From owner-freebsd-ports Tue May 21 22:43: 0 2002
Delivered-To: freebsd-ports@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 8D5A437B401; Tue, 21 May 2002 22:42:52 -0700 (PDT)
Received: from pobrecita.freebsd.ru (ache@localhost [127.0.0.1]) by nagual.pp.ru (8.12.3/8.12.3) with ESMTP id g4M5geoQ094048; Wed, 22 May 2002 09:42:47 +0400 (MSD) (envelope-from ache@pobrecita.freebsd.ru)
Received: (from ache@localhost) by pobrecita.freebsd.ru (8.12.3/8.12.3/Submit) id g4M5gb6I094047; Wed, 22 May 2002 09:42:38 +0400 (MSD)
Date: Wed, 22 May 2002 09:42:36 +0400
From: "Andrey A. Chernov"
To: "M. Warner Losh"
Cc: bts@babbleon.org, kris@obsecurity.org, ports@FreeBSD.ORG, portmgr@FreeBSD.ORG, core@FreeBSD.ORG
Subject: Re: My position on committers guide 10.4.4
Message-ID: <20020522054234.GB93907@nagual.pp.ru>
References: <20020522041150.GA92851@nagual.pp.ru> <20020522044853.92549BB29@i8k.babbleon.org> <20020522050301.GA93570@nagual.pp.ru> <20020521.233026.111454472.imp@village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020521.233026.111454472.imp@village.org>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID: <ports.FreeBSD.ORG>
X-Loop: FreeBSD.org

On Tue, May 21, 2002 at 23:30:26 -0600, M. Warner Losh wrote:
>
> Actually, the historical risk of trojan distributions is much higher
> for the same version. The reason that a hacker would prefer that to a
> new version is that a new version is more likely to be noticed than
> silently replacing an old version. There have been several incidents
> of this type. It is these sorts of incidents that caused the rules to
> be put into place.

I know about such facts, but do you have any real statistics comparing
these two variants? When a version with a _new_ number appears, many
more people will want to download/install it than the old version,
which many of them already have.

> addresses the security concerns. If there's a real reason to update
> the port, then running a diff between the two versions shouldn't be a
> huge deal. You'll need to fetch the new version of the tar.gz file

It depends very much on the port size / number of files. Consider a
huge port like XFree86. Or do we apply 10.4.4 to small ports only?

> An alternative way of dealing with this might be to contact the author
> of the port that did the update to confirm that there was a new
> version created by him and that it was legit.

Have you tried it, e.g., a few times? It is not as easy as it sounds.
Developers tend to ignore even some functionality patches, let alone
purist non-functional requests to update the version number.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
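The check both sides of the thread are arguing about, a re-rolled distfile that keeps the old version number and the "diff between the two versions" that is supposed to catch it, as an added example that is not part of the thread or of the FreeBSD ports tree. It is a plain sh script: it records the SHA-256 of the original tarball (what a port's distinfo would hold), verifies a second tarball that claims the same version against it, and on a mismatch extracts both and lists which files changed. The two tarballs, the `foo-1.0` tree inside them and the injected line are constructed in the script itself, so it runs offline; it assumes tar, gzip, diff and either sha256sum (Linux) or sha256 (FreeBSD) are on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the check a committer would run when a
# distfile is re-rolled under the SAME version number. Two things are checked:
#   1. does the new file still match the checksum recorded for that version
#      (what the port's distinfo would hold), and
#   2. if not, which files inside the tarball actually changed.
# Assumes tar, gzip, diff and sha256sum (Linux) or sha256 (FreeBSD).
# Both tarballs are constructed here so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the SHA-256 of a file, portable across Linux and FreeBSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_dist OUT.tar.gz EXTRA_LINE: build a small constructed "foo-1.0" source
# tree and pack it. A non-empty EXTRA_LINE is appended to configure, standing
# in for a line silently slipped into a re-rolled distfile.
make_dist() {
    d="$WORK/build-$(basename "$1" .tar.gz)"
    mkdir -p "$d/foo-1.0"
    printf '#!/bin/sh\necho configuring\n' > "$d/foo-1.0/configure"
    printf 'int main(void) { return 0; }\n' > "$d/foo-1.0/main.c"
    if [ -n "$2" ]; then
        printf '%s\n' "$2" >> "$d/foo-1.0/configure"
    fi
    (cd "$d" && tar -czf "$1" foo-1.0)
}

# check_distfile RECORDED_SHA256 FILE: succeed only if FILE still matches the
# checksum recorded when the version was first committed.
check_distfile() {
    [ "$(sha256_of "$2")" = "$1" ]
}

# list_changed_files OLD.tar.gz NEW.tar.gz: extract both and print the files
# that differ, were added, or were removed (prints nothing if identical).
list_changed_files() {
    o="$WORK/old"; n="$WORK/new"
    rm -rf "$o" "$n"; mkdir -p "$o" "$n"
    tar -C "$o" -xzf "$1"
    tar -C "$n" -xzf "$2"
    diff -rq "$o" "$n" | sed "s#$o/##g; s#$n/##g" || true
}

# Demonstration: record the original checksum, then examine a re-roll that
# keeps the version number but carries one injected line.
make_dist "$WORK/foo-1.0.orig.tar.gz" ""
make_dist "$WORK/foo-1.0.reroll.tar.gz" "echo injected   # stand-in for a backdoor"
RECORDED=$(sha256_of "$WORK/foo-1.0.orig.tar.gz")
if check_distfile "$RECORDED" "$WORK/foo-1.0.reroll.tar.gz"; then
    echo "re-rolled distfile matches recorded checksum"
else
    echo "checksum mismatch for the same version number; files that changed:"
    list_changed_files "$WORK/foo-1.0.orig.tar.gz" "$WORK/foo-1.0.reroll.tar.gz"
fi
```

The checksum step is what makes the "same version" case detectable at all: a tarball that keeps its name but changes a single byte fails it. The recursive diff is the expensive part the thread worries about for a port the size of XFree86, and it only has to run once the cheap checksum has already flagged the file.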