Date: Sat, 4 Jul 2015 12:40:25 +1000
From: Kubilay Kocak <koobs@FreeBSD.org>
To: "Sergey A. Osokin" <osa@FreeBSD.org>
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r391254 - in head/www: nginx nginx-devel
Message-ID: <55974799.8050907@FreeBSD.org>
In-Reply-To: <20150703231507.GC24716@FreeBSD.org>
References: <201507031644.t63GixME014247@repo.freebsd.org> <20150703172909.GB24716@FreeBSD.org> <5596CE3C.5000801@FreeBSD.org> <20150703231507.GC24716@FreeBSD.org>
On 4/07/2015 9:15 AM, Sergey A. Osokin wrote:
> On Sat, Jul 04, 2015 at 04:02:36AM +1000, Kubilay Kocak wrote:
>> On 4/07/2015 3:29 AM, Sergey A. Osokin wrote:
>>> Dear Kubilay,
>>>
>>> I didn't approve this change, so, I have at least two questions here:
>>
>> I believe the tag was moved 11 days ago and the issue (PR) created 7
>> days ago. A number of users had reported the issue today as ongoing,
>> which is when I found the bugzilla issue. I had assumed you weren't
>> otherwise available and wanted to help.
>
> Have you asked those users to add "+1" to PR 201129?

I did not, but I will next time. Would this have made my unapproved
commit more OK?

>>> 1. have you checked what actually has been changed? Is there any chance to see
>>> the diff between old distro and new one?
>>
>> I did not, I considered it the same as I would have a normal version
>> bump of a module, except in this case the distinfo checksum mismatch was
>> caused by upstream moving a tag, not a maintainer forgetting to run makesum.
>
> Well, I don't think that this is a good idea to commit every change to the "super popular
> software packages", what I've heard in the PR.

The change in question was only to address a two-week broken build. I
certainly agree, and do not subscribe to 'committing every change'
outside of normal processes. Re-rolled distfiles and re-tagged git
repositories are a regular occurrence, with a standard fix.

> The size/SHA256 mismatch in third-party headers_more module has been acquired probably
> because of the module's author mistake (but I think he thought he did his best): he's
> changed something in source code after the creation of the release tag.
>
> Another version a bit paranoid, but anyway: somebody hacked a github account, committed
> a trojan, re-created the tag and Kubilay added that trojan into FreeBSD ports tree.
> Actually this is why I'm asking you to show the changes between versions.

Agree with you on the potential risks.

I did check commit history, I didn't review the code.

> In my point of view, I'd highly recommend to ask the module's author about change,
> create new release with that change.

feld@ created the following issue, to which I've added a comment
requesting documentation of the changes:

https://github.com/openresty/headers-more-nginx-module/issues/35

>> I don't know how to see how/where a tag was moved between commits, so as
>> to derive a changeset.
>>
>> It would be nice to know if there is a way.
>>
>>> 2. the third-party headers_more undefined by default, so PORTREVISION bump
>>> isn't necessary in this case.
>>
>> Understood. I had originally thought that since the distinfo was
>> packaged, and that the contents was changing, that it may have been
>> required.
>
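The two open questions in the thread, Sergey's "show the changes between versions" and Kubilay's "how to see where a tag was moved", have a practical answer when the distfile is a GitHub-style tarball: git archive stores the source commit id in the tarball's pax global header, and git get-tar-commit-id reads it back. With the old distfile still in DISTDIR and the re-rolled one just fetched, that gives both commit ids and therefore the exact changeset the moved tag introduced. The script below is an added example and not code from the thread, the port or the headers-more module; everything in it is constructed: a small git repository stands in for upstream, two archives built from it stand in for the old and new distfiles, and the tag is forced onto a later commit to reproduce the situation described. It assumes git(1), gzip(1) and one of sha256sum/sha256/shasum are installed.

```shell
#!/bin/sh
# Added example, not from the thread, the port or the module: recover the commit
# each git-archive-made distfile was built from, then diff those two commits.
# Everything below is a constructed fixture standing in for the real
# /usr/ports/distfiles contents; the repository, file names and tag are hypothetical.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/headers-more"                        # constructed upstream repository
OLD_TAR="$WORK/headers-more-0.26-old.tar.gz"     # distfile the old distinfo was made from
NEW_TAR="$WORK/headers-more-0.26-new.tar.gz"     # distfile fetched after the tag moved

# Run git inside the fixture repository with a fixed identity.
git_c() { git -C "$REPO" -c user.name=example -c user.email=example@example.invalid "$@"; }

# Build the fixture: tag v0.26 on a release commit, change a file afterwards,
# force the same tag onto the new commit, and archive both states.
build_fixture() {
    mkdir -p "$REPO"
    git_c -c init.defaultBranch=main init -q
    printf 'original release body\n' > "$REPO/src.c"
    git_c add src.c
    git_c commit -q -m "release 0.26"
    git_c tag v0.26
    git_c archive --format=tar --prefix=headers-more-0.26/ v0.26 | gzip -n > "$OLD_TAR"
    printf 'changed after the release was tagged\n' > "$REPO/src.c"
    git_c commit -q -am "post-release change"
    git_c tag -f v0.26 >/dev/null
    git_c archive --format=tar --prefix=headers-more-0.26/ v0.26 | gzip -n > "$NEW_TAR"
}

# Portable SHA256 of a file: the value distinfo records and `make makesum` refreshes.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Commit id that git archive stored in the tarball's pax global header.
# Only tarballs produced by git archive (GitHub's tag/commit tarballs are) carry it;
# a maintainer-uploaded tarball has no header and this prints nothing.
tar_commit_id() { gzip -dc "$1" | git_c get-tar-commit-id; }

# Files that differ between the commits two distfiles were built from.
changed_files() {
    git_c diff --name-only "$(tar_commit_id "$1")" "$(tar_commit_id "$2")"
}

build_fixture
printf 'old distinfo SHA256: %s\n' "$(sha256_of "$OLD_TAR")"
printf 'new distinfo SHA256: %s\n' "$(sha256_of "$NEW_TAR")"
printf 'old tarball commit:  %s\n' "$(tar_commit_id "$OLD_TAR")"
printf 'new tarball commit:  %s\n' "$(tar_commit_id "$NEW_TAR")"
# The changeset the moved tag actually brought in, which is what needs review.
git_c diff --stat "$(tar_commit_id "$OLD_TAR")" "$(tar_commit_id "$NEW_TAR")"
```

On a real port the two commit ids would be fed to git diff in a clone of the upstream repository rather than the fixture. Two caveats: the old commit is only recoverable if the old distfile (or its recorded commit) is still around, so the ports distfile cache is worth keeping until the new checksum has been reviewed; and for tarballs that were not made by git archive the fallback is to extract both and run diff -ru on the trees. Either way the output is the diff to read before running makesum, which is the check the thread asks for.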