tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: distfile checksum error in graphics/MesaLib



On Thu, 21 Aug 2008 14:00:17 -0500 (CDT)
"Jeremy C. Reed" <reed%reedmedia.net@localhost> wrote:

> On Thu, 21 Aug 2008, Tobias Nygren wrote:
> 
> > I've updated the checksums to match md5sums I found at:
> > http://mesa3d.sourceforge.net/relnotes-7.0.4.html
> 
> What if the webpage and tarballs were both compromised?
> 
> Have we compared the original tarball with new?

No, the "original" tarballs were prerelease code that was tar'ed into
tarballs that were named like, and looked like official ones and
dropped by the package's maintainer into MASTER_SITE_LOCAL,
http://ftp.netbsd.org/pub/pkgsrc/distfiles/LOCAL_PORTS/Mesa-7.0.4/ were
you can still find them. I strongly object to this practice of rolling
our own distfiles for use in pkgsrc.
This will also now start to break for people who have the old distfiles,
because DIST_SUBDIR hasn't changed.
Can we please just wait the extra week for upstream to prepare a release
instead of blindly jumping on the latest and greatest code from git?

> Please see Pkgsrc Guide for instructions on this.

I know.

-Tobias


Home | Main Index | Thread Index | Old Index