From owner-freebsd-ports@FreeBSD.ORG Sat Dec 19 08:02:15 2009
Message-ID: <4B2C888A.6000006@FreeBSD.org>
Date: Sat, 19 Dec 2009 00:02:18 -0800
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Dominic Fandrey
Cc: Mark Linimon, freebsd-ports@freebsd.org
Subject: Re: ioquake3 support more platforms
References: <4B2A52DB.5020602@bsdforen.de> <20091218065728.GC29158@lonesome.com> <4B2B681A.1090908@bsdforen.de>
In-Reply-To: <4B2B681A.1090908@bsdforen.de>
List-Id: Porting software to FreeBSD

Dominic Fandrey wrote:
> But that's not different for any port. E.g. sysutils/bsdadminscripts is
> all mine, I create the distfiles and maintain the port, there is no
> guarantee that I don't do evil apart from me being quite certain that
> I don't.
Mark already pointed out that maintainers and committers actually _do_
have a responsibility to dig into changes, be knowledgeable about
upgrades, etc. I agree with his perspective on this.

> Why can one assume that an ioquake release is safe?

One really cannot.

> It's made by the same people who maintain the non-trustworthy SVN.
>
> What if I created a sourceforge project freebsd-ioquake and published
> my distfiles there as ioquake freebsd releases. Would it suddenly
> turn trustworthy?

The security problems involved in trying to audit a fixed, known set of
files are minuscule compared to the problems involved in auditing a set
of files that can change on a minute-by-minute basis. The whole concept
of creating a FreeBSD port that checks source files out of a third-party
svn repository is anathema to the whole concept of ports security.

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/
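The point Doug makes about "a fixed, known set of files" is what the ports tree's distinfo mechanism gives a maintainer: a release tarball is pinned by its recorded SHA256 and size, so the file that was audited is provably the file that gets built, while a bare svn checkout has nothing to pin it against. The script below is an added illustration, not code from this thread or from the FreeBSD ports infrastructure; it models the `SHA256 (file) = hash` / `SIZE (file) = bytes` line format of a ports distinfo file, uses a constructed sample "distfile", and the function names `sha256_of`, `make_distinfo`, `verify_distfile` and `demo` are this example's own.

```shell
#!/bin/sh
# Added example: pin and verify a release distfile the way a ports distinfo does.
# Function names and the sample distfile are constructed for this example.

# Portable SHA256 of one file (FreeBSD ships sha256(1), Linux sha256sum(1)).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

size_of() {
    wc -c < "$1" | tr -d ' '
}

# Emit distinfo-style lines for the named files in $distdir.
# This is the "fixed, known set of files" a maintainer audits once.
make_distinfo() {
    distdir=$1
    shift
    for name in "$@"; do
        echo "SHA256 ($name) = $(sha256_of "$distdir/$name")"
        echo "SIZE ($name) = $(size_of "$distdir/$name")"
    done
}

# Verify every file listed in a distinfo file against what is on disk.
# Returns 0 only when every file is present with the recorded size and hash;
# a file fetched from a moving target (an svn HEAD) has no such record to check.
verify_distfile() {
    distinfo=$1
    distdir=$2
    rc=0
    for name in $(sed -n 's/^SHA256 (\(.*\)) = .*/\1/p' "$distinfo"); do
        want_hash=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
        want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
        file="$distdir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING           $name"; rc=1; continue
        fi
        if [ "$(size_of "$file")" != "$want_size" ]; then
            echo "SIZE MISMATCH     $name"; rc=1; continue
        fi
        if [ "$(sha256_of "$file")" != "$want_hash" ]; then
            echo "CHECKSUM MISMATCH $name"; rc=1; continue
        fi
        echo "OK                $name"
    done
    return $rc
}

# Demonstration with a constructed distfile: verification passes for the
# file that was recorded, then fails once a single byte is appended.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed sample release tarball contents\n' > "$tmp/sample-1.0.tar.gz"
    make_distinfo "$tmp" sample-1.0.tar.gz > "$tmp/distinfo"
    echo "--- recorded distinfo ---"
    cat "$tmp/distinfo"
    echo "--- verify pristine distfile ---"
    verify_distfile "$tmp/distinfo" "$tmp"
    printf 'x' >> "$tmp/sample-1.0.tar.gz"
    echo "--- verify after tampering ---"
    verify_distfile "$tmp/distinfo" "$tmp" || echo "verification failed as expected"
    rm -rf "$tmp"
}

demo
```

Run it with `sh` on either FreeBSD or Linux; the second verification reports a size mismatch (and would report a checksum mismatch had only the contents changed at equal length), which is exactly the signal a maintainer loses when the build fetches from a repository instead of a pinned distfile.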