Date:      Thu, 5 Apr 2012 14:52:09 -0400
From:      Wesley Shields <wxs@FreeBSD.org>
To:        Michael Scheidell <scheidell@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/www/gist Makefile distinfo
Message-ID:  <20120405185209.GA4439@atarininja.org>
In-Reply-To: <4F7DAD0F.9020504@FreeBSD.org>
References:  <201204050650.q356o8No010393@repoman.freebsd.org> <20120405125508.GA99623@atarininja.org> <4F7DAD0F.9020504@FreeBSD.org>

On Thu, Apr 05, 2012 at 10:32:47AM -0400, Michael Scheidell wrote:
> 
> 
> On 4/5/12 8:55 AM, Wesley Shields wrote:
> >> because size of distfile changed radically
> > Did you take a look at the differences between the old and new distfile?
> > We need to always be vigilant of distfiles changing out from under us
> > and carefully review the changes before we commit the update.
> >
> which is why I added that to the maintainers log.

What is the maintainers log? I don't see anything in the PR audit trail
about this, so you can't be talking about that.

> It was radically different, as you can see by the diffs for distinfo.
> 'distfile changing'?  That was why the maintainer posted the pr, 
> specifically with distfile changing.

How radically different? What was changed? Was it reviewed by you?

> I watch for (and won't take a pr for) a new-port that uses things like 
> 'dropbox/' megaupload :-) or personal accounts (well, maybe 
> people.freebsd.org).
> I have had people tell me they have to use a personal account because 
> the tarball is not available, and they need to 'git' the source.

I agree with you, but that's not relevant here.

> I have had my ports pr's rejected by a maintainer/committer because the 
> PATCH was in people.freebsd.org/~scheidell (and, pointing to the 
> authoritative source as primary.. waiting for the primary source mirrors 
> to catch up.)

OK, but also not relevant.

> in this case, what should I have done? new distfile is 40x the size of
> the original? yeh, it's radically changed. no, the maintainer didn't
> say it was radically changed, I did.

When distfiles change it is normal for a committer to review what
changed between the old and new and at least note that in the commit
message. The whole point is to avoid blindly updating distinfo with
information from a trojaned copy.

Sadly with a 40x size increase it sounds like it may be a lot of review
work. A workaround is to ask upstream for confirmation that the distfile
was intentionally rerolled along with confirmation that the hash you
have is correct. Bonus points if they can point you to a changelog to go
along with the new distfile.

-- WXS
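
The review step discussed in this message, sketched as an added example (not part of the original e-mail and not FreeBSD ports tooling): compare the old and new copies of a rerolled distfile member by member, and check a copy against the SHA256 and SIZE lines in distinfo. The file names, archive contents and the gist-x.tar.gz name are constructed for illustration.

```python
import hashlib, io, re, tarfile

def build_tar(files):
    """Build an in-memory .tar.gz from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(blob):
    """Map every regular file in the archive to the SHA-256 of its contents."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}

def compare_distfiles(old_blob, new_blob):
    """Summarise what a reroll changed, so the review can focus on those paths."""
    old, new = member_digests(old_blob), member_digests(new_blob)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "size_ratio": len(new_blob) / len(old_blob),
    }

def matches_distinfo(blob, distinfo, filename):
    """True only if both the SHA256 and SIZE lines for filename match the blob."""
    def field(key, pattern):
        m = re.search(r"^%s \(%s\) = (%s)$" % (key, re.escape(filename), pattern), distinfo, re.M)
        return m.group(1) if m else None
    return (field("SHA256", "[0-9a-f]{64}") == hashlib.sha256(blob).hexdigest()
            and field("SIZE", r"\d+") == str(len(blob)))

# Constructed sample data: two versions of a distfile published under one name.
OLD = build_tar({"gist-x/gist": b"puts 'gist'\n", "gist-x/README": b"old readme\n"})
NEW = build_tar({"gist-x/gist": b"puts 'gist v2'\n",
                 "gist-x/vendor/json.rb": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(200))})
DISTINFO_OLD = "SHA256 (gist-x.tar.gz) = %s\nSIZE (gist-x.tar.gz) = %d\n" % (
    hashlib.sha256(OLD).hexdigest(), len(OLD))

if __name__ == "__main__":
    print(compare_distfiles(OLD, NEW))
    print("new file matches old distinfo:", matches_distinfo(NEW, DISTINFO_OLD, "gist-x.tar.gz"))
```

The archives are read in memory and never extracted to disk, so an untrusted copy cannot write files during the comparison. The added and changed paths are the ones to read by hand or to raise with upstream.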


