Date:      Tue, 21 May 2002 23:30:26 -0600 (MDT)
From:      "M. Warner Losh" <imp@village.org>
To:        ache@nagual.pp.ru
Cc:        bts@babbleon.org, kris@obsecurity.org, ports@FreeBSD.ORG, portmgr@FreeBSD.ORG, core@FreeBSD.ORG
Subject:   Re: My position on commiters guide 10.4.4
Message-ID:  <20020521.233026.111454472.imp@village.org>
In-Reply-To: <20020522050301.GA93570@nagual.pp.ru>
References:  <20020522041150.GA92851@nagual.pp.ru> <20020522044853.92549BB29@i8k.babbleon.org> <20020522050301.GA93570@nagual.pp.ru>

In message: <20020522050301.GA93570@nagual.pp.ru>
            "Andrey A. Chernov" <ache@nagual.pp.ru> writes:
: On Wed, May 22, 2002 at 00:48:52 -0400, Brian T.Schellenberger wrote:
: 
: > Really, ports that change without version number changes are a real pain to 
: > deal with, and a new port should be rolled up for them only if there is a 
: > very good reason (which the porter understands), which is all this rule seems 
: > to be saying.
: 
: I want to especially note that when the version number IS CHANGED, we are in 
: exactly the same situation, i.e. from a security perspective all things from 
: 10.4.4 must be done, like a complete diff, description of all changes, etc. 
: I found it not logical to enforce that requirement when the version number is 
: not changed and forget it when it is changed. Does the version number change 
: bring any safety? Of course not, a hacker can just upload a new version with 
: a changed number.

Actually, the historical risk of trojan distributions is much higher
for the same version.  The reason that a hacker would prefer that to a
new version is that a new version is more likely to be noticed than
silently replacing an old version.  There have been several incidents
of this type.  It is these sorts of incidents that caused the rules to
be put into place.

Ache's suggestion of not updating the port at all is a failsafe (from
a security point of view) way of dealing with the problem that also
addresses the security concerns.  If there's a real reason to update
the port, then running a diff between the two versions shouldn't be a
huge deal.  You'll need to fetch the new version of the tar.gz file
anyway (and should have the old one from before).

An alternative way of dealing with this might be to contact the author
of the port that did the update to confirm that there was a new
version created by him and that it was legit.

Warner
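Warner's "run a diff between the two versions" check, as an added shell example that is not part of the original message: it extracts an old and a re-rolled distfile into temporary directories and lists the files that differ, so a committer can see whether build scripts changed in a tarball whose version string did not. The foo-1.0 tarballs, file names and contents are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original message. Needs only POSIX sh, tar, diff.

# diff_distfiles OLD.tar.gz NEW.tar.gz
# Prints a unified diff of the two extracted trees; returns 0 if identical,
# 1 if they differ, 2 on extraction failure.
diff_distfiles() {
    old="$1"; new="$2"
    work=$(mktemp -d) || return 2
    mkdir "$work/old" "$work/new"
    tar -xzf "$old" -C "$work/old" && tar -xzf "$new" -C "$work/new" \
        || { rm -rf "$work"; return 2; }
    # -r recurse, -u unified, -N show added/removed files instead of skipping them
    (cd "$work" && diff -ruN old new) && rc=0 || rc=$?
    rm -rf "$work"
    return $rc
}

# changed_files OLD NEW: only the paths that differ, one per line (paths
# containing spaces are not handled), taken from diff's per-file header lines.
changed_files() {
    diff_distfiles "$1" "$2" | sed -n 's#^diff -ruN old/\([^ ]*\) new/.*#\1#p'
}

# Constructed sample: same version string, one build step added in the re-roll.
# Prints the directory holding foo-1.0.orig.tar.gz and foo-1.0.reroll.tar.gz.
make_sample() {
    sdir=$(mktemp -d)
    mkdir -p "$sdir/src/foo-1.0"
    printf 'VERSION=1.0\nall:\n\tcc -o foo foo.c\n' > "$sdir/src/foo-1.0/Makefile"
    printf 'int main(void){return 0;}\n' > "$sdir/src/foo-1.0/foo.c"
    (cd "$sdir/src" && tar -czf "$sdir/foo-1.0.orig.tar.gz" foo-1.0)
    # the "re-rolled" upload: version unchanged, Makefile gains an extra step
    printf 'VERSION=1.0\nall:\n\tcc -o foo foo.c\n\tsh ./post.sh\n' \
        > "$sdir/src/foo-1.0/Makefile"
    printf '#!/bin/sh\necho "constructed extra step"\n' > "$sdir/src/foo-1.0/post.sh"
    (cd "$sdir/src" && tar -czf "$sdir/foo-1.0.reroll.tar.gz" foo-1.0)
    echo "$sdir"
}
```

Run `changed_files old.tar.gz new.tar.gz` on the distfile already in the local cache and the freshly fetched one; an empty list means the re-roll is byte-for-byte the same source tree.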
