Date: Tue, 17 Feb 2004 14:10:07 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Nottebrock <michaelnottebrock@gmx.net>
Cc: Dag-Erling Smørgrav <des@des.no>
Subject: Re: cvs commit: ports/devel/tmake Makefile distinfo
Message-ID: <20040217221007.GA22637@xor.obsecurity.org>
In-Reply-To: <200402171420.47274.michaelnottebrock@gmx.net>
References: <200402091336.i19Da8nQ019809@repoman.freebsd.org> <200402171404.30701.michaelnottebrock@gmx.net> <xzpr7wtn98t.fsf@dwp.des.no> <200402171420.47274.michaelnottebrock@gmx.net>

On Tue, Feb 17, 2004 at 02:20:46PM +0100, Michael Nottebrock wrote:
> On Tuesday 17 February 2004 14:09, Dag-Erling Smørgrav wrote:
> > Michael Nottebrock <michaelnottebrock@gmx.net> writes:
> > > On Tuesday 17 February 2004 13:49, Kris Kennaway wrote:
> > > > On Mon, Feb 09, 2004 at 02:07:32PM -0800, Kris Kennaway wrote:
> > > > > On Mon, Feb 09, 2004 at 05:36:08AM -0800, Michael Nottebrock wrote:
> > > > > > Log:
> > > > > > Fix distinfo, SIZEify.
> > > > >
> > > > > You forgot to summarize what changed.
> > > >
> > > > I didn't see a followup to this.
> > >
> > > I have no idea what you expect me to write.
> >
> > When the checksum of a distfile changes, there is a considerable risk
> > that someone may have trojaned the distfile. As a port maintainer,
> > you are expected to verify that this is not the case before updating
> > the checksum in distinfo. You are also expected to summarize the
> > reason for the changed checksum in the commit message so that The Rest
> > Of Us[tm] can rest assured that you have indeed verified that the
> > distfile was not trojaned.
>
> I didn't know that I was supposed to perform a security audit and I did not do
> so.

Perhaps it's time for you to re-read the porter's handbook and
committer's guide to refresh your memory? This is stated there quite
explicitly.

Kris