Date: Sat, 19 Dec 2009 00:02:18 -0800
From: Doug Barton <dougb@FreeBSD.org>
To: Dominic Fandrey <kamikaze@bsdforen.de>
Cc: Mark Linimon <linimon@lonesome.com>, freebsd-ports@freebsd.org
Subject: Re: ioquake3 support more platforms
Message-ID: <4B2C888A.6000006@FreeBSD.org>
In-Reply-To: <4B2B681A.1090908@bsdforen.de>
References: <4B2A52DB.5020602@bsdforen.de> <20091218065728.GC29158@lonesome.com> <4B2B681A.1090908@bsdforen.de>
Dominic Fandrey wrote:
> But that's not different for any port. E.g. sysutils/bsdadminscripts is
> all mine, I create the distfiles and maintain the port, there is no
> guarantee that I don't do evil apart from me being quite certain that
> I don't.

Mark already pointed out that maintainers and committers actually _do_ have a responsibility to dig into changes, be knowledgeable about upgrades, etc. I agree with his perspective on this.

> Why can one assume that an ioquake release is safe?

One really cannot.

> It's made by the same people who maintain the non-trustworthy SVN.
>
> What if I created a sourceforge project freebsd-ioquake and published
> my distfiles there as ioquake freebsd releases. Would it suddenly
> turn trustworthy?

The security problems involved in trying to audit a fixed, known set of files are minuscule compared to the problems involved in auditing a set of files that can change on a minute by minute basis. The whole concept of creating a FreeBSD port that checks source files out of a third-party svn repository is anathema to the whole concept of ports security.

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
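The point Doug makes above is the difference between pinning a fixed artifact and fetching whatever a repository head happens to contain. The following is an added illustration, not code from the thread or from the ports tree: it parses distinfo-style records (the `SHA256 (file) = hex` and `SIZE (file) = n` lines the ports framework records for each distfile) and checks a fetched file against them, so that a file that differs from the one the maintainer audited is rejected. The sample distfile and the distinfo text are constructed inline; the file name and hash are placeholders, not real ioquake3 values.

```python
"""Check a fetched distfile against pinned distinfo records.

Added example, not part of the mailing-list thread. The distinfo format
is the FreeBSD ports style; the file name, contents and hash below are
constructed for the demonstration.
"""
import hashlib
import re

# Constructed stand-in for a release tarball. A real distfile would be
# fetched from the master site; the point is that its bytes are fixed.
SAMPLE_DISTFILE = b"ioquake3-release-placeholder\n" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, as distinfo records it."""
    return hashlib.sha256(data).hexdigest()


# Constructed distinfo text. The hash and size are recorded once, when the
# port is committed, and from then on pin exactly one artifact. Unknown
# lines (e.g. TIMESTAMP) are ignored by the parser below.
SAMPLE_DISTINFO = (
    "TIMESTAMP = 0\n"
    f"SHA256 (ioquake3-sample.tar.gz) = {sha256_hex(SAMPLE_DISTFILE)}\n"
    f"SIZE (ioquake3-sample.tar.gz) = {len(SAMPLE_DISTFILE)}\n"
)

_RECORD = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text: str) -> dict:
    """Map each distfile name to its recorded sha256 and size."""
    records = {}
    for line in text.splitlines():
        m = _RECORD.match(line.strip())
        if not m:
            continue
        rec = records.setdefault(m.group("name"), {})
        if m.group("kind") == "SHA256":
            rec["sha256"] = m.group("value").lower()
        else:
            rec["size"] = int(m.group("value"))
    return records


def verify_distfile(name: str, data: bytes, records: dict):
    """Return (ok, reason). Anything not matching the pinned record fails."""
    rec = records.get(name)
    if rec is None:
        return False, "no distinfo record"
    if "sha256" not in rec or "size" not in rec:
        return False, "incomplete distinfo record"
    # Size is checked first because it is cheap and catches truncation
    # or appended data before the hash is computed.
    if len(data) != rec["size"]:
        return False, "size mismatch"
    if sha256_hex(data) != rec["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    recs = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_distfile("ioquake3-sample.tar.gz", SAMPLE_DISTFILE, recs))
    tampered = bytearray(SAMPLE_DISTFILE)
    tampered[0] ^= 0x01  # same length, one bit flipped
    print(verify_distfile("ioquake3-sample.tar.gz", bytes(tampered), recs))
```

A checkout from a third-party repository has no equivalent record to compare against: whatever the server returns at fetch time is what gets built, which is why no later audit of "the distfile" is possible for such a port.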