tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Updating distinfo without checking the content


what do others think about this problem?

Without checking the binary this can be a security issue.


----- Forwarded message from Bernd Ernesti <> 

Date: Sat, 15 Mar 2014 08:37:29 +0100
From: Bernd Ernesti <>
Subject: Re: CVS commit: pkgsrc/graphics/dcraw
To: Ryo ONODERA <>
References: <>


On Sat, Mar 15, 2014 at 12:16:03AM +0000, Ryo ONODERA wrote:
> Module Name:  pkgsrc
> Committed By: ryoon
> Date:         Sat Mar 15 00:16:03 UTC 2014
> Modified Files:
>       pkgsrc/graphics/dcraw: Makefile distinfo
> Log Message:
> dcraw-9.20.tar.gz in distinfo, on, and on MASTER_SITES are
> different.

Did you check the difference what changed on the master site?

If not we need to first analyze if there is no issue with the new version
on the master site. There were in the past code changes in some other
packages where malicious code was added.


----- End forwarded message -----

Home | Main Index | Thread Index | Old Index