Date:      Sat, 19 Dec 2009 15:59:35 +0100
From:      Dominic Fandrey <kamikaze@bsdforen.de>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        Mark Linimon <linimon@lonesome.com>, freebsd-ports@freebsd.org
Subject:   Re: ioquake3 support more platforms
Message-ID:  <4B2CEA57.5050904@bsdforen.de>
In-Reply-To: <4B2C888A.6000006@FreeBSD.org>
References:  <4B2A52DB.5020602@bsdforen.de> <20091218065728.GC29158@lonesome.com> <4B2B681A.1090908@bsdforen.de> <4B2C888A.6000006@FreeBSD.org>

Doug Barton wrote:
> Dominic Fandrey wrote:
>> But that's not different for any port. E.g. sysutils/bsdadminscripts is
>> all mine, I create the distfiles and maintain the port, there is no
>> guarantee that I don't do evil apart from me being quite certain that
>> I don't.
> 
> Mark already pointed out that maintainers and committers actually _do_
> have a responsibility to dig into changes, be knowledgeable about
> upgrades, etc. I agree with his perspective on this.
> 
>> Why can one assume that an ioquake release is safe? One really cannot.
>> It's made by the same people who maintain the non-trustworthy SVN.
>>
>> What if I created a sourceforge project freebsd-ioquake and published
>> my distfiles there as ioquake freebsd releases. Would it suddenly
>> turn trustworthy?
> 
> The security problems involved in trying to audit a fixed, known set
> of files are minuscule compared to the problems involved in auditing a
> set of files that can change on a minute by minute basis. The whole
> concept of creating a FreeBSD port that checks source files out of a
> third-party svn repository is anathema to the whole concept of ports
> security.

Even if the files were directly checked out from SVN, they'd be
checked out from a tested point in time.

But this is not the case we're talking about (I explained the process
in sufficient detail, I think). I take an up to date snapshot, apply my
patch set, make a couple of test builds and runs, update the patch set
until everything works as expected. Then I wrap the whole thing (SVN
snapshot and my patches) up in a tar.gz and upload it to an ftp server.

There's no danger that anything changes. I'm not about to break md5 and
sha256. 

-- 
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail? 
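The point both sides of the thread rely on is that a port fetches a fixed distfile and the ports framework refuses to build it unless its SHA256 and size match what the maintainer recorded in distinfo, whereas a live SVN checkout has nothing comparable to check against. The following script, added here as an illustration and not part of the thread or of the ioquake3 port, shows that check in isolation: it parses a distinfo file in the FreeBSD ports format (one "SHA256 (name) = hash" and one "SIZE (name) = bytes" line per distfile; older MD5 lines are ignored), verifies a downloaded file against it, and demonstrates that a distfile altered after the checksum was recorded fails even when its size is unchanged. The distfile name, its contents and the distinfo text are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Constructed inputs: a stand-in for a distfile tarball and its name.
# Neither is the real ioquake3 snapshot discussed in the thread.
DISTFILE_NAME = "ioquake3-snapshot-EXAMPLE.tar.gz"
DISTFILE_BYTES = b"constructed stand-in for an SVN snapshot plus patches\n" * 64

# One "KIND (name) = value" line per attribute, as in a ports distinfo file.
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE)\s+\((.+?)\)\s*=\s*(\S+)$")


def parse_distinfo(text):
    """Map each distfile name to its expected SHA256 (hex) and SIZE (int).

    Lines of other kinds (e.g. the MD5 lines older distinfo files carried)
    are ignored rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue
        kind, name, value = m.groups()
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def verify_distfile(path, expected):
    """Return (ok, reasons): ok only if size and SHA256 both match distinfo."""
    reasons = []
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    if "SIZE" not in expected:
        reasons.append("distinfo has no SIZE line")
    elif size != expected["SIZE"]:
        reasons.append("size %d != expected %d" % (size, expected["SIZE"]))
    if "SHA256" not in expected:
        reasons.append("distinfo has no SHA256 line")
    elif digest.hexdigest() != expected["SHA256"]:
        reasons.append("sha256 mismatch")
    return (not reasons, reasons)


def make_distinfo(name, data):
    """Build the distinfo text a maintainer records for a fixed distfile."""
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
        name, hashlib.sha256(data).hexdigest(), name, len(data))


def demo():
    """Check the pristine distfile, then a tampered one; return both verdicts."""
    distinfo = parse_distinfo(make_distinfo(DISTFILE_NAME, DISTFILE_BYTES))
    expected = distinfo[DISTFILE_NAME]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, DISTFILE_NAME)
        with open(path, "wb") as f:
            f.write(DISTFILE_BYTES)
        clean_ok, _ = verify_distfile(path, expected)
        # Simulate a silently changed upload: same size, one byte flipped.
        tampered = bytearray(DISTFILE_BYTES)
        tampered[0] ^= 0x01
        with open(path, "wb") as f:
            f.write(bytes(tampered))
        tampered_ok, reasons = verify_distfile(path, expected)
    return clean_ok, tampered_ok, reasons


if __name__ == "__main__":
    print(demo())
```

In a real port the same two steps are the framework's own targets: "make makesum" records the hashes and sizes into distinfo when the maintainer commits a new distfile, and "make checksum" performs the verification at fetch time. The security property rests on distinfo living in the ports tree, where committers can review it, rather than on the server that hosts the tarball.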
