From: John Marino
Date: Mon, 19 Aug 2013 08:29:51 +0200
To: Bryan Drewery
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r324901 - head/biology/tinker
Message-ID: <5211BB5F.40306@marino.st>
In-Reply-To: <52114BFE.3010302@FreeBSD.org>
Reply-To: marino@freebsd.org

On 8/19/2013 00:34, Bryan Drewery wrote:
> On 8/18/2013 1:48 PM, John Marino wrote:
>> On 8/18/2013 14:55, Bryan Drewery wrote:
>>> On 8/18/2013 6:38 AM, John Marino wrote:
>>>> Author: marino
>>>> Date: Sun Aug 18 11:38:34 2013
>>>> New Revision: 324901
>>>> URL: http://svnweb.freebsd.org/changeset/ports/324901
>>>>
>>>> Log:
>>>>   biology/tinker: Regenerate distinfo to unbreak fetch
>>>>
>>>>   Apparently the distfile was rerolled. The sizes of the file are only a few
>>>>   bytes apart. Since the master site never changed, it's reasonable just to
>>>>   regenerate the distinfo and bump the PORTREVISION.
>>>>
>>>
>>> *exactly* what changed is needed to be known before we update the
>>> distinfo. Did you do a comparison between the two tarballs?
>>
>> As I mentioned in the commit message, I couldn't obtain the first
>> version. I didn't have it in any cache. Perhaps only the submitter of
>> the PR 180518 could have done this.
>
> I read the message the first time and it's not a valid justification.
> The size could be the same (and different checksum) and have a backdoor.

It looks like I omitted explicitly stating that the original tarball could
not be located. I thought I wrote that but I guess it was only implied.

>> However, after committing, I realized I could have compared 6.2.06 with
>> the previous version 6.2.05 which I did have. In any case, the tarball
>> is from the same master site and this port has been broken for more than
>> 30 days. Had the tarball been compromised, it very likely would have been
>> caught in such a long time. So do we trust the site or not?
>
> We trust nothing. Upstreams can be compromised for *years* and not be known.

Had the PR to update to 6.2.06 come just a few days later, the author
would have used the same tarball. So it would have been the exact same
case as now. The plist matches so any backdoor would have been likely
undetected as well.

However, I'll try to email somebody over there to confirm they rerolled
it, and try to get them to say why.

John
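The comparison Bryan asks for, as an added example that is not part of this thread or of the FreeBSD ports tree: a POSIX shell script that lists every member of two distfile tarballs with its SHA-256 and size and reports what was added, removed or changed, so a reroll with a near-identical size is explained before distinfo is regenerated. It assumes POSIX sh, tar, find, join and awk, plus GNU sha256sum or BSD sha256; the demo tarballs and their contents are constructed here.

```shell
#!/bin/sh
# Added example, not from the ports tree or this thread: compare two
# versions of a distfile member by member before regenerating distinfo.
# Assumes POSIX sh, tar, find, join, awk and sha256sum (or BSD sha256 -q).
set -eu
export LC_ALL=C   # same collation for sort and join

hash_file() {  # GNU sha256sum if present, otherwise BSD sha256
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" | cut -d' ' -f1 || sha256 -q "$1"
}

# Emit "<path> <sha256> <size>" for every regular file in a tarball, sorted by
# path (assumes member names contain no whitespace).
tar_manifest() {
    dir=$(mktemp -d)
    tar -xf "$1" -C "$dir"
    ( cd "$dir" && find . -type f | sort | while read -r f; do
          printf '%s %s %s\n' "${f#./}" "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')"
      done )
    rm -rf "$dir"
}

# Print one line per added/removed/changed member; return 1 if anything differs.
compare_distfiles() {
    a=$(mktemp); b=$(mktemp)
    tar_manifest "$1" > "$a"
    tar_manifest "$2" > "$b"
    report=$( {
        join -v 1 "$a" "$b" | awk '{print "removed " $1}'   # only in old
        join -v 2 "$a" "$b" | awk '{print "added " $1}'     # only in new
        join "$a" "$b" | awk '$2 != $4 {print "changed " $1 " (" $3 " -> " $5 " bytes)"}'
    } )
    rm -f "$a" "$b"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed demo tarballs: "new" changes one byte of main.c (same size,
# different checksum, the case a size comparison misses) and adds a file.
make_demo_tarballs() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg-1.0/src"
    printf 'int main(void) { return 0; }\n' > "$work/pkg-1.0/src/main.c"
    tar -cf "$work/old.tar" -C "$work" pkg-1.0
    printf 'int main(void) { return 1; }\n' > "$work/pkg-1.0/src/main.c"
    printf 'static int extra;\n' > "$work/pkg-1.0/src/extra.c"
    tar -cf "$work/new.tar" -C "$work" pkg-1.0
    printf '%s\n' "$work"   # caller removes this directory when done
}
```

Run as `compare_distfiles old.tar.gz new.tar.gz` on the two real distfiles; an empty report with exit status 0 means the members are byte-for-byte identical and only the archive packaging differs.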