Dominic Fandrey wrote:

> But that's not different for any port. E.g. sysutils/bsdadminscripts is
> all mine, I create the distfiles and maintain the port, there is no
> guarantee that I don't do evil apart from me being quite certain that
> I don't.

Mark already pointed out that maintainers and committers actually _do_ have a responsibility to dig into changes, be knowledgeable about upgrades, etc. I agree with his perspective on this.

> Why can one assume that an ioquake release is safe? One really cannot.
> It's made by the same people who maintain the non-trustworthy SVN.
>
> What if I created a sourceforge project freebsd-ioquake and published
> my distfiles there as ioquake freebsd releases. Would it suddenly
> turn trustworthy?

The security problems involved in trying to audit a fixed, known set of files are minuscule compared to the problems involved in auditing a set of files that can change on a minute-by-minute basis. The whole concept of creating a FreeBSD port that checks source files out of a third-party svn repository is anathema to the whole concept of ports security.

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/