Re: CVS commit: pkgsrc/graphics/ImageMagick

To: Bernd Ernesti <netbsd%lists.veego.de@localhost>
Subject: Re: CVS commit: pkgsrc/graphics/ImageMagick
From: Jens Rehsack <rehsack%googlemail.com@localhost>
Date: Thu, 27 Aug 2009 19:27:46 +0000

Bernd Ernesti wrote:
> On Thu, Aug 27, 2009 at 05:52:55PM +0000, Jens Rehsack wrote:
>> Module Name: pkgsrc
>> Committed By:        sno
>> Date:                Thu Aug 27 17:52:55 UTC 2009
>>
>> Modified Files:
>>      pkgsrc/graphics/ImageMagick: Makefile distinfo
>>
>> Log Message:
>> Updating package graphics/ImageMagick from 6.5.5.3 to 6.5.5.3nb1 because
>> package file on server has changed without new release.
>>
>> No upstream notice about new package is provided.
> 
> Did you check what changed?

No, not really - I took the new archive, check if it builds and simple
checks if it works, if PLIST was ok - and that's it.

> There were a few archives in the past where someone added a backdoor in it.

And put it to the official sites? o.O
If this is to assume, it's better check every update, right? There could
always be a backdoor in it.

What's happened more often - if you read the ChangeLog of ImageMagick, that
they released a new archive with similar version short time after the first
release of this version.

> IMHO it should be checked what changed and not just update the checksum.

If this is true, I wont do any updates anymore, because I don't have the
time to review all code.

Jens

Follow-Ups:
- Re: CVS commit: pkgsrc/graphics/ImageMagick
  - From: Bernd Ernesti
- Re: CVS commit: pkgsrc/graphics/ImageMagick
  - From: Thomas Klausner

References:
- CVS commit: pkgsrc/graphics/ImageMagick
  - From: Jens Rehsack
- Re: CVS commit: pkgsrc/graphics/ImageMagick
  - From: Bernd Ernesti

Prev by Date: CVS commit: pkgsrc
Next by Date: Re: CVS commit: pkgsrc/graphics/ImageMagick
Previous by Thread: Re: CVS commit: pkgsrc/graphics/ImageMagick
Next by Thread: Re: CVS commit: pkgsrc/graphics/ImageMagick
Indexes:

Home | Main Index | Thread Index | Old Index