Date:      Mon, 26 May 2014 22:12:12 +0200
From:      Bartłomiej Rutkowski <r@robakdesign.com>
To:        marino@freebsd.org
Cc:        ports@robakdesign.com, freebsd-python@FreeBSD.org
Subject:   Re: ports/189666: devel/py-demjson: unfetchable due to rerolled tarball
Message-ID:  <C4008D82-1C3A-46E5-943E-1F1EB87CBB86@robakdesign.com>
In-Reply-To: <FD39A570-A261-45FA-B98D-A31E9316C9DD@robakdesign.com>
References:  <201405260846.s4Q8kUdC079970@freefall.freebsd.org> <C6C210C7-53CE-4185-8624-CE3737598A4F@robakdesign.com> <53839C13.4040405@marino.st> <FD39A570-A261-45FA-B98D-A31E9316C9DD@robakdesign.com>


Message written by Bartłomiej Rutkowski <r@robakdesign.com> on 26 May 2014, at 22:00:

>
> Message written by John Marino <freebsd.contact@marino.st> on 26 May 2014, at 21:54:
>
>> On 5/26/2014 21:36, Bartłomiej Rutkowski wrote:
>>> I've just mailed the upstream, explaining the situation and
>>> suggesting releasing such changes as minor version numbers, like
>>> 2.0.1 or something similar. We'll see what response, if any, I will
>>> receive, but for now, please, patch the port with the new distinfo you've
>>> proposed. If this happens again and we won't get any answer by that
>>> time, we'll consider hosting the distfiles or removing the port.
>>
>> Hi Bartek,
>> The issue is that I can't blindly update the distinfo.  Somebody (almost
>> always the maintainer) has to "diff" the original version and the new
>> version and evaluate exactly what changed and if it's malicious.
>>
>> I already got chewed out last week for not verifying this personally,
>> but I generally trust the maintainer if he/she said he did this.  Have
>> you actually looked inside the new tarball?
>>
>> Thanks,
>> John
>
> John,
>
> Actually, this hadn't crossed my mind, that the distfiles could not have been simply re-released due to malicious activity, and I only thought this was because of bad practice, so I haven't actually looked into the tarball, but instead only checked if it builds correctly on all supported system versions. I am well aware of the possible danger and consequences, but it just hadn't lit the red light in my head this time, sorry!
>
> The author already replied to me, and I am in the process of figuring out what's going on - I'll update you as soon as I know anything.
>
> Kind regards,
> Bartek Rutkowski

Like I said, the author already replied and is just as surprised as we are, and says there was only one release he knows about, and that the correct data for the distfile would be: 'size is 115914 with an md5 of 12cdd65d6b993afe8a36abd1838c2fae'.

Unfortunately, on my system I no longer have the distfile downloaded that we had as valid last time:

SHA256 (demjson-2.0.tar.gz) = f5bc34800a0eb8be81a296e08e44e279c47ce72a2e4bb648be6b8bea4939ab34
SIZE (demjson-2.0.tar.gz) = 193281

and when I 'make makesum' right now, I am getting this:

SHA256 (demjson-2.0.tar.gz) = 24f638daa0c28a9d44db2282d46ea3edfd4c7d11a656e38677b741620bf1483d
SIZE (demjson-2.0.tar.gz) = 115914

which perfectly matches what the author says it should be. I've asked him if he can check his release system and distfile providers to see if he can spot any changes, and if he can by any chance match our incorrect sum/size to anything around there.

Any chance you or anyone else have the 'bad' distfiles available on their system for inspection?

Kind regards,
Bartek Rutkowski
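An added check, not code from this thread or the ports tree, for the comparison the message walks through: parse the port's distinfo, recompute what 'make makesum' would record for the fetched bytes, and report SIZE and SHA256 mismatches so a rerolled tarball is flagged for inspection instead of being silently resummed. The recorded SHA256/SIZE values are the ones quoted above; the tarball bytes are a constructed stand-in.

```python
import hashlib
import re

# One distinfo line: "SHA256 (file) = hex" or "SIZE (file) = bytes".
DISTINFO_LINE = re.compile(r"^(?P<key>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Parse distinfo text into {distfile: {"SHA256": hex, "SIZE": int}}."""
    records = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue  # blank lines or entries in a format we do not track
        entry = records.setdefault(m["name"], {})
        entry[m["key"]] = int(m["value"]) if m["key"] == "SIZE" else m["value"].lower()
    return records


def makesum(data):
    """What 'make makesum' would record for these distfile bytes."""
    return {"SHA256": hashlib.sha256(data).hexdigest(), "SIZE": len(data)}


def verify_distfile(distinfo, name, data):
    """Compare fetched bytes against the recorded entry; [] means they match."""
    recorded = distinfo.get(name)
    if recorded is None:
        return [f"{name}: no distinfo entry"]
    actual = makesum(data)
    problems = []
    for key in ("SIZE", "SHA256"):  # size is the cheap first tell, as in the thread
        if key not in recorded:
            problems.append(f"{name}: distinfo lacks {key}")
        elif recorded[key] != actual[key]:
            problems.append(f"{name}: {key} recorded {recorded[key]}, fetched {actual[key]}")
    return problems

# The distinfo the port carried before the reroll (values quoted in the thread).
RECORDED = """\
SHA256 (demjson-2.0.tar.gz) = f5bc34800a0eb8be81a296e08e44e279c47ce72a2e4bb648be6b8bea4939ab34
SIZE (demjson-2.0.tar.gz) = 193281
"""
# Constructed stand-in for the re-uploaded tarball; real distfiles are far larger.
REROLLED = b"demjson-2.0 rerolled upstream tarball (constructed sample bytes)\n"

if __name__ == "__main__":
    for problem in verify_distfile(parse_distinfo(RECORDED), "demjson-2.0.tar.gz", REROLLED):
        print(problem)
```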