cvs commit: ports/devel/tmake Makefile distinfo
Kris Kennaway
kris at obsecurity.org
Tue Feb 17 14:10:12 PST 2004
On Tue, Feb 17, 2004 at 02:20:46PM +0100, Michael Nottebrock wrote:
> On Tuesday 17 February 2004 14:09, Dag-Erling Sm?rgrav wrote:
> > Michael Nottebrock <michaelnottebrock at gmx.net> writes:
> > > On Tuesday 17 February 2004 13:49, Kris Kennaway wrote:
> > > > On Mon, Feb 09, 2004 at 02:07:32PM -0800, Kris Kennaway wrote:
> > > > > On Mon, Feb 09, 2004 at 05:36:08AM -0800, Michael Nottebrock wrote:
> > > > > > Log:
> > > > > > Fix distinfo, SIZEify.
> > > > >
> > > > > You forgot to summarize what changed.
> > > >
> > > > I didn't see a followup to this.
> > >
> > > I have no idea what you expect me to write.
> >
> > When the checksum of a distfile changes, there is a considerable risk
> > that someone may have trojaned the distfile. As a port maintainer,
> > you are exptected to verify that this is not the case before updating
> > the checksum in distinfo. You are also expected to summarize the
> > reason for the changed checksum in the commit message so that The Rest
> > Of Us[tm] can rest assured that you have indeed verified that the
> > distfile was not trojaned.
>
> I didn't know that I was supposed to perform a security audit and I did not do
> so.
Perhaps it's time for you to re-read the porter's handbook and
committer's guide to refresh your memory? This is stated there quite
explicitly.
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20040217/b97d1f9b/attachment.bin
More information about the cvs-all
mailing list