svn commit: r337624 - head/games/daimonin-music

John Marino freebsd.contact at marino.st
Thu Jan 23 22:16:11 UTC 2014


On 1/23/2014 23:09, Eitan Adler wrote:
> On Thu, Dec 26, 2013 at 5:48 PM, Baptiste Daroussin <bapt at freebsd.org> wrote:
>> On Thu, Dec 26, 2013 at 11:41:08PM +0100, John Marino wrote:
>>> On 12/26/2013 23:37, Baptiste Daroussin wrote:
>>>> On Thu, Dec 26, 2013 at 10:15:01PM +0000, John Marino wrote:
>>>>> Author: marino
>>>>> Date: Thu Dec 26 22:15:01 2013
>>>>> New Revision: 337624
>>>>> URL: http://svnweb.freebsd.org/changeset/ports/337624
>>>>>
>>>> The port itself is still wrong, NO_CHECKSUM is still being used, while
>>>> bsd.port.mk specifically says it is not to be used inside a port, so this should
>>>> either be fixed or the port should remain broken.
>>>>
>>>
>>> I saw later this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=170052
>>>
>>> It is taken by eadler at .  The patch itself is no longer good but at least
>>> there was some attempt to fix it.  I did not know NO_CHECKSUM was
>>> internal use only.  It built fine in poudriere, which is where I tested
>>> it.  Is eadler going to follow up?  Or at least release the PR?
>>>
>>> John
>>
>> eadler is afk for a moment, just take the pr ;)
>> if he complains tell him that's my fault
> 
> late reply!
> 
> PRs should never be considered hard locks.
> 
> I was looking into a solution that would ensure security but also not
> generate regular work for the maintainer.  Mere data files *could*
> cause security issues if not validated for example if maliciously
> altered to cause the program to crash or run arbitrary code.

If I remember correctly, the entire concept was flawed.  The original
maintainer recognized that the distfile could get rerolled.  He was
setting up a method where the port would not break if/when it was rerolled.

Obviously that's absurd and opens the door wide open for attack.  The
solution was to generate distinfo and just let a reroll temporarily
break the port.  Incidentally, it was not rerolled in the last couple of
years.

John
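The distinfo check John describes (a recorded SHA256 and SIZE per distfile, so a rerolled tarball fails the fetch instead of being silently accepted) as an added example in Python; this is not code from the ports tree or from anyone in this thread, and the distfile name and contents are constructed for the demonstration.

```python
import hashlib
import re
from typing import Dict, Tuple

# A FreeBSD distinfo file carries two record kinds per distfile:
#   SHA256 (distfile) = <hex digest>
#   SIZE (distfile) = <byte count>
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile: {"SHA256": hex, "SIZE": str}} from distinfo text.
    Lines that are not SHA256/SIZE records are ignored."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        records.setdefault(m.group("name"), {})[m.group(1)] = m.group("value")
    return records


def verify_distfile(name: str, data: bytes,
                    distinfo: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Accept data only if both SIZE and SHA256 match the distinfo record.
    A missing or partial record is a failure, not a pass (the NO_CHECKSUM trap)."""
    rec = distinfo.get(name)
    if rec is None or "SHA256" not in rec or "SIZE" not in rec:
        return False, "no complete distinfo record for %s" % name
    if len(data) != int(rec["SIZE"]):
        return False, "size mismatch: expected %s got %d" % (rec["SIZE"], len(data))
    digest = hashlib.sha256(data).hexdigest()
    if digest != rec["SHA256"].lower():
        return False, "sha256 mismatch (distfile rerolled or tampered?)"
    return True, "ok"


# Constructed sample: a fake distfile and the distinfo generated from it.
ORIGINAL = b"fake tarball contents v1\n"
DISTINFO_TEXT = "SHA256 (example-1.0.tar.gz) = %s\nSIZE (example-1.0.tar.gz) = %d\n" % (
    hashlib.sha256(ORIGINAL).hexdigest(), len(ORIGINAL))
# A "reroll" with the same size but different bytes: SIZE alone would miss it.
REROLLED = b"fake tarball contents v2\n"

if __name__ == "__main__":
    info = parse_distinfo(DISTINFO_TEXT)
    print(verify_distfile("example-1.0.tar.gz", ORIGINAL, info))
    print(verify_distfile("example-1.0.tar.gz", REROLLED, info))
```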
