RFC: svn for make fetch

Peter Pentchev roam at ringlet.net
Tue Nov 10 22:39:31 UTC 2009

On Tue, Nov 10, 2009 at 06:12:40PM +0000, RW wrote:
> On Tue, 10 Nov 2009 12:32:28 +0200
> Peter Pentchev <roam at ringlet.net> wrote:
> > The Ports Collection's distfile checksums make sure that you get
> > exactly the same files *as the port maintainer examined at some
> > previous moment in time*.
> More importantly it guards against maliciously modified source code.
> Someone might break into a legitimate mirror or use dns poisoning to
> distribute malware.

That's the whole point :)  That's also why the maintainer is supposed to
examine the files before submitting (or committing) a port update -
to guard against source code that has been maliciously modified on
the master sites (or on fake master sites that the maintainer has been
redirected to).


Peter Pentchev	roam at ringlet.net    roam at space.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If wishes were fishes, the antecedent of this conditional would be true.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20091110/6e0b9c67/attachment.pgp

More information about the freebsd-ports mailing list