From: RW on 10 Nov 2009 13:12

On Tue, 10 Nov 2009 12:32:28 +0200 Peter Pentchev <roam(a)ringlet.net> wrote:
> The Ports Collection's distfile checksums make sure that you get
> exactly the same files *as the port maintainer examined at some
> previous moment in time*.

More importantly it guards against maliciously modified source code. Someone might break into a legitimate mirror or use dns poisoning to distribute malware.

_______________________________________________
freebsd-ports(a)freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"

From: Xin LI on 10 Nov 2009 13:54

Eitan Adler wrote:
> Correct me if I'm wrong but I thought that svn did its own checksumming.
> If so why do we need to do our own?

"In God we trust, everyone else must have an X.509 certificate."

Well, that need not necessarily be an X.509 certificate, but it must be some form of signature, as it's not too hard to replace a specific revision in svn if the server gets compromised.

Cheers,
--
Xin LI <delphij(a)delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From: Eitan Adler on 10 Nov 2009 15:28

Alright - I updated the wiki page to summarize the thread so far. I'd appreciate if people could comment on the "spec" part specifically. I'd like to see that section become much more specific (so that I could use it to unambiguously write something based off of it).

I'm holding off on writing any new implementations at the moment to see where things head in terms of how things should be done.

http://wiki.freebsd.org/EitanAdler/ports-svn

From: Peter Pentchev on 10 Nov 2009 17:39

On Tue, Nov 10, 2009 at 06:12:40PM +0000, RW wrote:
> On Tue, 10 Nov 2009 12:32:28 +0200
> Peter Pentchev <roam(a)ringlet.net> wrote:
>
> > The Ports Collection's distfile checksums make sure that you get
> > exactly the same files *as the port maintainer examined at some
> > previous moment in time*.
>
> More importantly it guards against maliciously modified source code.
> Someone might break into a legitimate mirror or use dns poisoning to
> distribute malware.

That's the whole point :) That's also why the maintainer is supposed to examine the files before submitting (or committing) a port update - to guard against source code that has been maliciously modified on the master sites (or on fake master sites that the maintainer has been redirected to).

G'luck,
Peter

--
Peter Pentchev roam(a)ringlet.net roam(a)space.bg roam(a)FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
If wishes were fishes, the antecedent of this conditional would be true.

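The check discussed in the messages above, as an added example that is not part of any poster's message and not the Ports Collection's own code: a fetched distfile is accepted only if it matches the size and SHA256 recorded when the maintainer examined it. It assumes the `SHA256 (name) = hex` and `SIZE (name) = bytes` line format of a port's distinfo file; the file name and contents are constructed samples.

```python
import hashlib
import re

# Assumed distinfo line format: "SHA256 (name) = hex" / "SIZE (name) = bytes".
_LINE = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # comments and other record types are ignored here
        value = m.group("value")
        if m.group("kind") == "SIZE":
            value = int(value)
        else:
            value = value.lower()
        entries.setdefault(m.group("name"), {})[m.group("kind")] = value
    return entries


def verify_distfile(name, data, entries):
    """Return (ok, reason). Fails closed when the record is missing or partial."""
    rec = entries.get(name)
    if rec is None or "SHA256" not in rec or "SIZE" not in rec:
        return False, "no complete distinfo record"
    if len(data) != rec["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != rec["SHA256"]:
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample data: what the maintainer examined, and a same-length
# copy as it might arrive from a compromised mirror.
NAME = "example-1.0.tar.bz2"
EXAMINED = b"int main(void) { return 0; }\n"
TAMPERED = b"int main(void) { return 1; }\n"
DISTINFO = "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
    NAME, hashlib.sha256(EXAMINED).hexdigest(), NAME, len(EXAMINED))

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    for label, blob in (("examined", EXAMINED), ("tampered", TAMPERED)):
        print(label, verify_distfile(NAME, blob, entries))
```

The recorded values are only as trustworthy as the channel that delivers the distinfo file itself, which is the point about signatures made earlier in the thread.
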
From: Eitan Adler on 12 Nov 2009 13:42

Any problems with something like this in bsd.svn.mk? Comments and suggestions welcome...

# Export the chosen revision into the work directory.
x-svn-export:
	svn export -r${SVN_REV} ${SVN_URL} ${WRKSRC}
# Pack the export as the distfile, then remove the export.
x-svn-tar:
	${TAR} -cjvf ${DISTNAME}.tar.bz2 ${WRKSRC}
	${RM} -rf ${WRKSRC}
# "!=" is evaluated when the makefile is parsed, so it sits outside a recipe.
.if make(x-svn-head) || make(x-svn-all)
SVN_REV!=	svn info ${SVN_URL} | grep "^Last Changed Rev:" | awk '{print $$4}'
.endif
x-svn-head:
# Keep this order under parallel make as well.
.ORDER: x-svn-head x-svn-export x-svn-tar makesum
x-svn-all: x-svn-head x-svn-export x-svn-tar makesum
x-svn-prebuild: x-svn-export x-svn-tar checksum