From: John Marino <marino@freebsd.org>
To: Eitan Adler
Cc: svn-ports-head@freebsd.org, Baptiste Daroussin, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Date: Thu, 23 Jan 2014 23:15:33 +0100
Subject: Re: svn commit: r337624 - head/games/daimonin-music
Message-ID: <52E19485.2090206@marino.st>
List-Id: SVN commit messages for the ports tree

On 1/23/2014 23:09, Eitan Adler wrote:
> On Thu, Dec 26, 2013 at 5:48 PM, Baptiste Daroussin wrote:
>> On Thu, Dec 26, 2013 at 11:41:08PM +0100, John Marino wrote:
>>> On 12/26/2013 23:37, Baptiste Daroussin wrote:
>>>> On Thu, Dec 26, 2013 at 10:15:01PM +0000, John Marino wrote:
>>>>> Author: marino
>>>>> Date: Thu Dec 26 22:15:01 2013
>>>>> New Revision: 337624
>>>>> URL: http://svnweb.freebsd.org/changeset/ports/337624
>>>>>
>>>> The port itself is still wrong, NO_CHECKSUM is still being used, while
>>>> bsd.port.mk specifically says it is not to be used inside a port, so this should
>>>> either be fixed or the port should remain broken.
>>>>
>>>
>>> I saw later this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=170052
>>>
>>> It is taken by eadler@. The patch itself is no longer good, but at least
>>> there was some attempt to fix it. I did not know NO_CHECKSUM was
>>> internal use only. It built fine in poudriere, which is where I tested
>>> it. Is eadler going to follow up, or at least release the PR?
>>>
>>> John
>>
>> eadler is afk for a moment, just take the PR ;)
>> If he complains, tell him that's my fault.
>
> Late reply!
>
> PRs should never be considered hard locks.
>
> I was looking into a solution that would ensure security but also not
> generate regular work for the maintainer. Mere data files *could*
> cause security issues if not validated, for example if maliciously
> altered to cause the program to crash or run arbitrary code.

If I remember correctly, the entire concept was flawed. The original
maintainer recognized that the distfile could get rerolled. He was
setting up a method where the port would not break if/when it was
rerolled. Obviously that's absurd and opens the door wide open for
attack. The solution was to generate distinfo and just let a reroll
temporarily break the port.

Incidentally, it was not rerolled in the last couple of years.

John
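The point of the thread is that a distinfo file pins the distfile by SHA256 and size, so an upstream reroll (benign or malicious) makes the fetch fail loudly instead of being silently accepted, which is exactly what NO_CHECKSUM would have hidden. The script below is an added illustration written for this page, not code from the FreeBSD ports tree or from any participant in the thread. It re-implements the checksum/size comparison that bsd.port.mk performs, using the real distinfo line format (`SHA256 (file) = ...`, `SIZE (file) = ...`), and then shows a constructed "reroll" of the same file name being rejected. It assumes either `sha256sum` (coreutils) or `sha256` (FreeBSD) is on PATH; the distfile name `sample-music-1.0.tar.gz` and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ports tree): a minimal reimplementation of the
# distinfo check so the "reroll breaks the port" behaviour can be seen directly.
# Assumes sha256sum (Linux) or sha256 (FreeBSD) is available.

# SHA256 hex digest of a file, portable across Linux and FreeBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Size of a file in bytes (wc -c is POSIX; strip the padding some wc's emit).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Emit the two distinfo lines for one distfile, in the format `make makesum` writes.
make_distinfo() {
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")"
    printf 'SIZE (%s) = %s\n' "$name" "$(size_of "$1")"
}

# Verify a distfile against a distinfo file.
# Returns 0 on match; 1 if the entry is missing, the digest differs, or the size differs.
# Usage: check_distinfo DISTINFO DISTFILE
check_distinfo() {
    distinfo=$1
    distfile=$2
    name=$(basename "$distfile")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "No distinfo entry for $name" >&2
        return 1
    fi
    if [ "$(sha256_of "$distfile")" != "$want_sum" ]; then
        echo "Checksum mismatch for $name (distfile was rerolled or tampered with)" >&2
        return 1
    fi
    if [ "$(size_of "$distfile")" != "$want_size" ]; then
        echo "Size mismatch for $name" >&2
        return 1
    fi
    echo "Checksum OK for $name"
    return 0
}

# Demo: pin a constructed distfile, then "reroll" it under the same name.
# Returns 0 only if the original passes and the rerolled copy is rejected.
demo() {
    tmp=$(mktemp -d)
    df="$tmp/sample-music-1.0.tar.gz"           # constructed name and contents
    printf 'constructed sample distfile contents, v1\n' > "$df"
    make_distinfo "$df" > "$tmp/distinfo"

    # The pinned distfile must verify.
    if ! check_distinfo "$tmp/distinfo" "$df"; then
        rm -rf "$tmp"; return 1
    fi

    # Upstream rerolls the tarball without changing its name: must be rejected.
    printf 'constructed sample distfile contents, v2 (rerolled)\n' > "$df"
    if check_distinfo "$tmp/distinfo" "$df"; then
        echo "BUG: rerolled distfile passed the check" >&2
        rm -rf "$tmp"; return 1
    fi

    rm -rf "$tmp"
    return 0
}

demo && echo "distinfo pinning rejects the rerolled distfile as expected"
```

The "break the port" outcome is the non-zero return from `check_distinfo`: a maintainer then regenerates distinfo after inspecting the new tarball, which is the human review step that NO_CHECKSUM would have skipped.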