cvs commit: ports/sysutils/smartmontools distinfo

Doug Barton dougb at FreeBSD.org
Mon Oct 24 01:50:42 UTC 2011


On 10/23/2011 18:44, Eitan Adler wrote:
> 2011/10/23 Alexey Dokuchaev <danfe at freebsd.org>:
>> That's nice to know, but our bylaws require manual verification of the
>> contents of two distfiles when they change with no apparent reason (that is,
>> version stays the same) and presenting results in the commit log.
> 
> I checked the GPG signature of the file I downloaded. I was made aware
> that I should have included some indication of such in the commit log
> and will do so in the future.
> 
>> It (not doing so) had bitten us before, AFAIR.
> 
> As a security researcher who has found issues before in various open
> source projects, I fully understand the concern.

All that is great, but IMO still inadequate.

If the original 5.42 distfile is not available (and hopefully the
maintainer has it?), then comparing the new 5.42 to 5.41 would be a good
next step.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
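
Added example, not part of the original message or the ports tree: one way to do the content comparison discussed above, reporting which files differ between two tarballs while ignoring timestamps and the top-level directory name (so it also works across versions such as 5.41 and 5.42). The archive contents, file names and function names below are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes, strip=1):
    """Map member path (first `strip` components dropped) -> (type, mode, digest)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            path = "/".join(m.name.split("/")[strip:])
            if not path:
                continue  # the top-level directory entry itself
            digest = None
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            elif m.issym() or m.islnk():
                digest = "-> " + m.linkname  # a retargeted link counts as a change
            out[path] = (m.type, m.mode, digest)
    return out


def compare(old_bytes, new_bytes, strip=1):
    """Return added/removed/changed paths; mtime and ownership are ignored."""
    old, new = manifest(old_bytes, strip), manifest(new_bytes, strip)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def make_tarball(top, files, mtime):
    """Build a constructed .tar.gz in memory (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a reroll with new timestamps only, and one with real changes.
BASE = {"README": b"docs\n", "src/main.c": b"int main(void){return 0;}\n"}
ORIGINAL = make_tarball("pkg-1.0", BASE, mtime=1000)
REPACKED = make_tarball("pkg-1.0", BASE, mtime=2000)
ALTERED = make_tarball("pkg-1.0", {**BASE, "src/main.c": b"int main(void){return 1;}\n",
                                   "configure": b"#!/bin/sh\n"}, mtime=2000)

if __name__ == "__main__":
    print(compare(ORIGINAL, REPACKED))  # checksum differs, contents do not
    print(compare(ORIGINAL, ALTERED))   # these paths need a line-by-line review
```

An empty report means the checksum change came from repackaging alone; any listed path is what to diff by hand and summarize in the commit log.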



More information about the cvs-ports mailing list