pkgsrc-Changes archive


Re: CVS commit: pkgsrc/archivers/szip



On 11/20/2011 4:57 PM, Alan Barrett wrote:
> On Sun, 20 Nov 2011, John Marino wrote:
>> Yes, I guess it's possible that somebody hacked into the hdfgroup.org
>> server, and replaced the source tarball with one with a trojan in it
>> after hdfgroup repacked the same tarball 3 times before.  But no, I
>> did not do a line-by-line diff on all the sources because primarily I
>> didn't have the original source. It was no longer available (the
>> entire reason it caught my attention.)
>
> When you encounter a package whose distfile name stays the same while
> the distfile contents change, you should immediately be very
> suspicious.  If you can't compare the old and new distfiles because
> you don't have the old distfile, then you could ask whether anybody
> else has the old distfile.
>
> If a particular upstream maintainer has a history of making such
> changes, then I think we should try extra hard to keep a stable
> version of the distfile on a netbsd server.
>
> --apb (Alan Barrett)
My guess is that there is the old version on a netbsd server somewhere.
But the package retrieved the file from the primary mastersite and it
failed checksum as you'd expect.  So unless the user found the netbsd
server and downloaded it manually, they wouldn't be able to build it.

It's a fair comment about suspicion, but if it's the standard MO for a
particular source, then it's not "highly suspicious", it's rather
normal.  Yes, that's the easiest situation to take advantage of.  I was
just trying to fix a broken package that had been broken for the exact
same reasons in the past.  I did not become suspicious, only annoyed.

Now, in reality, what is the most effective way to handle this
situation?  I could have opened a PR, but I suspect it would become part
of the other thousands of PRs that get no attention.  Post on tech-pkg?
Or still take it on myself to do, but make sure I somehow get the
original tarball?
Once I have the original tarball, what would I be looking for w.r.t.
"suspicious" code?  Files outside the LOCALBASE?  A line-by-line review
is a bit over the top in this case, no?  Or is it?

John
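The comparison Alan suggests (old distfile against new distfile with the same name) and the review question John raises can be narrowed down mechanically before anyone reads source line by line. The script below is an added example, not code from this thread or from pkgsrc: it extracts both tarballs, lists the files that were added, removed or modified, and then prints a unified diff so only those files need human attention. It assumes POSIX sh with tar, find, cksum, awk, sort and uniq; the two sample tarballs (a fake "szip-2.1" and a repack of it) are constructed inline so it runs offline. With real distfiles, point it at the copy kept on a NetBSD mirror and the copy fetched from the master site.

```shell
#!/bin/sh
# Added example, not code from this thread or from pkgsrc: given an "old"
# and a "new" distfile with the same name, list the files whose contents
# differ so a review can concentrate on those instead of the whole tree.
# Assumes POSIX sh, tar, find, cksum, sed, awk, sort, uniq and diff.
# Both tarballs below are constructed here so the script runs offline.
set -eu
export LC_ALL=C          # byte-order sorting, independent of locale

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample: an "old" tarball and a silent repack of it ---
mkdir -p "$WORK/old/szip-2.1" "$WORK/new/szip-2.1"
printf 'int main(void) { return 0; }\n' > "$WORK/old/szip-2.1/main.c"
printf 'all:\n\tcc main.c\n' > "$WORK/old/szip-2.1/Makefile"
cp "$WORK/old/szip-2.1/main.c" "$WORK/new/szip-2.1/main.c"
# the repack changes the Makefile and adds a file that was not there before
printf 'all:\n\tcc main.c\ninstall:\n\tcp a.out /usr/local/bin/szip\n' \
    > "$WORK/new/szip-2.1/Makefile"
printf 'echo configured\n' > "$WORK/new/szip-2.1/configure.extra"
( cd "$WORK/old" && tar cf ../old.tar szip-2.1 )
( cd "$WORK/new" && tar cf ../new.tar szip-2.1 )

# tree_sums DIR: one "crc size path" line per regular file under DIR,
# with paths relative to DIR (paths containing spaces are not handled).
tree_sums() {
    ( cd "$1" && find . -type f -exec cksum {} + | sed 's|\./||' )
}

# distfile_changed_files OLD NEW: extract both tarballs and print, one per
# line and sorted, the paths that were added, removed or modified.
distfile_changed_files() {
    d=$(mktemp -d)
    mkdir "$d/a" "$d/b"
    tar xf "$1" -C "$d/a"
    tar xf "$2" -C "$d/b"
    tree_sums "$d/a" > "$d/a.sums"
    tree_sums "$d/b" > "$d/b.sums"
    # a line that is identical in both lists cancels out under uniq -u;
    # whatever remains belongs to a file present in only one tree or
    # with different contents in the two trees
    cat "$d/a.sums" "$d/b.sums" | sort | uniq -u | awk '{ print $3 }' | sort -u
    rm -rf "$d"
}

# distfile_review OLD NEW: unified diff of the two trees, for reading the
# changed files in context (diff exits 1 when they differ; that is expected).
distfile_review() {
    d=$(mktemp -d)
    mkdir "$d/a" "$d/b"
    tar xf "$1" -C "$d/a"
    tar xf "$2" -C "$d/b"
    diff -ruN "$d/a" "$d/b" || :
    rm -rf "$d"
}

CHANGED=$(distfile_changed_files "$WORK/old.tar" "$WORK/new.tar")
echo "files that differ between the two distfiles:"
echo "$CHANGED"
distfile_review "$WORK/old.tar" "$WORK/new.tar"
```

For the constructed sample the changed-file list is `szip-2.1/Makefile` and `szip-2.1/configure.extra`; an unchanged main.c is not listed, so the review can go straight to the new install target and the new script. Files that land outside LOCALBASE, new build-time scripts, and changes to configure or Makefile logic are exactly the things the diff makes visible.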




