Date: Sun, 2 Apr 2023 12:49:30 -0400
From: Dan Langille <dan@langille.org>
To: Charlie Li <vishwin@freebsd.org>
Cc: User Questions <questions@freebsd.org>, "Gerard E. Seibert" <jerry@seibercom.net>
Subject: Re: Security Run Output
Message-ID: <89fee8ce-45db-8224-f3ba-f754caf132cd@langille.org>
In-Reply-To: <d0958b1c-1b74-8b63-2acf-8ee63120ccc1@freebsd.org>
References: <20230326081128.00005b98@seibercom.net> <d0958b1c-1b74-8b63-2acf-8ee63120ccc1@freebsd.org>
Charlie Li wrote on 3/26/23 5:48 PM:
> Gerard E. Seibert wrote:
>> For quite some time now, I have been receiving a warning message of
>> 1025 packages with mismatched checksums in the daily "Security Run
>> Output" email. They are all prefixed with "py39-"
>>
> Because Python packages that build using the older method of directly
> executing setup.py, aka distutils, have not yet been switched to not
> compile bytecode during the build. The trigger to compile/remove
> bytecode after all pkg(8) transactions complete had been reverted due
> to an overreaction and opportunity to make the process more resilient.
> These particular checksum mismatches are completely harmless.

I don't wish to debate 'completely harmless'. I will state it was not
without causing concern among users who use the `pkg check` data.

I am happy to hear that it has been reverted. I can confirm that after
a few `pkg upgrade`s and `pkg install -f`s, the false positives have
gone away.

Alert fatigue is a valid concern. Reverting the change was the right
thing to do.

Here's hoping that tomorrow's Security Run Output is clean.

-- 
Dan Langille - dan@langille.org
https://langille.org/
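The thread's practical point is that `pkg check` mismatches caused by regenerated Python bytecode are noise, while mismatches in anything else are exactly what the daily Security Run Output exists to surface. The script below is an added example, not part of this thread or of pkg(8); it triages checksum-mismatch lines so the bytecode cases can be counted separately instead of drowning out a real change to a binary. It assumes the line shape `<pkgname>: checksum mismatch for <path>` (modelled on pkg(8) output, not copied from it) and that regenerated bytecode lives under `__pycache__` as `.pyc`/`.pyo` files; the sample lines and package versions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from pkg(8): split `pkg check -s`
# checksum-mismatch lines into regenerated-bytecode noise and everything else.
# Assumed line format (modelled on pkg(8), not copied from it):
#   <pkgname>: checksum mismatch for <path>

# Regex for a compiled-bytecode file; such files are rewritten after install
# when bytecode is (re)compiled, which is the cause the thread describes.
BYTECODE_RE='/__pycache__/[^/]+\.(pyc|pyo)$'

# Print only mismatch lines whose path is NOT a bytecode file; these are the
# ones that still deserve a look (a changed binary, config, or script).
# Usage: pkg check -sa 2>&1 | triage_pkg_check
triage_pkg_check() {
    grep 'checksum mismatch for ' | grep -v -E "$BYTECODE_RE" || true
}

# Count the bytecode-only mismatches so the summary can say how much of the
# alert volume is explained by recompilation alone.
count_bytecode_mismatches() {
    grep -c -E "checksum mismatch for .*$BYTECODE_RE" || true
}

# Constructed sample of what the daily report might contain: two py39-
# bytecode mismatches plus one unrelated mismatch in a setuid binary.
SAMPLE_OUTPUT='py39-setuptools-63.1.0: checksum mismatch for /usr/local/lib/python3.9/site-packages/setuptools/__pycache__/__init__.cpython-39.pyc
py39-six-1.16.0: checksum mismatch for /usr/local/lib/python3.9/site-packages/__pycache__/six.cpython-39.pyc
sudo-1.9.13p3: checksum mismatch for /usr/local/bin/sudo'

# Demonstration on the constructed sample.
bytecode_count=$(printf '%s\n' "$SAMPLE_OUTPUT" | count_bytecode_mismatches)
echo "bytecode-only mismatches (explained by recompilation): $bytecode_count"
echo "mismatches that need review:"
printf '%s\n' "$SAMPLE_OUTPUT" | triage_pkg_check
```

On a live system replace the constructed sample with `pkg check -sa 2>&1`. A cleaner long-term fix, as the thread notes, is for the ports not to ship bytecode that gets rewritten after install, so that `pkg check` has nothing to flag; until then, a review list that excludes only `__pycache__` entries keeps a genuinely modified file from hiding among a thousand harmless ones.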