pkgsrc-Users archive


Re: Are automated tools being used to generate distinfo for say latest databases/sqlite3



Adam <adam%netbsd.org@localhost> writes:

> Upstream has changed the distfile. I've committed the change to PkgSrc.

(I know Adam knows all this, but since the pkgsrc approach was questioned,
saying it for David and the archives.)

This changing of distfiles is bad behavior on the part of upstream.  It
should just never happen.  If they want to fix something, it needs a new
version number.  However lots of upstreams do this.  Apparently they
don't understand packaging and/or don't understand that substantially
all uses of widely-used software are via packaging, and that packaging
systems are their primary release target.

When a distfile is changed, it is a sign of a malware injection attack
-- but often it is simply a sign of bad judgement.  Generally, package
maintainers will get the new distfile and compare them, exactly as Adam
has done, to sort the situation into concerning vs not concerning.
Usually it is 'not concerning', as people thinking it is ok to change
distfiles is more common than attacks.

Overall, pkgsrc's handling of this is a feature more than a bug.
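
The old-versus-new distfile comparison described in this message, as an added example that is not part of the original message or of pkgsrc's own tooling: it compares two tarballs member by member, so a repack with identical contents can be told apart from a content change. The function names, the `pkg-1.0` paths and the sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each archive member to (content digest or type marker, mode)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:  # directories, symlinks, devices: record type and link target
                digest = "type:%s:%s" % (m.type.decode(), m.linkname)
            out[m.name] = (digest, m.mode)
    return out


def compare_distfiles(old_bytes, new_bytes):
    """Report what differs between two distfiles, ignoring timestamps."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "identical_archive": hashlib.sha256(old_bytes).digest()
        == hashlib.sha256(new_bytes).digest(),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def make_tarball(files, mtime):
    """Build a gzip tarball in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample input: an original distfile, a repack, and a modified one.
BASE = {"pkg-1.0/configure": b"#!/bin/sh\n", "pkg-1.0/src/main.c": b"int main(){}\n"}
OLD = make_tarball(BASE, mtime=1000)
REPACKED = make_tarball(BASE, mtime=2000)  # same contents, new timestamps
MODIFIED = make_tarball({**BASE, "pkg-1.0/src/main.c": b"int main(){return 1;}\n",
                         "pkg-1.0/src/extra.c": b"void f(){}\n"}, mtime=2000)

if __name__ == "__main__":
    print("repacked:", compare_distfiles(OLD, REPACKED))
    print("modified:", compare_distfiles(OLD, MODIFIED))
```

An empty added/removed/changed result with a differing archive checksum points to a repack; any listed member is what the maintainer then reads as a diff before updating distinfo.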


