Date:      Tue, 17 Feb 2004 14:20:46 +0100
From:      Michael Nottebrock <michaelnottebrock@gmx.net>
To:        des@des.no (Dag-Erling Smørgrav)
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: cvs commit: ports/devel/tmake Makefile distinfo
Message-ID:  <200402171420.47274.michaelnottebrock@gmx.net>
In-Reply-To: <xzpr7wtn98t.fsf@dwp.des.no>
References:  <200402091336.i19Da8nQ019809@repoman.freebsd.org> <200402171404.30701.michaelnottebrock@gmx.net> <xzpr7wtn98t.fsf@dwp.des.no>

On Tuesday 17 February 2004 14:09, Dag-Erling Smørgrav wrote:
> Michael Nottebrock <michaelnottebrock@gmx.net> writes:
> > On Tuesday 17 February 2004 13:49, Kris Kennaway wrote:
> > > On Mon, Feb 09, 2004 at 02:07:32PM -0800, Kris Kennaway wrote:
> > > > On Mon, Feb 09, 2004 at 05:36:08AM -0800, Michael Nottebrock wrote:
> > > > >   Log:
> > > > >   Fix distinfo, SIZEify.
> > > >
> > > > You forgot to summarize what changed.
> > >
> > > I didn't see a followup to this.
> >
> > I have no idea what you expect me to write.
>
> When the checksum of a distfile changes, there is a considerable risk
> that someone may have trojaned the distfile.  As a port maintainer,
> you are expected to verify that this is not the case before updating
> the checksum in distinfo.  You are also expected to summarize the
> reason for the changed checksum in the commit message so that The Rest
> Of Us[tm] can rest assured that you have indeed verified that the
> distfile was not trojaned.

I didn't know that I was supposed to perform a security audit and I did not do
so. So if anyone happens to have the old distfile still around, please send
it my way, cause I don't. I suggest next time instead of marking a port as
BROKEN= Checksum mismatch, mark it as BROKEN= Needs security audit so I won't
be tempted to fix it.

-- 
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
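
The check requested in the quoted reply, sketched as an added example that is not part of the original message or of the FreeBSD ports tooling: a member-by-member comparison of the old and new distfile that produces the "what changed" summary for the commit log. It assumes both archives are still available; the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each archive member to a fingerprint of its content and mode."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                # Directories, links, devices: record type and link target.
                body = f"type={m.type.decode()} link={m.linkname}"
            out[m.name] = f"{body} mode={m.mode:o}"  # mode catches new setuid/exec bits
    return out


def diff_distfiles(old_bytes, new_bytes):
    """Summarize what changed between two versions of a distfile."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def make_tar(files, mtime=0):
    """Build a constructed sample archive in memory from {name: (data, mode)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, (data, mode) in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(data), mode, mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data, not the real tmake distfile.
BASE = {"example-1.0/README": (b"docs\n", 0o644),
        "example-1.0/build.sh": (b"#!/bin/sh\nmake\n", 0o755)}
OLD = make_tar(BASE, mtime=1000)
REROLLED = make_tar(BASE, mtime=2000)  # same content, repackaged later
MODIFIED = make_tar({**BASE, "example-1.0/build.sh": (b"#!/bin/sh\nmake all\n", 0o755),
                     "example-1.0/LICENSE": (b"BSD\n", 0o644)}, mtime=2000)

if __name__ == "__main__":
    for label, new in (("rerolled", REROLLED), ("modified", MODIFIED)):
        print(label, hashlib.sha256(new).hexdigest()[:16], diff_distfiles(OLD, new))
```

A re-rolled archive changes the distfile checksum even though every member is identical, so an empty diff is itself a result worth stating in the commit message; any entry under "changed" or "added" is what needs reading before the checksum is updated.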
