Date: Mon, 23 Jul 2001 11:17:57 +0400
From: "Dmitry S. Sivachenko"
To: Kris Kennaway
Cc: Warner Losh, "Dmitry S. Sivachenko", Mario Sergio Fujikawa Ferreira, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/games/hlserver-wasteland Makefile distinfo
Message-ID: <20010723111757.B23079@netserv1.chg.ru>

On Sun, Jul 22, 2001 at 11:49:56PM -0700, Kris Kennaway wrote:
> On Mon, Jul 23, 2001 at 12:26:16AM -0600, Warner Losh wrote:
> > In message <20010723100327.A19055@netserv1.chg.ru> "Dmitry S. Sivachenko" writes:
> > : If you trust the distfile with version bump (you do, I think),
> > : there is no reason to pay special attention to distfile without version bump,
> > : IMHO.
> >
> > Because people generally audit the version bumps more, notice rogue
> > versions more, etc. Silently replacing foo-1.1.tar.gz with
> > foo-1.1.tar.gz has been used in the past to introduce trojan horses.
> > Kris is trying to guard against that.
>
> Yes; basically, it's considered more likely that unauthorised security
> holes will show up in a distfile which is changed with no version
> change than one which changes as part of a new version release. In an
> ideal world, we'd audit all port upgrades, but resources are very
> finite so we make do as best we can by covering the most dangerous
> cases.
>

OK, noted.
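
The case discussed in this thread, a distfile that keeps its name while its recorded checksum changes, can be picked out mechanically by comparing two revisions of a port's distinfo. The sketch below is an added example, not part of the original message or of the ports tree; the function names and the sample entries are assumptions made for illustration.

```python
import re

# distinfo lines look like "MD5 (foo-1.1.tar.gz) = <hex>"; later ports add SHA256/SIZE.
_LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {distfile: {field: value}} for one distinfo revision."""
    entries = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:  # anything else (blank lines, RCS tags, TIMESTAMP) is skipped
            field, name, value = m.groups()
            entries.setdefault(name, {})[field.upper()] = value.lower()
    return entries

def classify_changes(old_text, new_text):
    """Sort distfiles into rerolled / added / removed / unverifiable."""
    old, new = parse_distinfo(old_text), parse_distinfo(new_text)
    report = {"rerolled": [], "added": [], "removed": [], "unverifiable": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)      # new name: ordinary version bump
        elif name not in new:
            report["removed"].append(name)
        else:
            shared = set(old[name]) & set(new[name])
            if not shared:
                # Same name but no field in common (e.g. MD5 only -> SHA256 only):
                # distinfo alone cannot show whether the content changed.
                report["unverifiable"].append(name)
            elif any(old[name][f] != new[name][f] for f in shared):
                # Same name, different digest or size: the silent replacement
                # the thread says deserves the audit.
                report["rerolled"].append(name)
    return report

# Constructed sample revisions; the digests are placeholders, not real values.
OLD = """MD5 (foo-1.1.tar.gz) = 00000000000000000000000000000000
MD5 (bar-2.0.tar.gz) = 11111111111111111111111111111111
"""
NEW = """MD5 (foo-1.1.tar.gz) = ffffffffffffffffffffffffffffffff
MD5 (bar-2.1.tar.gz) = 22222222222222222222222222222222
"""

if __name__ == "__main__":
    for kind, names in classify_changes(OLD, NEW).items():
        print(kind, names)
```

A "rerolled" entry only says where to spend review time; deciding whether the change is benign still means diffing the old and new tarball contents.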