Date: Tue, 8 Apr 2014 14:08:12 +0000 (UTC)
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r350618 - branches/2014Q2/security/keybase
Message-ID: <201404081408.s38E8C9m041565@svn.freebsd.org>
Author: bdrewery
Date: Tue Apr 8 14:08:12 2014
New Revision: 350618
URL: http://svnweb.freebsd.org/changeset/ports/350618
QAT: https://qat.redports.org/buildarchive/r350618/

Log:
  MFH: r350191

  - Update to 0.2.18 [1]
  - Remove need for npm at install time [2]
  - No longer bundle deps [2]
  - Add big warning on how little this project should be trusted

  4 versions since previous 0.2.0 had security fixes, some of which were regressions from the chain. Non-security-marked fixes not listed here, see changelog [1].

  0.2.4 (2014-03-29)
    SECURITY NOTICE
    This release was flawed since it did not pull its dependencies with it.

  0.2.7 (2014-03-29)
    SECURITY BUGFIX
    The previous releases, v0.2.5 and v0.2.6, had broken verification for website proofs. Fixed with an upgrade to proofs v0.0.15

  0.2.13 (2014-04-01)
    SECURITY BUGFIX
    Don't show the GPG script used to generate keys when specifying -d, since it contains the user's password

  0.2.14 (2014-04-02)
    SECURITY BUGFIX
    Sanity-check the server's proof text, in case it's cheating. Check to make sure that the only plausible proof is the one that we made, and that others aren't coming along for the ride. This check comes via keybase-proofs @v0.0.20.

  Changelog [1]: https://github.com/keybase/node-client/compare/v0.2.0...v0.2.18#diff-2

  Submitted by: thierry [2]

Modified:
  branches/2014Q2/security/keybase/Makefile
  branches/2014Q2/security/keybase/distinfo
Directory Properties:
  branches/2014Q2/ (props changed)

Modified: branches/2014Q2/security/keybase/Makefile ============================================================================== --- branches/2014Q2/security/keybase/Makefile Tue Apr 8 14:04:16 2014 (r350617) +++ branches/2014Q2/security/keybase/Makefile Tue Apr 8 14:08:12 2014 (r350618) 
@@ -1,60 +1,29 @@ # $FreeBSD$ PORTNAME= keybase -DISTVERSION= v0.2.0 +PORTVERSION= 0.2.18 CATEGORIES= security -MASTER_SITES= GH \ +MASTER_SITES= https://dist.keybase.io/pkg/files/ \ LOCAL/bdrewery/${PORTNAME}/:DEFAULT,deps \ http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,deps -DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \ - ${DEP_DIST}:deps +EXTRACT_SUFX= .tgz MAINTAINER= bdrewery@freebsd.org COMMENT= Keybase.io client LICENSE= BSD3CLAUSE -BUILD_DEPENDS= npm>=0:${PORTSDIR}/www/npm RUN_DEPENDS= node>=0:${PORTSDIR}/www/node \ gpg:${PORTSDIR}/security/gnupg -# Must bundle deps. -# 1. They are not in ports and doing so creates a large complex task with little -# benefit requiring a lot of maintenance. Hopefully someday we will have -# an npm wrapper similar to BSDPAN. -# 2. npm has absolutely no way to fetch dependencies without installing at the -# same time so this would not build on poudriere due to network restrictions -# outside of 'fetch' phase. See https://github.com/npm/npm/issues/2817 -# 3. A date is used as dependencies can upgrade even without keybase changing -# anything due to dependency patterns not binding to specific versions in -# package.json. I.e., even if the problem of fetching dependencies is -# solved, we want this package to be reproducible. -DEP_DIST_DATE= 20140327 -DEP_DIST_DFMT= %Y%m%d -DEP_DIST_PRE= ${PORTNAME}-deps-${PORTVERSION}-${GH_COMMIT}- -DEP_DIST_POST= .txz -DEP_DIST= ${DEP_DIST_PRE}${DEP_DIST_DATE}${DEP_DIST_POST} - -USE_GITHUB= yes -GH_ACCOUNT= keybase -GH_PROJECT= node-client -GH_COMMIT= 9509986 +WRKSRC= ${WRKDIR}/package +NO_ARCH= yes +NO_BUILD= yes +# Install it a private place instead of polluting lib/node_modules +# which npm(1) owns and will upgrade beneath pkg(8) control. KEYBASE_PREFIX= ${PREFIX}/libexec/${PORTNAME} -# Generate dependency distfile. This is only used by maintainer. 
-makedeps: patch - cd ${WRKSRC} && \ - ${RM} -rf node_modules && \ - dep_fname="${DEP_DIST_PRE}`/bin/date '+${DEP_DIST_DFMT}'`${DEP_DIST_POST}" && \ - tar -cJf $${dep_fname} node_modules/ && \ - ${MV} -f $${dep_fname} ${_DISTDIR}/ && \ - cd ${.CURDIR} && \ - ${MAKE} makesum - -post-extract: - @${MV} ${WRKDIR}/node_modules ${WRKSRC}/node_modules - add-plist-post: npm-auto-plist npm-auto-plist: @@ -66,8 +35,10 @@ npm-auto-plist: do-install: @${MKDIR} ${WRKDIR}/tmp ${STAGEDIR}${KEYBASE_PREFIX}/lib - cd ${STAGEDIR}${KEYBASE_PREFIX}/lib && ${SETENV} HOME=${WRKDIR}/tmp \ - ${LOCALBASE}/bin/npm install ${WRKSRC} + (cd ${WRKSRC} && \ + ${COPYTREE_SHARE} \* \ + ${STAGEDIR}${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}) + ${CHMOD} +x ${STAGEDIR}${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}/bin/main.js ${LN} -s ${KEYBASE_PREFIX}/lib/node_modules/${PORTNAME}/bin/main.js \ ${STAGEDIR}${PREFIX}/bin/${PORTNAME} Modified: branches/2014Q2/security/keybase/distinfo ============================================================================== --- branches/2014Q2/security/keybase/distinfo Tue Apr 8 14:04:16 2014 (r350617) +++ branches/2014Q2/security/keybase/distinfo Tue Apr 8 14:08:12 2014 (r350618) @@ -1,4 +1,2 @@ -SHA256 (keybase-v0.2.0.tar.gz) = 4ca20da5e5f371e63521a838416da73ff54deeae7c71a1441670f9322ddbe723 -SIZE (keybase-v0.2.0.tar.gz) = 594085 -SHA256 (keybase-deps-v0.2.0-9509986-20140327.txz) = 886220149b109ac1face08976837259f7a021f08c02e663d637327b546adbb08 -SIZE (keybase-deps-v0.2.0-9509986-20140327.txz) = 1946868 +SHA256 (keybase-0.2.18.tgz) = fd89326a60274b64401247f2b13d5b17ca8432eb4b458a7cec997d59ccdf6ce0 +SIZE (keybase-0.2.18.tgz) = 3727320
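Review bot: In the first Makefile hunk (@@ -1,60 +1,29 @@), the two retained MASTER_SITES entries (LOCAL/bdrewery and mirror.shatow.net) still carry the `:DEFAULT,deps` group tag, although the `${DEP_DIST}:deps` distfile and the whole DISTFILES assignment are removed, so nothing refers to the `deps` group any more. Drop the tag from both entries so the fallback sites read as plain mirrors of the single distfile. Two smaller points in the same hunk: the new comment "Install it a private place" is missing "in", and the log promises a big warning about how little the project should be trusted, yet no warning text appears in the Makefile lines shown here, so the log should say which file carries it.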
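Review bot: In the do-install hunk (@@ -66,8 +35,10 @@), the unchanged `@${MKDIR} ${WRKDIR}/tmp ${STAGEDIR}${KEYBASE_PREFIX}/lib` line still creates `${WRKDIR}/tmp`, whose only visible use was the removed `HOME=${WRKDIR}/tmp` for the npm call; drop it from the MKDIR. Also, `${COPYTREE_SHARE}` installs files with share permissions and only `bin/main.js` gets `${CHMOD} +x` afterwards, so confirm that no other script shipped in the package needs its executable bit restored.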
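Review bot: In the distinfo hunk, the one remaining distfile is 3727320 bytes against 594085 for the old source tarball, which together with NO_BUILD and the dropped npm dependency suggests the upstream .tgz now ships its own node_modules. The log line "No longer bundle deps" should say that the dependencies are bundled by upstream rather than by the port, because this single SHA256 is now the only thing pinning them, and the rationale from the removed "Must bundle deps" comment (reproducibility) deserves a one-line replacement in the Makefile.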