From owner-cvs-all@FreeBSD.ORG Tue Dec 14 03:08:09 2010
Delivered-To: cvs-all@FreeBSD.org
Received: by hub.freebsd.org (Postfix, from userid 1033) id A0E251065672; Tue, 14 Dec 2010 03:08:09 +0000 (UTC)
Date: Tue, 14 Dec 2010 03:08:09 +0000
From: Alexey Dokuchaev
To: Wesley Shields
Message-ID: <20101214030809.GB20090@FreeBSD.org>
References: <201012130437.oBD4bHEq008860@repoman.freebsd.org> <20101213164130.GA48218@atarininja.org> <4D06639E.1080405@p6m7g8.com> <20101213183453.GA27831@atarininja.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20101213183453.GA27831@atarininja.org>
User-Agent: Mutt/1.4.2.1i
Cc: "Philip M. Gollucci" , cvs-ports@FreeBSD.org, "Philip M. Gollucci" , cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/chinese/ibus-chewing distinfo
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the entire tree
X-List-Received-Date: Tue, 14 Dec 2010 03:08:09 -0000

On Mon, Dec 13, 2010 at 01:34:53PM -0500, Wesley Shields wrote:
> On Mon, Dec 13, 2010 at 06:19:10PM +0000, Philip M. Gollucci wrote:
> > On 12/13/10 16:41, Wesley Shields wrote:
> > > On Mon, Dec 13, 2010 at 04:37:17AM +0000, Philip M. Gollucci wrote:
> > >> pgollucci 2010-12-13 04:37:17 UTC
> > >>
> > >> Modified files:
> > >> chinese/ibus-chewing distinfo
> > >> Log:
> > >> - Fix checksum
> > >
> > > I thought it was a good idea to state what changed when a distfile was
> > > re-rolled without a version bump.
> >
> > Well it is, but they re-rolled in between my tb test, commit and QAT
> > processing it. I can go dig it up but I was just trying to fix the QAT
> > nag mail at the time.
>
> I'm not requesting that you do that, but it could potentially be a
> malicious distfile now. We need to be extra careful not to propagate
> those if we can help it, hence the suggestion to document what was
> changed in order to show due diligence.
>
> I realize the chances of this one being malicious are small, but it is
> best to diff the two before commit, even if QAT is angry at you.

It does not matter how low the chances are. It is clearly *required* (both by
common sense and our policy) to manually review any differences in distfiles
when a checksum silently changes without an obvious reason. Confirming with the
upstream developer/maintainer is also a good thing to do. I am surprised we
even need to discuss these things.

./danfe
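The "diff the two before commit" step the thread insists on, as an added example that is neither part of the thread nor a FreeBSD ports tool: a small POSIX sh script that extracts two distfile tarballs, hashes every file and diffs the resulting manifests, run here against constructed sample tarballs (the `pkg-1.0` name, file names and contents are assumptions).

```sh
#!/bin/sh
# Added example, not code from the thread: compare the contents of two
# distfile tarballs (the one recorded in distinfo and the re-rolled one)
# and report every added, removed or changed file, so a reviewer sees what
# upstream changed before updating the checksum. Assumes POSIX sh with
# tar, find, diff and sha256sum (or shasum); sample file names are constructed.
set -eu
# Fallback for systems that ship shasum instead of sha256sum.
if ! command -v sha256sum >/dev/null 2>&1; then sha256sum() { shasum -a 256 "$@"; }; fi

# Print "sha256  ./path" for every regular file in a tarball, sorted by path.
tar_manifest() {
    _dir=$(mktemp -d)
    tar -xf "$1" -C "$_dir"
    ( cd "$_dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
      done )
    rm -rf "$_dir"
}

# Diff the manifests of two tarballs: prints a unified diff when they
# differ; returns 0 for identical contents, 1 otherwise.
compare_distfiles() {
    _a=$(mktemp); _b=$(mktemp)
    tar_manifest "$1" > "$_a"
    tar_manifest "$2" > "$_b"
    _rc=0
    diff -u "$_a" "$_b" || _rc=1
    rm -f "$_a" "$_b"
    return "$_rc"
}

# Constructed samples: an original tarball and a re-rolled one whose only
# difference is one changed source file. Prints the directory holding both.
make_sample_distfiles() {
    _d=$(mktemp -d)
    mkdir -p "$_d/pkg-1.0"
    printf 'int main(void) { return 0; }\n' > "$_d/pkg-1.0/main.c"
    tar -cf "$_d/pkg-1.0.tar" -C "$_d" pkg-1.0
    printf 'int main(void) { return 1; }\n' > "$_d/pkg-1.0/main.c"
    tar -cf "$_d/pkg-1.0-rerolled.tar" -C "$_d" pkg-1.0
    printf '%s\n' "$_d"
}

# Stand-alone run: show what a reviewer would see for the re-rolled file.
d=$(make_sample_distfiles)
compare_distfiles "$d/pkg-1.0.tar" "$d/pkg-1.0-rerolled.tar" ||
    echo "contents differ: review the diff above before updating distinfo"
rm -rf "$d"
```

Pointing the script at the distfile whose checksum is in distinfo and the freshly fetched one shows the upstream change itself, which is what the commit log can then record.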