RFC: svn for make fetch

Peter Pentchev roam at ringlet.net
Tue Nov 10 22:39:31 UTC 2009


On Tue, Nov 10, 2009 at 06:12:40PM +0000, RW wrote:
> On Tue, 10 Nov 2009 12:32:28 +0200
> Peter Pentchev <roam at ringlet.net> wrote:
> 
> 
> > The Ports Collection's distfile checksums make sure that you get
> > exactly the same files *as the port maintainer examined at some
> > previous moment in time*.
> 
> More importantly it guards against maliciously modified source code.
> Someone might break into a legitimate mirror or use dns poisoning to
> distribute malware.

That's the whole point :)  That's also why the maintainer is supposed to
examine the files before submitting (or committing) a port update -
to guard against source code that has been maliciously modified on
the master sites (or on fake master sites that the maintainer has been
redirected to).

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at space.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
If wishes were fishes, the antecedent of this conditional would be true.
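The check the thread is talking about, as an added example that is not part of the original post or of the Ports Collection's own code: a small Python verifier that reads a distinfo-style record (the `SHA256 (file) = ...` and `SIZE (file) = ...` lines that `make makesum` writes and `make checksum` enforces) and rejects a distfile whose bytes differ from what the maintainer recorded. The distfile contents, the port name `foo-1.0.tar.gz` and the tampered variants are all constructed for this example, and the distinfo record is generated from the "genuine" bytes to stand in for what the maintainer committed.

```python
import hashlib
import hmac
import re

# Constructed sample: the bytes the port maintainer examined and recorded in distinfo.
GENUINE_DISTFILE = b"#!/bin/sh\necho hello from foo-1.0\n"
# Constructed sample: the same file after modification on a compromised mirror
# (different length, so SIZE and SHA256 both disagree).
TAMPERED_DISTFILE = b"#!/bin/sh\necho hello from foo-1.0 # modified\n"
# Constructed sample: a same-length modification, which only the hash can catch.
TAMPERED_SAME_SIZE = GENUINE_DISTFILE.replace(b"1.0", b"1.1")
DISTFILE_NAME = "foo-1.0.tar.gz"  # hypothetical port distfile name

def make_distinfo(name: str, data: bytes, timestamp: int = 1257890000) -> str:
    """Produce a distinfo-style record (TIMESTAMP, SHA256 and SIZE lines) for one distfile.
    This simulates what the maintainer commits after examining the file."""
    return (f"TIMESTAMP = {timestamp}\n"
            f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
            f"SIZE ({name}) = {len(data)}\n")

# Matches "SHA256 (file) = hex" and "SIZE (file) = n"; TIMESTAMP lines are skipped.
_LINE = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text: str) -> dict:
    """Map each distfile name to its recorded {'SHA256': hex, 'SIZE': decimal-string}."""
    entries: dict = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.setdefault(m.group("name"), {})[m.group("kind")] = m.group("value")
    return entries

def verify_distfile(distinfo_text: str, name: str, data: bytes):
    """Return (ok, problems). ok is True only when the file is listed in distinfo
    and both the recorded size and SHA256 match the bytes actually fetched."""
    entries = parse_distinfo(distinfo_text)
    if name not in entries:
        return False, [f"{name}: no entry in distinfo"]
    expected = entries[name]
    problems = []
    if "SIZE" in expected and int(expected["SIZE"]) != len(data):
        problems.append(f"{name}: size mismatch (expected {expected['SIZE']}, got {len(data)})")
    if "SHA256" not in expected:
        problems.append(f"{name}: no SHA256 recorded in distinfo")
    else:
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest avoids leaking where the two hex strings first differ.
        if not hmac.compare_digest(actual, expected["SHA256"]):
            problems.append(f"{name}: SHA256 mismatch (expected {expected['SHA256']}, got {actual})")
    return (not problems), problems

if __name__ == "__main__":
    distinfo = make_distinfo(DISTFILE_NAME, GENUINE_DISTFILE)
    print(distinfo)
    for label, data in (("genuine", GENUINE_DISTFILE),
                        ("tampered", TAMPERED_DISTFILE),
                        ("tampered, same size", TAMPERED_SAME_SIZE)):
        ok, problems = verify_distfile(distinfo, DISTFILE_NAME, data)
        print(f"{label:20s} -> {'OK' if ok else 'REJECT'}", *problems)
```

Running it shows the genuine bytes pass, the longer modified file fails on both SIZE and SHA256, and the same-length modification fails on SHA256 alone, which is why the size line is only a cheap pre-check and the hash is what actually ties the fetched file to the one the maintainer examined.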