Re: CVS commit: pkgsrc/archivers/szip
On Sun, Nov 20, 2011 at 05:57:48PM +0200, Alan Barrett wrote:
> On Sun, 20 Nov 2011, John Marino wrote:
> >Yes, I guess it's possible that somebody hacked into the
> >hdfgroup.org server, and replaced the source tarball with one
> >with a trojan in it after hdfgroup repacked the same tarball 3
> >times before. But no, I did not do a line-by-line diff on all
> >the sources because primarily I didn't have the original source.
> >It was no longer available (the entire reason it caught my
> When you encounter a package whose distfile name stays the same
> while the distfile contents change, you should immediately be very
> suspicious. If you can't compare the old and new distfiles because
> you don't have the old distfile, then you could ask whether anybody
> else has the old distfile.
I checked it yesterday and it looks innocuous.
> If a particular upstream maintainer has a history of making such
> changes, then I think we should try extra hard to keep a stable
> version of the distfile on a netbsd server.
I think in this case it's not allowed.
David A. Holland
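As an added example (not part of this thread or of pkgsrc itself), here is the check Alan describes in code: pin a distfile's checksums in a distinfo-style record and flag a same-named distfile whose contents have changed. The distfile name and bytes are constructed; the record format follows pkgsrc's `ALGO (file) = value` lines.

```python
import hashlib
import re

# Matches distinfo-style lines such as "SHA1 (foo.tar.gz) = abc..." and
# "Size (foo.tar.gz) = 1234 bytes".
DISTINFO_LINE = re.compile(r"^(\w+) \((.+?)\) = (\S+)( bytes)?$")

def record_distinfo(name, data):
    """Produce distinfo-style lines pinning a distfile's hashes and size."""
    return [
        f"SHA1 ({name}) = {hashlib.sha1(data).hexdigest()}",
        f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({name}) = {len(data)} bytes",
    ]

def parse_distinfo(lines):
    """Map distfile name -> {algorithm: recorded value}."""
    pinned = {}
    for line in lines:
        m = DISTINFO_LINE.match(line.strip())
        if m:
            algo, fname, value, _ = m.groups()
            pinned.setdefault(fname, {})[algo] = value
    return pinned

def check_distfile(distinfo_lines, name, data):
    """Return a list of mismatches; empty means the fetched bytes match the pin.
    A distfile with no recorded checksum is reported rather than silently passing."""
    pinned = parse_distinfo(distinfo_lines)
    if name not in pinned:
        return [f"{name}: no recorded checksum"]
    actual = {
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
        "Size": str(len(data)),
    }
    return [f"{name}: {algo} recorded {exp} but got {actual[algo]}"
            for algo, exp in pinned[name].items()
            if algo in actual and actual[algo] != exp]

# Constructed sample input: the originally fetched distfile and a later
# "repack" served under the same name with different contents.
DISTFILE_NAME = "szip-example.tar.gz"
OLD_DISTFILE = b"constructed old distfile contents\n"
NEW_DISTFILE = b"constructed repacked distfile: same name, different contents\n"
DISTINFO = record_distinfo(DISTFILE_NAME, OLD_DISTFILE)

if __name__ == "__main__":
    print("old:", check_distfile(DISTINFO, DISTFILE_NAME, OLD_DISTFILE) or "matches pin")
    print("repacked:", check_distfile(DISTINFO, DISTFILE_NAME, NEW_DISTFILE))
```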