On Tue, May 21, 2002 at 15:18:14 -0700, Kris Kennaway wrote:
> On Tue, May 21, 2002 at 08:16:40AM -0700, Andrey A. Chernov wrote:
> > ache 2002/05/21 08:16:40 PDT
> >=20
> > Modified files:
> > security/drweb Makefile distinfo=20
> > security/drweb/files patch-aa patch-ab=20
> > Log:
> > Distfile re-rolled on official site
>=20
> Please summarize the diffs in the distfile in a followup commit.
Should I? We don't do that even for releases, why do that for silent=20
updates?
In that particular case I know some info, but in general I don't want to=20
do special research comparing two distributions byte-by-byte only because=
=20
developers are lazy enough to not explain their own minor updates.
--=20
Andrey A. Chernov
http://ache.pp.ru/
--82I3+IH0IqGh5yIs
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iQCVAwUBPOrfT+JgpPLZnQjrAQEcPwP/c6gmdgcHASp14nywbboy7xWBuSpP1+6K
WLbptwRL53FhMW/NA/hmQJDj+QdJw3D8dKbv7sT5+FS++PNPSMVwqTJrct2KK00f
ughHkJuCZFhYrrk9kjSMPeTpPicKdlp3wnbtWzmlLW4LTh5tDrmwwV3zj7SGbCbS
x3997b7FMsU=
=0ZGw
-----END PGP SIGNATURE-----
--82I3+IH0IqGh5yIs--
To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
On Wed, May 22, 2002 at 03:59:12AM +0400, Andrey A. Chernov wrote:
> On Tue, May 21, 2002 at 15:18:14 -0700, Kris Kennaway wrote:
> > On Tue, May 21, 2002 at 08:16:40AM -0700, Andrey A. Chernov wrote:
> > > ache 2002/05/21 08:16:40 PDT
> > >=20
> > > Modified files:
> > > security/drweb Makefile distinfo=20
> > > security/drweb/files patch-aa patch-ab=20
> > > Log:
> > > Distfile re-rolled on official site
> >=20
> > Please summarize the diffs in the distfile in a followup commit.
>=20
> Should I?
Yes; it's a rule we apply to all ports committers. Please see
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.=
html#Q10.4.4.
> We don't do that even for releases, why do that for silent=20
> updates?
I don't want to go into this again, because the discussion has taken
place many times already. =20
> In that particular case I know some info, but in general I don't want to=
=20
> do special research comparing two distributions byte-by-byte only because=
=20
> developers are lazy enough to not explain their own minor updates.
It's not a very demanding requirement; just do a diff -ruN and inspect
the changes visually. If the changes are significant then just note
as such. The main thing you're looking for are changes which were
inserted into the distfile maliciously.
Kris
--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQE86uakWry0BWjoQKURAmEhAJ4qk78QLlgxNTlR7ezBmtHJ40DIxgCg+So4
ex/mOk7A1hQBHW6/GlmmMJ8=
=SngB
-----END PGP SIGNATURE-----
--2oS5YaxWCcQjTEyO--
On Tue, May 21, 2002 at 17:30:29 -0700, Kris Kennaway wrote:
> Yes; it's a rule we apply to all ports committers. Please see
>=20
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/port=
s.html#Q10.4.4.
I disagree with that. It seems this rule mix porter and security officer
tasks. As porter what I do I port application. As porter, I already check
that "distfile has not been corrupted". But it is security officer, who
must find out, if distfile is "maliciously altered", comparing differences
at whole and analyzing code with debugger, especially for _binary_ port
like drweb! It is security officer who must educate developer to not
re-roll their distfiles like written: "otherwise the author or maintainer
should be contacted to find out why the distfile has changed."
> It's not a very demanding requirement; just do a diff -ruN and inspect
> the changes visually. If the changes are significant then just note
> as such. The main thing you're looking for are changes which were
> inserted into the distfile maliciously.
The changes are:
drweb:
Binary daemon changed.
Config files changed.
drweb-sendmail:
*.o *.a removed
Config files changed.
It is what I find out during the porting. I have no time and energy to=20
detalize it more and I am not sure even that this list is complete!
--=20
Andrey A. Chernov
http://ache.pp.ru/
--wac7ysb48OaltWcw
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iQCVAwUBPOr/FeJgpPLZnQjrAQHq/gQAkvhjZKP8rb4x12e1U6+DV5w+0hPfMhMt
w6i45VHjiMDOzrMHph0KLXykS8cwMauVAG7HIJ1y2SBJHDoUtwo+Q7t8YYhYyvbY
ztGts6JbcS7ch/zys7/oItaeG+/imyb4dBsIBXe2ViiZb69/SFXYKa96CdXKt1Ck
K7YEjPku+PU=
=VRB/
-----END PGP SIGNATURE-----
--wac7ysb48OaltWcw--
You think the security officers is going to look at *EVERY* change
themselves? As a porter, you should *care* if your port is secure...
| > It's not a very demanding requirement; just do a diff -ruN and inspect
| > the changes visually. If the changes are significant then just note
| > as such. The main thing you're looking for are changes which were
| > inserted into the distfile maliciously.
|
| The changes are:
|
| drweb:
| Binary daemon changed.
| Config files changed.
|
| drweb-sendmail:
| *.o *.a removed
| Config files changed.
|
| It is what I find out during the porting. I have no time and energy to
| detalize it more and I am not sure even that this list is complete!
So, next time could you just say "the binary daemon changed [a minor
change to <whatever>], the default configs were updated, *.{o,a} files
were removed."
Reading a diff really isn't that hard...
--pete
--
Pete Fritchman [petef@(databits.net|freebsd.org|csh.rit.edu)]
finger pe...@databits.net for PGP key