ports/189666: devel/py-demjson: unfetchable due to rerolled tarball

Bartłomiej Rutkowski r at robakdesign.com
Mon May 26 20:12:22 UTC 2014


Message written by Bartłomiej Rutkowski <r at robakdesign.com> on 26 May 2014, at 22:00:

> 
> Message written by John Marino <freebsd.contact at marino.st> on 26 May 2014, at 21:54:
> 
>> On 5/26/2014 21:36, Bartłomiej Rutkowski wrote:
>>> I've just mailed the upstream, explaining the situation and
>>> suggesting releasing such changes as minor version numbers, like
>>> 2.0.1 or something similar. We'll see what response, if any, I
>>> receive, but for now, please, patch the port with the new distinfo you've
>>> proposed. If this happens again and we won't have got any answer by that
>>> time, we'll consider hosting the distfiles or removing the port.
>> 
>> Hi Bartek,
>> The issue is that I can't blindly update the distinfo.  Somebody (almost
>> always the maintainer) has to "diff" the original version and the new
>> version and evaluate exactly what changed and if it's malicious.
>> 
>> I already got chewed out last week for not verifying this personally,
>> but I generally trust the maintainer if he/she said he did this.  Have
>> you actually looked inside the new tarball?
>> 
>> Thanks,
>> John
> 
> John,
> 
> Actually, it hadn't crossed my mind that the distfiles could have been re-released due to malicious activity; I only thought this was because of bad practice, so I haven't actually looked into the tarball, but instead only checked that it builds correctly on all supported system versions. I am well aware of the possible danger and consequences, but it just didn't light the red light in my head this time, sorry!
> 
> The author already replied to me, and I am in the process of figuring out what's going on - I'll update you as soon as I know anything.
> 
> Kind regards,
> Bartek Rutkowski

Like I said, the author already replied and is just as surprised as we are, and says there was only one release he knows about, and that the correct data for the distfile would be: 'size is 115914 with an md5 of 12cdd65d6b993afe8a36abd1838c2fae'.

Unfortunately, on my system I no longer have the distfile downloaded that we had as valid last time:

SHA256 (demjson-2.0.tar.gz) = f5bc34800a0eb8be81a296e08e44e279c47ce72a2e4bb648be6b8bea4939ab34
SIZE (demjson-2.0.tar.gz) = 193281

and when I 'make makesum' right now, I am getting this:

SHA256 (demjson-2.0.tar.gz) = 24f638daa0c28a9d44db2282d46ea3edfd4c7d11a656e38677b741620bf1483d
SIZE (demjson-2.0.tar.gz) = 115914

which perfectly matches what the author says it should be. I've asked him if he can check his release system and distfile providers to see if he can spot any changes, and if he can by any chance match our incorrect sum/size to anything around there.

Any chance you or anyone else has the 'bad' distfiles available on their system for inspection?

Kind regards,
Bartek Rutkowski
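The two checks discussed in this thread, verifying a fetched distfile against the distinfo SIZE/SHA256 lines and diffing the old tarball against the rerolled one before accepting a new distinfo, as an added example that is not part of the thread or the ports tree. The tarballs and the distinfo it checks against are constructed in memory, standing in for the real demjson-2.0.tar.gz files that are no longer at hand.

```python
import hashlib
import io
import tarfile

def parse_distinfo(text):
    """Parse FreeBSD distinfo ('SHA256 (f) = h', 'SIZE (f) = n') into {file: {key: value}}."""
    entries = {}
    for line in text.splitlines():
        if " (" not in line:          # skip blanks and the TIMESTAMP line
            continue
        key, rest = line.strip().split(" (", 1)
        name, value = rest.split(") = ", 1)
        entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value
    return entries

def check_distfile(name, data, distinfo):
    """Compare a fetched distfile's SIZE and SHA256 against distinfo; return a status string."""
    expected = distinfo.get(name)
    if expected is None:
        return "unknown distfile"
    if len(data) != expected["SIZE"]:
        return "size mismatch"      # a rerolled tarball normally shows up here first
    if hashlib.sha256(data).hexdigest() != expected["SHA256"]:
        return "checksum mismatch"  # same size, different bytes
    return "ok"

def make_tgz(files):
    """Build a .tar.gz in memory from {path: bytes} (constructed stand-in for a distfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def diff_tarballs(old, new):
    """List paths added, removed or modified between two tarballs, by per-file SHA256."""
    def digests(data):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                    for m in tar.getmembers() if m.isfile()}
    a, b = digests(old), digests(new)
    return {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
            "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p])}

# Constructed sample: the tarball the distinfo was generated from, and a rerolled one.
GOOD = make_tgz({"demjson-2.0/demjson.py": b"# library\n", "demjson-2.0/setup.py": b"setup()\n"})
REROLLED = make_tgz({"demjson-2.0/demjson.py": b"# library\n", "demjson-2.0/extra.py": b"pass\n",
                     "demjson-2.0/setup.py": b"setup()\nimport os\n"})
DISTINFO = parse_distinfo(f"SHA256 (demjson-2.0.tar.gz) = {hashlib.sha256(GOOD).hexdigest()}\n"
                          f"SIZE (demjson-2.0.tar.gz) = {len(GOOD)}\n")
```

Running `diff_tarballs` on the two archives reports the modified setup.py and the added file, which is the evidence a maintainer needs before blindly regenerating distinfo with `make makesum`.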

