Date: Sun, 18 Aug 2013 17:34:38 -0500
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: marino@freebsd.org
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, John Marino <freebsd.contact@marino.st>, ports-committers@freebsd.org
Subject: Re: svn commit: r324901 - head/biology/tinker
Message-ID: <52114BFE.3010302@FreeBSD.org>
In-Reply-To: <521116E3.7030403@marino.st>
References: <201308181138.r7IBcZdA083649@svn.freebsd.org> <5210C446.8080908@FreeBSD.org> <521116E3.7030403@marino.st>

On 8/18/2013 1:48 PM, John Marino wrote:
> On 8/18/2013 14:55, Bryan Drewery wrote:
>> On 8/18/2013 6:38 AM, John Marino wrote:
>>> Author: marino
>>> Date: Sun Aug 18 11:38:34 2013
>>> New Revision: 324901
>>> URL: http://svnweb.freebsd.org/changeset/ports/324901
>>>
>>> Log:
>>>   biology/tinker: Regenerate distinfo to unbreak fetch
>>>
>>>   Apparently the distfile was rerolled.  The sizes of the file are only a few
>>>   bytes apart.  Since the master site never changed, it's reasonable just to
>>>   regenerate the distinfo and bump the PORTREVISION.
>>>
>>
>> *exactly* what changed is needed to be known before we update the
>> distinfo. Did you do a comparison between the two tarballs?
>
> As I mentioned in the commit message, I couldn't obtain the first
> version.  I didn't have it in any cache.  Perhaps only the submitter of
> the PR 180518 could have done this.

I read the message the first time and it's not a valid justification.
The size could be the same (and different checksum) and have a backdoor.

>
> However, after committing, I realized I could have compared 6.2.06 with
> the previous version 6.2.05 which I did have.  In any case, the tarball
> is from the same master site and this port has been broken for more than 30
> days.  Had the tarball been compromised, it very likely would have been
> caught in such a long time.  So do we trust the site or not?

We trust nothing. Upstreams can be compromised for *years* and not be known.

>
> John
>

-- 
Regards,
Bryan Drewery

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52114BFE.3010302>