesign.com>
 <53839C13.4040405@marino.st>
 <FD39A570-A261-45FA-B98D-A31E9316C9DD@robakdesign.com>
To: marino@freebsd.org
Cc: ports@robakdesign.com, freebsd-python@FreeBSD.org


Message written by Bartłomiej Rutkowski <r@robakdesign.com> on 26 May 2014, at 22:00:

> 
> Message written by John Marino <freebsd.contact@marino.st> on 26 May 2014, at 21:54:
> 
>> On 5/26/2014 21:36, Bartłomiej Rutkowski wrote:
>>> I've just mailed the upstream, explaining the situation and
>>> suggesting releasing such changes as minor version numbers, like
>>> 2.0.1 or something similar. We'll see what response, if any, I will
>>> receive, but for now, please, patch the port with the new distinfo you've
>>> proposed. If this happens again and we won't get any answer by that
>>> time, we'll consider hosting the distfiles or removing the port.
>> 
>> Hi Bartek,
>> The issue is that I can't blindly update the distinfo.  Somebody (almost
>> always the maintainer) has to "diff" the original version and the new
>> version and evaluate exactly what changed and if it's malicious.
>> 
>> I already got chewed out last week for not verifying this personally,
>> but I generally trust the maintainer if he/she said he did this.  Have
>> you actually looked inside the new tarball?
>> 
>> Thanks,
>> John
> 
> John,
> 
> Actually, this hadn't crossed my mind, that the distfiles could not have been simply re-released due to malicious activity and only thought this was because of bad practice, so I hadn't actually looked into the tarball, but instead only checked that it builds correctly on all supported system versions. I am well aware of the possible danger and consequences but it just hadn't lit the red light in my head this time, sorry!
> 
> The author already replied to me, and I am in the process of figuring out what's going on - I'll update you as soon as I know anything.
> 
> Kind regards,
> Bartek Rutkowski

Like I said, the author already replied and is just as surprised as we are, and says there was only one release he knows about, and that the correct data for the distfile would be: 'size is 115914 with an md5 of 12cdd65d6b993afe8a36abd1838c2fae'.

Unfortunately on my system I no longer have the distfile downloaded that we had as valid last time:

SHA256 (demjson-2.0.tar.gz) = f5bc34800a0eb8be81a296e08e44e279c47ce72a2e4bb648be6b8bea4939ab34
SIZE (demjson-2.0.tar.gz) = 193281

and when I run 'make makesum' right now, I am getting this:

SHA256 (demjson-2.0.tar.gz) = 24f638daa0c28a9d44db2282d46ea3edfd4c7d11a656e38677b741620bf1483d
SIZE (demjson-2.0.tar.gz) = 115914

which perfectly matches what the author says it should be. I've asked him if he can check his release system and distfile providers to see if he can spot any changes and if he can by any chance match our incorrect sum/size to anything around there.

Any chance you or anyone else has the 'bad' distfiles available on their system for inspection?

Kind regards,
Bartek Rutkowski
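The distinfo check and the "diff the original and the new tarball" step John describes, as an added example that is not part of this thread or of the ports tree: it parses SHA256/SIZE lines in the distinfo format quoted above, verifies a downloaded distfile against them, and compares the per-member hashes of two tarballs so a maintainer can see exactly which files a reroll changed. The helper names, the in-memory sample tarballs and their file names are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile
def parse_distinfo(text):
    # {distfile: {"SHA256": hex, "SIZE": int}} from FreeBSD distinfo lines; other lines are ignored
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$", line.strip())
        if m:
            key, name, val = m.groups()
            entries.setdefault(name, {})[key] = int(val) if key == "SIZE" else val.lower()
    return entries

def distinfo_for(name, data):
    # The two lines 'make makesum' would record for these bytes
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (name, hashlib.sha256(data).hexdigest(), name, len(data))

def check_distfile(data, name, entries):
    # Mismatches against the recorded entry; an empty list means the distfile verifies
    want = entries.get(name)
    if want is None:
        return ["no distinfo entry for " + name]
    problems = []
    if len(data) != want["SIZE"]:
        problems.append("SIZE %d != %d" % (len(data), want["SIZE"]))
    if hashlib.sha256(data).hexdigest() != want["SHA256"]:
        problems.append("SHA256 mismatch")
    return problems

def make_tarball(files):
    # Build a gzipped tarball in memory from {path: bytes} (constructed sample input)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def tarball_manifest(data):
    # {member path: SHA256 of its contents} for regular files, so two rerolls can be compared
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return {m.name: hashlib.sha256(tf.extractfile(m).read()).hexdigest()
                for m in tf.getmembers() if m.isfile()}

def diff_manifests(old, new):
    # (added, removed, changed) member paths between the old and the rerolled tarball
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed
```

A sum/size mismatch alone only tells you the archive differs; the manifest diff is what lets you judge whether the difference is a harmless repackaging or an injected or altered file.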