Date: Tue, 17 Feb 2004 14:43:27 +0100
From: Tilman Linneweh <arved@FreeBSD.org>
To: Michael Nottebrock <michaelnottebrock@gmx.net>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: cvs commit: ports/devel/tmake Makefile distinfo
Message-ID: <20040217134327.GA85445@huckfinn.arved.de>
In-Reply-To: <200402171420.47274.michaelnottebrock@gmx.net>
References: <200402091336.i19Da8nQ019809@repoman.freebsd.org> <200402171404.30701.michaelnottebrock@gmx.net> <xzpr7wtn98t.fsf@dwp.des.no> <200402171420.47274.michaelnottebrock@gmx.net>

* Michael Nottebrock [Di, 17 Feb 2004 at 14:20 GMT]:
>> > > > > Fix distinfo, SIZEify.
>> > > >
>> > > > You forgot to summarize what changed.
>> > >
>> > > I didn't see a followup to this.
>> >
>> > I have no idea what you expect me to write.
>>
>> When the checksum of a distfile changes, there is a considerable risk
>> that someone may have trojaned the distfile. As a port maintainer,
>> you are expected to verify that this is not the case before updating
>> the checksum in distinfo. You are also expected to summarize the
>> reason for the changed checksum in the commit message so that The Rest
>> Of Us[tm] can rest assured that you have indeed verified that the
>> distfile was not trojaned.
>
> I didn't know that I was supposed to perform a security audit and I did not
> do so. So if anyone happens to have the old distfile still around, please
> send it my way, cause I don't. I suggest next time instead of marking a port
> as BROKEN= Checksum mismatch, mark it as BROKEN= Needs security audit so I
> won't be tempted to fix it.
>

I intend to remove this port in a few days. It is obsolete and
superseded by qmake. I have just updated the last port that did depend
on it.

regards
tilman