Date: Sat, 19 Dec 2009 15:59:35 +0100
From: Dominic Fandrey <kamikaze@bsdforen.de>
To: Doug Barton <dougb@FreeBSD.org>
Cc: Mark Linimon <linimon@lonesome.com>, freebsd-ports@freebsd.org
Subject: Re: ioquake3 support more platforms
Message-ID: <4B2CEA57.5050904@bsdforen.de>
In-Reply-To: <4B2C888A.6000006@FreeBSD.org>
References: <4B2A52DB.5020602@bsdforen.de> <20091218065728.GC29158@lonesome.com> <4B2B681A.1090908@bsdforen.de> <4B2C888A.6000006@FreeBSD.org>
Doug Barton wrote:
> Dominic Fandrey wrote:
>> But that's not different for any port. E.g. sysutils/bsdadminscripts is
>> all mine, I create the distfiles and maintain the port, there is no
>> guarantee that I don't do evil apart from me being quite certain that
>> I don't.
>
> Mark already pointed out that maintainers and committers actually _do_
> have a responsibility to dig into changes, be knowledgeable about
> upgrades, etc. I agree with his perspective on this.
>
>> Why can one assume that an ioquake release is safe? One really cannot.
>> It's made by the same people who maintain the non-trustworthy SVN.
>>
>> What if I created a sourceforge project freebsd-ioquake and published
>> my distfiles there as ioquake freebsd releases. Would it suddenly
>> turn trustworthy?
>
> The security problems involved in trying to audit a fixed, known set
> of files are minuscule compared to the problems involved in auditing a
> set of files that can change on a minute by minute basis. The whole
> concept of creating a FreeBSD port that checks source files out of a
> third-party svn repository is anathema to the whole concept of ports
> security.

Even if the files were directly checked out from SVN, they'd be checked
out from a tested point in time. But this is not the case we're talking
about (I explained the process in sufficient detail, I think).

I take an up-to-date snapshot, apply my patch set, make a couple of test
builds and runs, and update the patch set until everything works as
expected. Then I wrap the whole thing (SVN snapshot and my patches) up in
a tar.gz and upload it to an ftp server.

There's no danger that anything changes. I'm not about to break md5 and
sha256.

--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?