Date:      Sun, 2 Apr 2023 12:49:30 -0400
From:      Dan Langille <dan@langille.org>
To:        Charlie Li <vishwin@freebsd.org>
Cc:        User Questions <questions@freebsd.org>, "Gerard E. Seibert" <jerry@seibercom.net>
Subject:   Re: Security Run Output
Message-ID:  <89fee8ce-45db-8224-f3ba-f754caf132cd@langille.org>
In-Reply-To: <d0958b1c-1b74-8b63-2acf-8ee63120ccc1@freebsd.org>
References:  <20230326081128.00005b98@seibercom.net> <d0958b1c-1b74-8b63-2acf-8ee63120ccc1@freebsd.org>

Charlie Li wrote on 3/26/23 5:48 PM:
> Gerard E. Seibert wrote:
>> For quite some time now, I have been receiving a warning message of
>> 1025 packages with mismatched checksums in the daily "Security Run
>> Output" email. They are all prefixed with "py39-"
>>
> Because Python packages that build using the older method of directly 
> executing setup.py, aka distutils, have not yet been switched to not 
> compile bytecode during the build. The trigger to compile/remove 
> bytecode after all pkg(8) transactions complete had been reverted due 
> to an overreaction and opportunity to make the process more resilient. 
> These particular checksum mismatches are completely harmless.
I don't wish to debate 'completely harmless'. I will state it was not 
without causing concern among users who use the `pkg check` data.

I am happy to hear that it has been reverted. I can confirm that after a 
few `pkg upgrade`s and `pkg install -f`s, the false positives have gone 
away.

Alert fatigue is a valid concern.  Reverting the change was the right 
thing to do.

Here's hoping that tomorrow's Security Run Output is clean.

-- 
Dan Langille - dan@langille.org
https://langille.org/
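Charlie's explanation above reduces to a triage question for anyone reading `pkg check` output: a mismatched `.pyc` under `__pycache__` that a post-install trigger regenerated is noise, while a mismatched `.py` file or binary is a real change that must not be hidden behind that noise. The Python script below is an added example, not code from this thread or from FreeBSD's pkg(8). It builds a constructed sample install tree and a manifest of path to SHA-256 in a temporary directory (the paths and file contents are made up), then classifies mismatches so bytecode churn can be reviewed separately from genuine modifications rather than suppressed wholesale.

```python
"""Triage checksum mismatches: regenerated Python bytecode vs. real file changes.

Added example (not pkg(8) code). The manifest format here is a plain
{relative_path: sha256} dict, an assumption for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_bytecode(relpath):
    """True for compiled Python bytecode, which build/install hooks may rewrite."""
    p = Path(relpath)
    return p.suffix == ".pyc" or "__pycache__" in p.parts


def triage(root, manifest):
    """Compare files under root against manifest {relpath: sha256}.

    Returns a dict with four sorted lists: 'ok', 'bytecode_mismatch'
    (likely harmless regeneration), 'source_mismatch' (needs a human
    look), and 'missing'.
    """
    result = {"ok": [], "bytecode_mismatch": [], "source_mismatch": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = Path(root) / rel
        if not full.is_file():
            result["missing"].append(rel)
        elif sha256_of(full) == expected:
            result["ok"].append(rel)
        elif is_bytecode(rel):
            result["bytecode_mismatch"].append(rel)
        else:
            result["source_mismatch"].append(rel)
    return result


def build_demo():
    """Create a constructed install tree and its manifest, then mutate two files:
    one .pyc (simulating bytecode regeneration) and one .py (a real change)."""
    root = tempfile.mkdtemp(prefix="pkgcheck-demo-")
    pkg_dir = "lib/python3.9/site-packages/foo"
    files = {
        f"{pkg_dir}/__init__.py": b"VERSION = '1.0'\n",
        f"{pkg_dir}/__pycache__/__init__.cpython-39.pyc": b"original-bytecode",
        f"{pkg_dir}/util.py": b"def f():\n    return 1\n",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    manifest = {rel: sha256_of(Path(root) / rel) for rel in files}

    # Simulate a post-install trigger rewriting bytecode: harmless, but it
    # changes the checksum recorded at package build time.
    (Path(root) / f"{pkg_dir}/__pycache__/__init__.cpython-39.pyc").write_bytes(
        b"regenerated-bytecode"
    )
    # Simulate a genuine modification to a source file: must still be reported.
    (Path(root) / f"{pkg_dir}/util.py").write_bytes(b"def f():\n    return 2\n")
    return root, manifest


def demo():
    """Run the triage over the constructed tree and return the classification."""
    root, manifest = build_demo()
    return triage(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Separating the two classes of mismatch is the point: the bytecode list can be reviewed in bulk or correlated with the install that regenerated it, while anything in `source_mismatch` or `missing` keeps the visibility a daily security report is supposed to provide.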

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?89fee8ce-45db-8224-f3ba-f754caf132cd>