On Tue, Oct 04, 2011 at 02:44:42PM -0400, David Cantrell wrote:
> On 10/04/2011 02:31 PM, Marc Espie wrote:
> >On Tue, Oct 04, 2011 at 02:11:13PM -0400, David Cantrell wrote:
> >>On 10/04/2011 01:39 PM, Antoine Jacoutot wrote:
> >>>On Tue, 4 Oct 2011, David Cantrell wrote:
> >>>
> >>>>I'm working on a local port where the source archive is not available
> >>>>via anything other than svn. I'm trying to use pre-fetch to see if a
> >>>>checkout of the release I want already exists in /usr/ports/distfiles
> >>>>and if not, check it out. I'm trying something like this:
> >>>
> >>>Why don't you create a tarball of the checkout and host it?
> >>
> >>That's not really the solution I'm after. The project itself does
> >>not have a release engineer and I'm not looking to become one for
> >>it. I am just trying to put together a local port that some other
> >>coworkers can use to build packages of a specific checkout from the
> >>svn repo.
> >
> >Don't use pre-fetch, it's heavily deprecated. In fact, don't override
> >any of pre-fetch, do-fetch, post-fetch.
>
> Noted. Please remove information about overriding *-fetch from the
> bsd.port.mk man page.

Read more closely:

every configuration. Use of {pre,do,post}-fetch hooks is strongly
discouraged, and will probably be removed in the near future, as this
makes mirroring of distfiles very complicated. See CHECKSUMFILES,
CDROM_SITE, DISTDIR,

> OK. But this is probably something worth thinking about for future
> development. I've noticed many upstream projects eliminating
> tarballs in favor of telling you a git tag to use 'git archive
> --format=tar' on. While it may not be something anyone cares about
> for the main ports tree, having the functionality there for people
> who keep things in /usr/ports/mystuff would probably be useful.

Nope. Not good.

Checksums. How do you prevent people tampering from upstream and introduce
trojan horses?

It's not like this never happened. We caught at least 2 such issues thanks
to the checksums in distinfo.
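
Added example, not part of the original thread and not code from the ports tree: a sketch of the check the last reply relies on, comparing a fetched distfile against the digest and size pinned in distinfo and failing closed when nothing is pinned. The BSD-style `SHA256 (file) = digest` / `SIZE (file) = bytes` line format, the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Assumed BSD-style checksum line: "SHA256 (foo-1.0.tar.gz) = <digest>"
LINE_RE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": bytes, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and algorithms this sketch ignores
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entry = entries.setdefault(name, {})
        if kind == "SIZE":
            entry["SIZE"] = int(value)
        elif len(value) == 64:  # hex-encoded SHA-256
            entry["SHA256"] = bytes.fromhex(value)
        else:  # base64-encoded SHA-256
            entry["SHA256"] = base64.b64decode(value, validate=True)
    return entries


def verify_distfile(name, data, entries):
    """Return (ok, reason); a file with no pinned checksum is rejected."""
    entry = entries.get(name)
    if not entry or "SHA256" not in entry or "SIZE" not in entry:
        return False, "no checksum recorded"
    if len(data) != entry["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).digest() != entry["SHA256"]:
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed sample: stand-in archive bytes and the distinfo pinned at port time.
GOOD = b"constructed release archive bytes\n"
DISTINFO = "SHA256 (example-1.0.tar.gz) = %s\nSIZE (example-1.0.tar.gz) = %d\n" % (
    base64.b64encode(hashlib.sha256(GOOD).digest()).decode(), len(GOOD))
# Same length, different content: an upstream file replaced after the pin.
TAMPERED = GOOD.replace(b"release", b"trojan!")

if __name__ == "__main__":
    db = parse_distinfo(DISTINFO)
    print(verify_distfile("example-1.0.tar.gz", GOOD, db))
    print(verify_distfile("example-1.0.tar.gz", TAMPERED, db))
```

A checkout made at build time has no such pinned value to compare against, which is the gap the reply points at.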