Date: Thu, 05 Apr 2012 12:15:41 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Wesley Shields <wxs@FreeBSD.org>
Cc: Michael Scheidell <scheidell@FreeBSD.org>, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/www/gist Makefile distinfo
Message-ID: <4F7DEF5D.9020908@FreeBSD.org>
In-Reply-To: <20120405185209.GA4439@atarininja.org>
References: <201204050650.q356o8No010393@repoman.freebsd.org>
 <20120405125508.GA99623@atarininja.org>
 <4F7DAD0F.9020504@FreeBSD.org>
 <20120405185209.GA4439@atarininja.org>

On 4/5/2012 11:52 AM, Wesley Shields wrote:

> When distfiles change it is normal for a committer to review what
> changed between the old and new and at least note that in the commit
> message.

It's not just normal, it's required. In this situation I think that the
commit should probably be backed out, and the port marked BROKEN until
the questions about the new distfile can be adequately answered.

Doug

> The whole point is to avoid blindly updating distinfo with
> information from a trojaned copy.
>
> Sadly with a 40x size increase it sounds like it may be a lot of review
> work. A workaround is to ask upstream for confirmation that the distfile
> was intentionally rerolled along with confirmation that the hash you
> have is correct. Bonus points if they can point you to a changelog to go
> along with the new distfile.
>
> -- WXS
>
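
The review discussed in this message (what changed between the old and the new distfile, and which hash would go into distinfo), sketched as an added example that is not part of the original e-mail or of the ports tree. The function names, the sample archives and the choice to ignore the top-level directory are assumptions made for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files):
    """Build an in-memory .tar.gz from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest(blob):
    """Return {path: sha256} for regular files, read in memory (nothing is extracted or run)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            if m.isfile():
                # Assumption: drop the top-level directory, which often differs between rolls.
                path = m.name.split("/", 1)[-1]
                out[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def review_reroll(old_blob, new_blob):
    """Summarise what changed between the old and the new distfile."""
    old, new = manifest(old_blob), manifest(new_blob)
    return {
        "old_sha256": hashlib.sha256(old_blob).hexdigest(),
        "new_sha256": hashlib.sha256(new_blob).hexdigest(),
        "size_ratio": len(new_blob) / len(old_blob),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

# Constructed sample distfiles (not the real gist distfiles).
FILLER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(200))
OLD = make_tar({"gist-a/gist.rb": b"puts 1\n", "gist-a/README": b"readme\n"})
NEW = make_tar({"gist-b/gist.rb": b"puts 2\n", "gist-b/README": b"readme\n",
                "gist-b/vendor/blob.bin": FILLER})

if __name__ == "__main__":
    for key, value in review_reroll(OLD, NEW).items():
        print(f"{key}: {value}")
```

The added, removed and changed lists are what a commit message would summarise; the new SHA256 is the value to ask upstream to confirm.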