tech-pkg archive


Re: Updating distinfo without checking the content



Hi,

From: Bernd Ernesti <netbsd%lists.veego.de@localhost>, Date: Sat, 22 Mar 2014 18:20:55 +0100

> Hi,
> 
> what do others think about this problem?
> 
> Without checking the binary this can be a security issue.

Sorry for the late reply.
I will check the difference between silently replaced tarballs
next time.

Thank you.


> Bernd
> 
> ----- Forwarded message from Bernd Ernesti <netbsd%lists.veego.de@localhost> -----
> 
> Date: Sat, 15 Mar 2014 08:37:29 +0100
> From: Bernd Ernesti <netbsd%lists.veego.de@localhost>
> Subject: Re: CVS commit: pkgsrc/graphics/dcraw
> To: Ryo ONODERA <ryoon%netbsd.org@localhost>
> Cc: pkgsrc-changes%NetBSD.org@localhost
> References: <20140315001603.9843396%cvs.netbsd.org@localhost>
> 
> Hi,
> 
> On Sat, Mar 15, 2014 at 12:16:03AM +0000, Ryo ONODERA wrote:
>> Module Name: pkgsrc
>> Committed By:        ryoon
>> Date:                Sat Mar 15 00:16:03 UTC 2014
>> 
>> Modified Files:
>>      pkgsrc/graphics/dcraw: Makefile distinfo
>> 
>> Log Message:
>> Set DIST_SUBDIR
>> dcraw-9.20.tar.gz in distinfo, on ftp.NetBSD.org, and on MASTER_SITES are
>> different.
> 
> Did you check what changed on the master site?
> 
> If not, we need to first analyze if there is no issue with the new version
> on the master site. There were in the past code changes in some other
> packages where malicious code was added.
> 
> Bernd
> 
> 
> ----- End forwarded message -----

--
Ryo ONODERA // ryo_on%yk.rim.or.jp@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
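
The check discussed in this thread, as an added example that is not part of the original messages or of pkgsrc: compare the old and the replaced tarball member by member before updating distinfo, reading both archives in memory without extracting them. The function names and the two sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each archive member to a SHA-256 (regular files) or a type marker."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            if m.isfile():
                digests[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            else:
                # Directories, links and special files: record kind and target.
                kind = "dir" if m.isdir() else "link-or-special"
                digests[m.name] = f"<{kind}:{m.linkname}>"
    return digests

def compare_tarballs(old_bytes, new_bytes):
    """Report which members were added, removed or changed between two tarballs."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def _make_tarball(files):
    """Build a small .tar.gz in memory (constructed sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed stand-ins for the mirrored copy and the replaced upstream copy.
OLD = _make_tarball({"dcraw/dcraw.c": b"int main(void){return 0;}\n",
                     "dcraw/dcraw.1": b".TH DCRAW 1\n"})
NEW = _make_tarball({"dcraw/dcraw.c": b"int main(void){return 1;}\n",
                     "dcraw/dcraw.1": b".TH DCRAW 1\n",
                     "dcraw/extra.sh": b"#!/bin/sh\n"})

if __name__ == "__main__":
    for kind, names in compare_tarballs(OLD, NEW).items():
        print(f"{kind}: {names}")
```

An empty report means only the archive container changed (for example gzip timestamps); any listed file is what needs a source-level diff before the new checksum is committed.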

