Date:      Mon, 19 Aug 2013 08:29:51 +0200
From:      John Marino <freebsd.contact@marino.st>
To:        Bryan Drewery <bdrewery@FreeBSD.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r324901 - head/biology/tinker
Message-ID:  <5211BB5F.40306@marino.st>
In-Reply-To: <52114BFE.3010302@FreeBSD.org>
References:  <201308181138.r7IBcZdA083649@svn.freebsd.org> <5210C446.8080908@FreeBSD.org> <521116E3.7030403@marino.st> <52114BFE.3010302@FreeBSD.org>

On 8/19/2013 00:34, Bryan Drewery wrote:
> On 8/18/2013 1:48 PM, John Marino wrote:
>> On 8/18/2013 14:55, Bryan Drewery wrote:
>>> On 8/18/2013 6:38 AM, John Marino wrote:
>>>> Author: marino
>>>> Date: Sun Aug 18 11:38:34 2013
>>>> New Revision: 324901
>>>> URL: http://svnweb.freebsd.org/changeset/ports/324901
>>>>
>>>> Log:
>>>>   biology/tinker: Regenerate distinfo to unbreak fetch
>>>>   
>>>>   Apparently the distfile was rerolled.  The sizes of the file are only a few
>>>>   bytes apart.  Since the master site never changed, it's reasonable just to
>>>>   regenerate the distinfo and bump the PORTREVISION.
>>>>   
>>>
>>> *exactly* what changed is needed to be known before we update the
>>> distinfo. Did you do a comparison between the two tarballs?
>>
>> As I mentioned in the commit message, I couldn't obtain the first
>> version.  I didn't have it in any cache.  Perhaps only the submitter of
>> the PR 180518 could have done this.
> 
> I read the message the first time and it's not a valid justification.
> The size could be the same (and different checksum) and have a backdoor.

It looks like I omitted explicitly stating that the original tarball
could not be located.  I thought I wrote that but I guess it was only
implied.


>> However, after committing, I realized I could have compared 6.2.06 with
>> the previous version 6.2.05 which I did have.  In any case, the tarball
>> is from the same master site and this port has been broken for more than 30
>> days.  Had the tarball been compromised, it very likely would have been
>> caught in such a long time.  So do we trust the site or not?
> 
> We trust nothing. Upstreams can be compromised for *years* and not be known.


Had the PR to update to 6.2.06 come just a few days later, the author
would have used the same tarball.  So it would have been the exact same
case as now.  The plist matches so any backdoor would have been likely
undetected as well.

However, I'll try to email somebody over there to confirm they rerolled
it, and try to get them to say why.

John
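The check Bryan is asking for, as an added example (not part of this thread or of the ports tree): verify a distfile against its distinfo SHA256 and SIZE, then diff the old and rerolled tarballs member by member so that "a few bytes apart" can be explained before distinfo is regenerated. The tarballs and the tinker-like paths below are constructed in memory and are not the real distfiles.

```python
import hashlib
import io
import tarfile

def parse_distinfo(text):
    """Parse ports distinfo lines 'SHA256 (file) = hex' / 'SIZE (file) = n' into {file: {...}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        kind, rest = line.split(" ", 1)
        name, value = rest.split(") = ")
        entries.setdefault(name[1:], {})[kind] = int(value) if kind == "SIZE" else value
    return entries

def distinfo_for(name, data):
    """Render the two distinfo lines for a distfile (what 'make makesum' records)."""
    return f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\nSIZE ({name}) = {len(data)}\n"

def check_distfile(data, name, distinfo):
    """Return (size_matches, sha256_matches); same size with a different hash is the worrying case."""
    want = distinfo[name]
    return (len(data) == want["SIZE"], hashlib.sha256(data).hexdigest() == want["SHA256"])

def tar_manifest(data):
    """Map each member path to the SHA256 of its content (None for directories, links, etc.)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            out[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest() if m.isfile() else None
    return out

def diff_tarballs(old, new):
    """Compare two distfiles member by member: which paths were added, removed, or changed."""
    a, b = tar_manifest(old), tar_manifest(new)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p])}

def make_tar(files):
    """Build a small uncompressed tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed stand-ins for the previous and the rerolled distfile; not the real tinker sources.
OLD = make_tar({"tinker/README": b"v1\n", "tinker/source/a.f": b"      end\n"})
NEW = make_tar({"tinker/README": b"v1\n", "tinker/source/a.f": b"      end\n      call x\n",
                "tinker/source/b.f": b"      end\n"})
```

Run `diff_tarballs(OLD, NEW)` on the two real distfiles to get the list of changed members; a distfile that keeps its SIZE but fails the SHA256 line is exactly the case the thread warns about.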