Date: Sun, 22 Jul 2001 23:49:56 -0700
From: Kris Kennaway
To: Warner Losh
Cc: "Dmitry S. Sivachenko", Kris Kennaway, Mario Sergio Fujikawa Ferreira, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/games/hlserver-wasteland Makefile distinfo
Message-ID: <20010722234955.A96953@xor.obsecurity.org>
In-Reply-To: <200107230626.f6N6QGo87352@harmony.village.org>

On Mon, Jul 23, 2001 at 12:26:16AM -0600, Warner Losh wrote:
> In message <20010723100327.A19055@netserv1.chg.ru> "Dmitry S. Sivachenko" writes:
> : If you trust the distfile with version bump (you do, I think),
> : there is no reason to pay special attention to distfile without version bump,
> : IMHO.
>
> Because people generally audit the version bumps more, notice rogue
> versions more, etc. Silently replacing foo-1.1.tar.gz with
> foo-1.1.tar.gz has been used in the past to introduce trojan horses.
> Kris is trying to guard against that.

Yes; basically, it's considered more likely that unauthorised security holes will show up in a distfile which is changed with no version change than one which changes as part of a new version release. In an ideal world, we'd audit all port upgrades, but resources are very finite so we make do as best we can by covering the most dangerous cases.

Kris
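The review heuristic Warner and Kris describe, written up as an added example that is not part of this thread or the ports tree: it parses two revisions of a port's distinfo file (assumed to use the `ALG (distfile) = value` line form, e.g. `MD5 (foo-1.1.tar.gz) = <hex>`) and separates checksum changes under an unchanged distfile name, the silent-replacement case that warrants extra scrutiny, from entries that appear under a new name, the version-bump case. The sample distinfo contents and hashes are constructed.

```python
# Added example, not from the thread: classify distinfo changes between two
# revisions of a FreeBSD port. Lines are assumed to follow 'ALG (file) = value',
# e.g. 'MD5 (foo-1.1.tar.gz) = <hex>' (the 2001-era format) or the later
# 'SHA256 (...) = ...' / 'SIZE (...) = ...' lines.
import re

_LINE = re.compile(r"^(?P<alg>[A-Z0-9]+)\s*\((?P<file>[^)]+)\)\s*=\s*(?P<val>\S+)$")


def parse_distinfo(text):
    """Return {distfile: {alg: value}}; lines not in distinfo form are ignored."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.setdefault(m["file"], {})[m["alg"]] = m["val"]
    return entries


def classify_changes(old_text, new_text):
    """Split a distinfo update into the two cases discussed in the thread.

    'silent' - same distfile name, but a checksum (or size) differs: the file
               was replaced upstream without a version bump; needs review.
    'bump'   - distfile name absent from the old revision: a new version.
    """
    old, new = parse_distinfo(old_text), parse_distinfo(new_text)
    silent, bump = [], []
    for name, sums in new.items():
        if name not in old:
            bump.append(name)
            continue
        for alg, val in sums.items():
            if alg in old[name] and old[name][alg] != val:
                silent.append((name, alg))
    return {"silent": sorted(silent), "bump": sorted(bump)}


def needs_extra_review(old_text, new_text):
    """True when any distfile was replaced without its name changing."""
    return bool(classify_changes(old_text, new_text)["silent"])


# Constructed sample distinfo revisions (hashes are made up, not real digests).
OLD = "MD5 (foo-1.1.tar.gz) = 00000000000000000000000000000001\n"
NEW_BUMP = "MD5 (foo-1.2.tar.gz) = 00000000000000000000000000000002\n"
NEW_SILENT = "MD5 (foo-1.1.tar.gz) = 00000000000000000000000000000003\n"

if __name__ == "__main__":
    print("version bump:", classify_changes(OLD, NEW_BUMP))
    print("silent replacement:", classify_changes(OLD, NEW_SILENT))
    print("needs extra review:", needs_extra_review(OLD, NEW_SILENT))
```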