Date: Thu, 23 Jan 2014 23:15:33 +0100
From: John Marino <freebsd.contact@marino.st>
To: Eitan Adler <eadler@freebsd.org>
Cc: "svn-ports-head@freebsd.org" <svn-ports-head@freebsd.org>, Baptiste Daroussin <bapt@freebsd.org>, marino@freebsd.org, "svn-ports-all@freebsd.org" <svn-ports-all@freebsd.org>, "ports-committers@freebsd.org" <ports-committers@freebsd.org>
Subject: Re: svn commit: r337624 - head/games/daimonin-music
Message-ID: <52E19485.2090206@marino.st>
In-Reply-To: <CAF6rxg=msRc5qkn0h-0fZdVyCjiFXNGV2eCwHZK-KGaCWf0qAw@mail.gmail.com>
References: <201312262215.rBQMF1ZF002032@svn.freebsd.org> <20131226223743.GV40122@ithaqua.etoilebsd.net> <52BCB084.3040504@marino.st> <20131226224813.GW40122@ithaqua.etoilebsd.net> <CAF6rxg=msRc5qkn0h-0fZdVyCjiFXNGV2eCwHZK-KGaCWf0qAw@mail.gmail.com>
On 1/23/2014 23:09, Eitan Adler wrote:
> On Thu, Dec 26, 2013 at 5:48 PM, Baptiste Daroussin <bapt@freebsd.org> wrote:
>> On Thu, Dec 26, 2013 at 11:41:08PM +0100, John Marino wrote:
>>> On 12/26/2013 23:37, Baptiste Daroussin wrote:
>>>> On Thu, Dec 26, 2013 at 10:15:01PM +0000, John Marino wrote:
>>>>> Author: marino
>>>>> Date: Thu Dec 26 22:15:01 2013
>>>>> New Revision: 337624
>>>>> URL: http://svnweb.freebsd.org/changeset/ports/337624
>>>>>
>>>> The port itself is still wrong, NO_CHECKSUM is still being used, while
>>>> bsd.port.mk specifically says it is not to be used inside a port, so this should
>>>> either be fixed or the port should remain broken.
>>>>
>>>
>>> I saw later this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=170052
>>>
>>> It is taken by eadler@. The patch itself is no longer good but at least
>>> there was some attempt to fix it. I did not know NO_CHECKSUM was
>>> internal use only. It built fine in poudriere, which is where I tested
>>> it. Is eadler going to follow up? or at least release the PR?
>>>
>>> John
>>
>> eadler is afk for a moment, just take the pr ;)
>> if he complains tell him that's my fault
>
> late reply!
>
> PRs should never be considered hard locks.
>
> I was looking into a solution that would ensure security but also not
> generate regular work for the maintainer. Mere data files *could*
> cause security issues if not validated, for example if maliciously
> altered to cause the program to crash or run arbitrary code.

If I remember correctly, the entire concept was flawed. The original
maintainer recognized that the distfile could get rerolled. He was
setting up a method where the port would not break if/when it was
rerolled. Obviously that's absurd and opens the door wide open for
attack. The solution was to generate distinfo and just let a reroll
temporarily break the port.

Incidentally, it was not rerolled in the last couple of years.

John
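The check that NO_CHECKSUM skips, as an added shell example (not bsd.port.mk code and not from anyone in the thread): it records a distinfo entry for a constructed stand-in distfile the way `make makesum` would, then shows that a rerolled archive under the same file name fails verification whether or not its size changed. The file name and contents are constructed; only the `SHA256 (file) = ...` / `SIZE (file) = ...` line shape is the real distinfo format.

```shell
# Added example, not bsd.port.mk code: a minimal stand-in for the distinfo
# verification that NO_CHECKSUM skips ("SHA256 (file) = hex", "SIZE (file) = n").
# Portable SHA-256 of a file (sha256sum on Linux, sha256 -q on FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# makesum DISTFILE DISTINFO: record hash and size, as "make makesum" does.
makesum() {
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")" >"$2"
    printf 'SIZE (%s) = %s\n' "$name" "$(wc -c <"$1" | tr -d ' ')" >>"$2"
}

# checksum DISTFILE DISTINFO: succeed only if an entry exists and both match.
checksum() {
    name=$(basename "$1")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$2")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$2")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $name" >&2; return 1
    fi
    if [ "$(wc -c <"$1" | tr -d ' ')" != "$want_size" ]; then
        echo "size mismatch for $name" >&2; return 1
    fi
    if [ "$(sha256_of "$1")" != "$want_sum" ]; then
        echo "checksum mismatch for $name" >&2; return 1
    fi
}

# Demo on constructed files: clean fetch passes; two rerolls under the same name fail.
demo_reroll() {
    tmp=$(mktemp -d)
    f="$tmp/daimonin-music-1.0.tar.gz"          # constructed stand-in, not real data
    printf 'ogg data v1\n' >"$f"
    makesum "$f" "$tmp/distinfo"
    checksum "$f" "$tmp/distinfo" && r1=ok || r1=fail
    printf 'ogg data v1 rerolled\n' >"$f"      # reroll that changes the size
    checksum "$f" "$tmp/distinfo" && r2=ok || r2=fail
    printf 'ogg data v2\n' >"$f"               # reroll with same size, different bytes
    checksum "$f" "$tmp/distinfo" && r3=ok || r3=fail
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}
```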
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52E19485.2090206>