Perl master site changed to tobez.org?

Anton Berezin tobez at freebsd.org
Thu Jul 14 11:13:36 GMT 2005


Michael,

Sorry I did not reply earlier, I was on vacation.

On Wed, Jun 29, 2005 at 05:37:16PM -0400, Michael Scheidell wrote:
> Tobez: no disrespect intended, obviously you saw a problem with the
> master sites for perl 5.8.7 and did what you could to help, and with
> your position as a maintainer, I know that the trust we have in you and
> your patches is well earned, so don't take this question as anything but
> my well-earned paranoia rearing its ugly head:
> 
> Yes, building perl5.8.7 did seem like it had a lot of problems with the
> master_sites which is why I went to the freebsd ports cvs tree and
> looked to see if they fixed it, however, I believe it would be prudent
> for me to ask:
> 
> How safe is your site?
> And, yes, in some of my build scripts I pull the distfiles from our
> local system due to some issues with some of the sites, however, how
> safe is tobez.org from hacking?  
> (ok, so, how safe is OUR site from hacking) or anyone's for that matter,
> so please don't take this as a challenge.  I have enough to do not to
> have to go rebuilding our servers.

I think you are missing several things here:

  1. The ":local" suffix there represents an example of the use of the
  existing support for master site groups.  In particular, only BSDPAN
  and the defined-or patch can in principle be stored there, not the
  perl tarball itself.

  2. Unless you use master sites randomization, tobez.org will be the
  last place to go for the files in question.

  3. Most importantly, if you do not trust existing md5 and size
  distinfo checks, you probably should not use the ports collection at
  all.

I hope this addresses your concerns,

Cheers,
\Anton.
-- 
The moronity of the universe is a monotonically increasing function. --
Jarkko Hietaniemi
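
The md5 and size check from point 3, as an added example that is not part of the original message or of the ports framework: a fetched file is accepted only if it matches the recorded size and MD5, whichever master site served it. The `MD5 (file) = ...` / `SIZE (file) = ...` line layout, the file name `example.patch`, and all sample bytes are assumptions constructed for illustration; MD5 appears only because it is the checksum the message names.

```python
import hashlib
import re

# Assumed distinfo line layout:
#   MD5 (name) = <32 hex digits>
#   SIZE (name) = <byte count>
LINE_RE = re.compile(r"^(MD5|SIZE) \((.+)\) = ([0-9A-Fa-f]+)$")


def parse_distinfo(text):
    """Return {filename: {"MD5": hexdigest, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore comments and unknown record types
        kind, name, value = m.groups()
        if kind == "SIZE":
            if not value.isdigit():
                continue  # malformed size, treat the record as absent
            entries.setdefault(name, {})["SIZE"] = int(value)
        else:
            entries.setdefault(name, {})["MD5"] = value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Check fetched bytes against the recorded size and MD5.

    Returns (ok, reason). The check never looks at where the bytes came
    from, so a mirror can only deliver the recorded content or be rejected.
    """
    rec = entries.get(name)
    if rec is None or "MD5" not in rec or "SIZE" not in rec:
        return False, "no complete distinfo record"
    if len(data) != rec["SIZE"]:
        return False, "size mismatch"
    if hashlib.md5(data).hexdigest() != rec["MD5"]:
        return False, "MD5 mismatch"
    return True, "ok"


# Constructed sample: the distinfo a port would ship, built from known-good bytes.
GOOD = b"constructed distfile contents\n"
DISTINFO = "MD5 (example.patch) = %s\nSIZE (example.patch) = %d\n" % (
    hashlib.md5(GOOD).hexdigest(), len(GOOD))
```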