svn commit: r324901 - head/biology/tinker

John Marino freebsd.contact at marino.st
Mon Aug 19 06:30:21 UTC 2013


On 8/19/2013 00:34, Bryan Drewery wrote:
> On 8/18/2013 1:48 PM, John Marino wrote:
>> On 8/18/2013 14:55, Bryan Drewery wrote:
>>> On 8/18/2013 6:38 AM, John Marino wrote:
>>>> Author: marino
>>>> Date: Sun Aug 18 11:38:34 2013
>>>> New Revision: 324901
>>>> URL: http://svnweb.freebsd.org/changeset/ports/324901
>>>>
>>>> Log:
>>>>   biology/tinker: Regenerate distinfo to unbreak fetch
>>>>   
>>>>   Apparently the distfile was rerolled.  The sizes of the file are only a few
>>>>   bytes apart.  Since the master site never changed, it's reasonable just to
>>>>   regenerate the distinfo and bump the PORTREVISION.
>>>>   
>>>
>>> *exactly* what changed is needed to be known before we update the
>>> distinfo. Did you do a comparison between the two tarballs?
>>
>> As I mentioned in the commit message, I couldn't obtain the first
>> version.  I didn't have it in any cache.  Perhaps only the submitter of
>> the PR 180518 could have done this.
> 
> I read the message the first time and it's not a valid justification.
> The size could be the same (and different checksum) and have a backdoor.

It looks like I omitted explicitly stating that the original tarball
could not be located.  I thought I wrote that but I guess it was only
implied.


>> However, after committing, I realized I could have compared 6.2.06 with
>> the previous version 6.2.05 which I did have.  In any case, the tarball
>> is from the same master site and this port has been broken for more than 30
>> days.  Had the tarball been compromised, it very likely would have been
>> caught in such a long time.  So do we trust the site or not?
> 
> We trust nothing. Upstreams can be compromised for *years* and not be known.


Had the PR to update to 6.2.06 come just a few days later, the author
would have used the same tarball.  So it would have been the exact same
case as now.  The plist matches so any backdoor would have been likely
undetected as well.

However, I'll try to email somebody over there to confirm they rerolled
it, and try to get them to say why.

John
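The member-by-member tarball comparison the thread asks for, as an added example that is not part of this message or of the ports tree: it reports which files were added, removed or changed between two distfiles, so a rerolled tarball whose size is only a few bytes off can be judged on content rather than on distinfo alone. The two tarballs and their file names are constructed inline for illustration.

```python
"""Compare two distfile tarballs member by member; matching sizes prove nothing."""
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map every regular file in a tarball to its (size, sha256)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = (member.size, hashlib.sha256(data).hexdigest())
    return digests


def compare_tarballs(old_bytes, new_bytes):
    """Return the files added, removed and changed between two tarballs."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def make_tarball(files):
    """Build a gzip tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a reroll that keeps the file list (and so the plist)
# identical and the sizes nearly identical, but alters one source file.
ORIGINAL = make_tarball({
    "tinker/source/main.f": b"      program tinker\n      end\n",
    "tinker/README": b"TINKER 6.2.06\n",
})
REROLLED = make_tarball({
    "tinker/source/main.f": b"      program tinker\nc     typo fix\n      end\n",
    "tinker/README": b"TINKER 6.2.06\n",
})

if __name__ == "__main__":
    for kind, names in compare_tarballs(ORIGINAL, REROLLED).items():
        print(f"{kind}: {names}")
```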
