On Jan 6, 2016, at 6:44 PM, Ryan Schmidt <ryandes...@macports.org> wrote:
> An SSL certificate does not guarantee the user is getting the same files the 
> maintainer did. It only guarantees the user is talking to the same server.

It's not even that strong of a guarantee (especially since the recommendation 
here was seemingly to just verify that the certificate is 'valid').

> One solution is to let the MacPorts distfiles mirror mirror the file, then 
> switch the portfile to only look at the distfiles mirror, not the original 
> server. This would need to be done every time you update the port.

Can we make it easier for maintainers to add files to the mirrors? When we used 
to put files into subversion, it was easy for any maintainer to avoid this 
problem by just checking in a snapshot. While it's undesirable to go back to 
that (storing lots of binaries in our svn repo isn't a great idea), being able 
to upload a snapshot again would be welcome.

It would fix this and to some extent also make it less 'necessary' for people 
to have ports fetching from source control systems (giving everyone the benefit 
of having the files mirrored and cacheable).

> The ideal would be to work with the developers to convince them not to issue 
> stealth updates.

+1 for this as well.

-- 
Daniel J. Luke
+========================================================+
| *---------------- dl...@geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
|   Opinions expressed are mine and do not necessarily   |
|          reflect the opinions of my employer.          |
+========================================================+

_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev
