From: Bryan Drewery
Date: Sat, 5 Apr 2014 04:25:55 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r350191 - head/security/keybase

Author: bdrewery
Date: Sat Apr 5 04:25:55 2014
New Revision: 350191
URL: http://svnweb.freebsd.org/changeset/ports/350191
QAT: https://qat.redports.org/buildarchive/r350191/

Log:
  - Update to 0.2.18 [1]
  - Remove need for npm at install time [2]
  - No longer bundle deps [2]
  - Add big warning on how little this project should be trusted

  4 versions since previous 0.2.0 had security fixes, some of which were
  regressions from the chain. Non-security-marked fixes not listed here,
  see changelog [1].

  0.2.4 (2014-03-29)
    SECURITY NOTICE
    This release was flawed since it did not pull its dependencies with it.

  0.2.7 (2014-03-29)
    SECURITY BUGFIX
    The previous releases, v0.2.5 and v0.2.6, had broken verification for
    website proofs. Fixed with an upgrade to proofs v0.0.15

  0.2.13 (2014-04-01)
    SECURITY BUGFIX
    Don't show the GPG script used to generate keys when specifying -d,
    since it contains the user's password

  0.2.14 (2014-04-02)
    SECURITY BUGFIX
    Sanity-check the server's proof text, in case it's cheating. Check to
    make sure that the only plausible proof is the one that we made, and
    that others aren't coming along for the ride. This check comes via
    keybase-proofs @v0.0.20.

  Changelog [1]: https://github.com/keybase/node-client/compare/v0.2.0...v0.2.18#diff-2

  Submitted by: thierry [2]

Modified:
  head/security/keybase/Makefile
  head/security/keybase/distinfo

Modified: head/security/keybase/Makefile ============================================================================== --- head/security/keybase/Makefile Sat Apr 5 03:40:53 2014 (r350190) +++ head/security/keybase/Makefile Sat Apr 5 04:25:55 2014 (r350191) 
@@ -1,60 +1,29 @@ # $FreeBSD$ PORTNAME= keybase -DISTVERSION= v0.2.0 +PORTVERSION= 0.2.18 CATEGORIES= security -MASTER_SITES= GH \ +MASTER_SITES= https://dist.keybase.io/pkg/files/ \ LOCAL/bdrewery/${PORTNAME}/:DEFAULT,deps \ http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,deps -DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \ - ${DEP_DIST}:deps +EXTRACT_SUFX= .tgz MAINTAINER= bdrewery@freebsd.org COMMENT= Keybase.io client LICENSE= BSD3CLAUSE -BUILD_DEPENDS= npm>=0:${PORTSDIR}/www/npm RUN_DEPENDS= node>=0:${PORTSDIR}/www/node \ gpg:${PORTSDIR}/security/gnupg -# Must bundle deps. -# 1. They are not in ports and doing so creates a large complex task with little -# benefit requiring a lot of maintenance. Hopefully someday we will have -# an npm wrapper similar to BSDPAN. -# 2. npm has absolutely no way to fetch dependencies without installing at the -# same time so this would not build on poudriere due to network restrictions -# outside of 'fetch' phase. See https://github.com/npm/npm/issues/2817 -# 3. A date is used as dependencies can upgrade even without keybase changing -# anything due to dependency patterns not binding to specific versions in -# package.json. I.e., even if the problem of fetching dependencies is -# solved, we want this package to be reproducible. -DEP_DIST_DATE= 20140327 -DEP_DIST_DFMT= %Y%m%d -DEP_DIST_PRE= ${PORTNAME}-deps-${PORTVERSION}-${GH_COMMIT}- -DEP_DIST_POST= .txz -DEP_DIST= ${DEP_DIST_PRE}${DEP_DIST_DATE}${DEP_DIST_POST} - -USE_GITHUB= yes -GH_ACCOUNT= keybase -GH_PROJECT= node-client -GH_COMMIT= 9509986 +WRKSRC= ${WRKDIR}/package +NO_ARCH= yes +NO_BUILD= yes +# Install it a private place instead of polluting lib/node_modules +# which npm(1) owns and will upgrade beneath pkg(8) control. KEYBASE_PREFIX= ${PREFIX}/libexec/${PORTNAME} -# Generate dependency distfile. This is only used by maintainer. 
-makedeps: patch - cd ${WRKSRC} && \ - ${RM} -rf node_modules && \ - dep_fname="${DEP_DIST_PRE}`/bin/date '+${DEP_DIST_DFMT}'`${DEP_DIST_POST}" && \ - tar -cJf $${dep_fname} node_modules/ && \ - ${MV} -f $${dep_fname} ${_DISTDIR}/ && \ - cd ${.CURDIR} && \ - ${MAKE} makesum - -post-extract: - @${MV} ${WRKDIR}/node_modules ${WRKSRC}/node_modules - add-plist-post: npm-auto-plist npm-auto-plist: @@ -66,8 +35,10 @@ npm-auto-plist: do-install: @${MKDIR} ${WRKDIR}/tmp ${STAGEDIR}${KEYBASE_PREFIX}/lib - cd ${STAGEDIR}${KEYBASE_PREFIX}/lib && ${SETENV} HOME=${WRKDIR}/tmp \ - ${LOCALBASE}/bin/npm install ${WRKSRC} + (cd ${WRKSRC} && \ + ${COPYTREE_SHARE} \* \ + ${STAGEDIR}${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}) + ${CHMOD} +x ${STAGEDIR}${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}/bin/main.js ${LN} -s ${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}/bin/main.js \ ${STAGEDIR}${PREFIX}/bin/${PORTNAME} Modified: head/security/keybase/distinfo ============================================================================== --- head/security/keybase/distinfo Sat Apr 5 03:40:53 2014 (r350190) +++ head/security/keybase/distinfo Sat Apr 5 04:25:55 2014 (r350191) @@ -1,4 +1,2 @@ -SHA256 (keybase-v0.2.0.tar.gz) = 4ca20da5e5f371e63521a838416da73ff54deeae7c71a1441670f9322ddbe723 -SIZE (keybase-v0.2.0.tar.gz) = 594085 -SHA256 (keybase-deps-v0.2.0-9509986-20140327.txz) = 886220149b109ac1face08976837259f7a021f08c02e663d637327b546adbb08 -SIZE (keybase-deps-v0.2.0-9509986-20140327.txz) = 1946868 +SHA256 (keybase-0.2.18.tgz) = fd89326a60274b64401247f2b13d5b17ca8432eb4b458a7cec997d59ccdf6ce0 +SIZE (keybase-0.2.18.tgz) = 3727320
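
Review bot: In the first Makefile hunk (@@ -1,60 +1,29 @@), the two MASTER_SITES entries kept as context, LOCAL/bdrewery/${PORTNAME}/ and http://mirror.shatow.net/freebsd/${PORTNAME}/, still carry the ":DEFAULT,deps" group tags, while the DISTFILES line that referenced the deps group (${DEP_DIST}:deps) is removed in the same hunk. With no distfile left in that group in the lines shown, drop ",deps" (or the group suffix altogether) so the fetch configuration does not describe a second distfile that no longer exists. Minor: the new comment above KEYBASE_PREFIX reads "Install it a private place" and is missing "in".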
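
Review bot: In the do-install hunk (@@ -66,8 +35,10 @@), the unchanged MKDIR line still creates ${WRKDIR}/tmp, whose only use in the lines shown was as HOME for the "npm install" call that this hunk removes. Now that the install is a plain COPYTREE_SHARE, that directory is dead weight; reduce the line to creating the staged target directory only.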
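
Review bot: The distinfo hunk leaves a single distfile, keybase-0.2.18.tgz at 3727320 bytes against 594085 for the old source tarball, and the Makefile drops both the separate deps distfile and the npm build dependency, yet nothing in the port states where the node dependencies come from now. If they ship inside the upstream tarball, record that in a Makefile comment: the removed comment's reproducibility argument (its point 3) then rests entirely on this one SHA256 and on what upstream chose to pack, which is worth stating given the security history listed in the log.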