From owner-cvs-all@FreeBSD.ORG  Thu Apr  5 19:15:42 2012
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@FreeBSD.org
Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35])
	by hub.freebsd.org (Postfix) with ESMTP id 60D011065673;
	Thu,  5 Apr 2012 19:15:42 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: from [127.0.0.1] (hub.freebsd.org [IPv6:2001:4f8:fff6::36])
	by mx2.freebsd.org (Postfix) with ESMTP id E5AB0151D92;
	Thu,  5 Apr 2012 19:15:41 +0000 (UTC)
Message-ID: <4F7DEF5D.9020908@FreeBSD.org>
Date: Thu, 05 Apr 2012 12:15:41 -0700
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Wesley Shields <wxs@FreeBSD.org>
References: <201204050650.q356o8No010393@repoman.freebsd.org>
	<20120405125508.GA99623@atarininja.org>
	<4F7DAD0F.9020504@FreeBSD.org>
	<20120405185209.GA4439@atarininja.org>
In-Reply-To: <20120405185209.GA4439@atarininja.org>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Michael Scheidell <scheidell@FreeBSD.org>, cvs-ports@FreeBSD.org,
	cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/www/gist Makefile distinfo
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the entire tree
	<cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 19:15:42 -0000

On 4/5/2012 11:52 AM, Wesley Shields wrote:

> When distfiles change it is normal for a committer to review what
> changed between the old and new and at least note that in the commit
> message.

It's not just normal, it's required.

In this situation I think that the commit should probably be backed out,
and the port marked BROKEN until the questions about the new distfile
can be adequately answered.

Doug

> The whole point is to avoid blindly updating distinfo with
> information from a trojaned copy.
> 
> Sadly with a 40x size increase it sounds like it may be a lot of review
> work. A workaround is to ask upstream for confirmation that the distfile
> was intentionally rerolled along with confirmation that the hash you
> have is correct. Bonus points if they can point you to a changelog to go
> along with the new distfile.
> 
> -- WXS
>