pkgsrc-Changes archive


Re: CVS commit: pkgsrc/archivers/szip



On Sun, Nov 20, 2011 at 05:57:48PM +0200, Alan Barrett wrote:
 > On Sun, 20 Nov 2011, John Marino wrote:
 > >Yes, I guess it's possible that somebody hacked into the
 > >hdfgroup.org server, and replaced the source tarball with one
 > >with a trojan in it after hdfgroup repacked the same tarball 3
 > >times before.  But no, I did not do a line-by-line diff on all
 > >the sources because primarily I didn't have the original source.
 > >It was no longer available (the entire reason it caught my
 > >attention.)
 > 
 > When you encounter a package whose distfile name stays the same
 > while the distfile contents change, you should immediately be very
 > suspicious.  If you can't compare the old and new distfiles because
 > you don't have the old distfile, then you could ask whether anybody
 > else has the old distfile.

This.

I checked it yesterday and it looks innocuous.

 > If a particular upstream maintainer has a history of making such
 > changes, then I think we should try extra hard to keep a stable
 > version of the distfile on a netbsd server.

I think in this case it's not allowed.

-- 
David A. Holland
dholland%netbsd.org@localhost
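The check Alan describes above, as an added example that is not part of this thread or of pkgsrc itself: a verifier in the style of pkgsrc's distinfo records (SHA512 and Size fields; the file name, tarball bytes and all digests are constructed) that refuses a distfile whose name is unchanged but whose contents no longer match what was recorded.

```python
import hashlib
import re

# Constructed stand-ins for a fetched tarball: the "repacked" version has the
# same name and the same size as the original, only the bytes differ.
DISTFILE_NAME = "szip-sample.tar.gz"
ORIGINAL_DISTFILE = b"szip-sample: original tarball contents\n"
REPACKED_DISTFILE = b"szip-sample: repacked tarball contents\n"

# One distinfo line looks like "SHA512 (file) = <hex>" or "Size (file) = N bytes".
DISTINFO_LINE = re.compile(r"^(\w+) \((\S+)\) = (\S+)( bytes)?$")


def parse_distinfo(text):
    """Return {filename: {field: value}} from distinfo-style lines."""
    records = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            field, fname, value, _ = m.groups()
            records.setdefault(fname, {})[field] = value
    return records


def make_distinfo(fname, data):
    """Record a distfile's digest and size (real distinfo carries more digests)."""
    return "\n".join([
        f"SHA512 ({fname}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({fname}) = {len(data)} bytes",
    ])


def verify_distfile(fname, data, distinfo_text):
    """Compare fetched bytes against the recorded distinfo.

    Returns (ok, mismatches); every recorded field that disagrees is listed,
    so a silently repacked tarball is reported instead of being accepted.
    """
    recorded = parse_distinfo(distinfo_text).get(fname)
    if not recorded:
        return False, [f"no distinfo record for {fname}"]
    actual = {
        "SHA512": hashlib.sha512(data).hexdigest(),
        "Size": str(len(data)),
    }
    mismatches = [
        f"{field}: recorded {want}, actual {actual[field]}"
        for field, want in recorded.items()
        if field in actual and actual[field] != want
    ]
    return not mismatches, mismatches
```

Because the constructed repack keeps the original size, only the SHA512 field trips, which is why a size check alone is not enough to notice a changed distfile.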
