Doug Barton wrote:
> Dominic Fandrey wrote:
>> But that's not different for any port. E.g. sysutils/bsdadminscripts is
>> all mine, I create the distfiles and maintain the port, there is no
>> guarantee that I don't do evil apart from me being quite certain that
>> I don't.
>
> Mark already pointed out that maintainers and committers actually _do_
> have a responsibility to dig into changes, be knowledgeable about
> upgrades, etc. I agree with his perspective on this.
>
>> Why can one assume that an ioquake release is safe? One really cannot.
>> It's made by the same people who maintain the non-trustworthy SVN.
>>
>> What if I created a sourceforge project freebsd-ioquake and published
>> my distfiles there as ioquake freebsd releases. Would it suddenly
>> turn trustworthy?
>
> The security problems involved in trying to audit a fixed, known set
> of files are minuscule compared to the problems involved in auditing a
> set of files that can change on a minute by minute basis. The whole
> concept of creating a FreeBSD port that checks source files out of a
> third-party svn repository is anathema to the whole concept of ports
> security.
Even if the files were directly checked out from SVN, they'd be checked out from a tested point in time. But this is not the case we're talking about (I explained the process in sufficient detail, I think). I take an up to date snapshot, apply my patch set, make a couple of test builds and runs, update the patch set until everything works as expected. Then I wrap the whole thing (SVN snapshot and my patches) up in a tar.gz and upload it to an ftp server. There's no danger that anything changes. I'm not about to break md5 and sha256.

-- 
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
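The point both sides of the thread rely on is that a port pins a fixed distfile, not a moving checkout: once the snapshot tarball is wrapped up and its SHA256 and SIZE are recorded in the port's distinfo, any later change to the file (upstream or on the ftp server) makes the fetch fail. The script below is an added example, not code from the thread or from the FreeBSD ports framework. It builds a constructed stand-in for a "snapshot plus patches" tarball, writes a distinfo record in the real FreeBSD format (`SHA256 (file) = hex`, `SIZE (file) = bytes`), verifies it, then appends bytes to the tarball to show that the pin catches the change. The file name `ioquake3-snap-20080101.tar.gz` and the tarball contents are invented for the demo.

```shell
#!/bin/sh
# Added example: pin a distfile by SHA256 and SIZE the way a FreeBSD
# port's distinfo does, then verify a copy against that record.
# Names and contents below are constructed for illustration.

# Portable SHA256 hex digest: GNU coreutils ships sha256sum, FreeBSD sha256(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Byte size without relying on stat(1) flag differences between GNU and BSD.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Write distinfo entries for one distfile.  $1 = distfile, $2 = distinfo path.
make_distinfo() {
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")" >  "$2"
    printf 'SIZE (%s) = %s\n'   "$name" "$(size_of "$1")"   >> "$2"
}

# Verify $1 against distinfo $2.  Returns 0 only if both the digest and the
# size match; a missing entry counts as a failure, never as a pass.
check_distinfo() {
    name=$(basename "$1")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$2")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$2")
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 1
    [ "$(sha256_of "$1")" = "$want_sum" ]  || return 1
    [ "$(size_of "$1")"   = "$want_size" ] || return 1
    return 0
}

# Demo: build a fake "SVN snapshot + patch set" tarball, pin it, verify,
# then change the file after the fact and confirm verification fails.
# Exit status is 0 only if the pristine copy passes AND the altered copy fails.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/snap/patches"
    echo 'int main(void) { return 0; }' > "$work/snap/main.c"
    echo '--- main.c (constructed patch stub)' > "$work/snap/patches/patch-main.c"
    ( cd "$work" && tar czf ioquake3-snap-20080101.tar.gz snap )
    dist="$work/ioquake3-snap-20080101.tar.gz"

    make_distinfo "$dist" "$work/distinfo"
    if check_distinfo "$dist" "$work/distinfo"; then ok=yes; else ok=no; fi

    # Simulate the distfile changing after the port was committed.
    echo 'unexpected trailing bytes' >> "$dist"
    if check_distinfo "$dist" "$work/distinfo"; then tampered=no; else tampered=yes; fi

    rm -rf "$work"
    echo "pristine verifies: $ok; change detected: $tampered"
    [ "$ok" = yes ] && [ "$tampered" = yes ]
}
```

Run it with `sh script.sh && demo` after sourcing, or append a `demo` call at the end; the SIZE line is checked as well as the digest because the ports framework records both, and checking size first is a cheap way to reject a truncated download before hashing it.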