From owner-freebsd-ports Tue May 21 22:30:50 2002 Delivered-To: freebsd-ports@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 1299F37B408; Tue, 21 May 2002 22:30:42 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id g4M5UeC29201; Tue, 21 May 2002 23:30:40 -0600 (MDT) (envelope-from imp@village.org) Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id g4M5UcN34541; Tue, 21 May 2002 23:30:38 -0600 (MDT) (envelope-from imp@village.org) Date: Tue, 21 May 2002 23:30:26 -0600 (MDT) Message-Id: <20020521.233026.111454472.imp@village.org> To: ache@nagual.pp.ru Cc: bts@babbleon.org, kris@obsecurity.org, ports@FreeBSD.ORG, portmgr@FreeBSD.ORG, core@FreeBSD.ORG Subject: Re: My position on commiters guide 10.4.4 From: "M. Warner Losh" In-Reply-To: <20020522050301.GA93570@nagual.pp.ru> References: <20020522041150.GA92851@nagual.pp.ru> <20020522044853.92549BB29@i8k.babbleon.org> <20020522050301.GA93570@nagual.pp.ru> X-Mailer: Mew version 2.1 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message: <20020522050301.GA93570@nagual.pp.ru> "Andrey A. Chernov" writes: : On Wed, May 22, 2002 at 00:48:52 -0400, Brian T.Schellenberger wrote: : : > Really, ports that change without version number changes are a real pain to : > deal with, and a new port should be rolled up for them only if there is a : > very good reason (which the porter understands), which is all this rule seems : > to be saying. : : I want to especially note that when version number IS CHANGED, we exact in : the same situation, i.e. from security perspective all things from 10.4.4 : must be done, like complete diff, description of all changes, etc. I found : not logical to enforce that requirement when version number is not changed : and forget it when it is changed. Do the version number change bring any : safety? Of course not, hacker can just upload new version with changed : number. Actually, the historical risk of trojan distributions is much higher for the same version. The reason that a hacker would prefer that to a new version is that a new version is more likely to noticed than silently replacing an old version. There have been several incidents of this type. It is these sorts of incidents that caused the rules to be put into place. Ache's suggestion of not updating the port at all is a failsafe (from a security point of view) way of dealing with the problem that also addresses the security concerns. If there's a real reason to update the port, then running a diff between the two versions shouldn't be a huge deal. You'll need to fetch the new version of the tar.gz file anyway (and should have the old one from before). An alternative way of dealing with this might be to contact the author of the port that did the update to confirm that there was a new version created by him and that it was legit. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message