From: Kris Kennaway
To: Will Andrews, Warner Losh, Peter Pentchev, ports@FreeBSD.org, kris@FreeBSD.org, security-officer@FreeBSD.org
Date: Thu, 14 Dec 2000 10:11:46 -0800
Subject: Re: cvs commit: ports/databases/gigabase distinfo
Message-ID: <20001214101146.A26851@citusc.usc.edu>

On Thu, Dec 14, 2000 at 12:47:34PM -0500, Will Andrews wrote:
> On Thu, Dec 14, 2000 at 10:26:20AM -0700, Warner Losh wrote:
> > Actually, I see a good reason for noting it. In the past there have
> > been sites that have been compromised and the new checksum alerted
> > people to the trojan. That's why we need to make sure that when
> > checksums change, they are on purpose. Noting that fact in the commit
> > log (but maybe not to the level of detail) is prudent and saves the SO
> > from having to wonder if we've just introduced a trojan into our
> > system.
>
> OK, but the author really should have documented it himself.. I did say
> that if the author hasn't done this part, then it's probably not worth
> upgrading. Although I see the point in doing this anyway, I hope people
> save themselves the time by using the script in ports/Tools.

We have to chase the checksum so the port still works. But we (the
FreeBSD security community) need assurances that the change was benign
and not a trojan introduced by a compromised server, and the ports
community needs assurances that the software functionality has or has
not changed significantly. Sure, it's bad release engineering for an
author to do the latter, but it happens and we have to deal with it.

Kris
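
Added example (not part of the original message, and not the script in ports/Tools): one way to get the assurance described above when an upstream tarball is re-rolled is to compare the old and new distfiles member by member before the checksum in distinfo is updated. The function names and the two sample tarballs are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each member of a tarball to a digest of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
            else:  # links, directories, devices: record type and link target
                digests[member.name] = f"type={member.type!r} link={member.linkname}"
    return digests


def compare_distfiles(old_bytes, new_bytes):
    """Return (added, removed, changed) member names between two tarballs."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed


def make_tarball(files):
    """Build a constructed in-memory .tar.gz from {name: bytes} (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: upstream re-rolled the same version with an edited
# README and a new install script; main.c is byte-for-byte unchanged.
OLD = make_tarball({"pkg-1.0/README": b"v1.0\n", "pkg-1.0/main.c": b"int main(){return 0;}\n"})
NEW = make_tarball({"pkg-1.0/README": b"v1.0 (typo fixed)\n",
                    "pkg-1.0/main.c": b"int main(){return 0;}\n",
                    "pkg-1.0/install.sh": b"#!/bin/sh\n"})

if __name__ == "__main__":
    added, removed, changed = compare_distfiles(OLD, NEW)
    print("added:", added, "removed:", removed, "changed:", changed)
```

The added and changed lists are what a committer would read through and summarize in the commit log alongside the new checksum.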