Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

cvs commit: ports/security/drweb Makefile distinfo ports/security/drweb/files patch-aa patch-ab

1 view
Skip to first unread message

Andrey A. Chernov

unread,
May 21, 2002, 8:00:38 PM5/21/02
to

--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 21, 2002 at 15:18:14 -0700, Kris Kennaway wrote:
> On Tue, May 21, 2002 at 08:16:40AM -0700, Andrey A. Chernov wrote:
> > ache 2002/05/21 08:16:40 PDT
> >=20
> > Modified files:
> > security/drweb Makefile distinfo=20
> > security/drweb/files patch-aa patch-ab=20
> > Log:
> > Distfile re-rolled on official site
>=20
> Please summarize the diffs in the distfile in a followup commit.

Should I? We don't do that even for releases, why do that for silent=20
updates?

In that particular case I know some info, but in general I don't want to=20
do special research comparing two distributions byte-by-byte only because=
=20
developers are lazy enough to not explain their own minor updates.

--=20
Andrey A. Chernov
http://ache.pp.ru/

--82I3+IH0IqGh5yIs
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPOrfT+JgpPLZnQjrAQEcPwP/c6gmdgcHASp14nywbboy7xWBuSpP1+6K
WLbptwRL53FhMW/NA/hmQJDj+QdJw3D8dKbv7sT5+FS++PNPSMVwqTJrct2KK00f
ughHkJuCZFhYrrk9kjSMPeTpPicKdlp3wnbtWzmlLW4LTh5tDrmwwV3zj7SGbCbS
x3997b7FMsU=
=0ZGw
-----END PGP SIGNATURE-----

--82I3+IH0IqGh5yIs--

To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

Kris Kennaway

unread,
May 21, 2002, 8:31:22 PM5/21/02
to

--2oS5YaxWCcQjTEyO

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 22, 2002 at 03:59:12AM +0400, Andrey A. Chernov wrote:
> On Tue, May 21, 2002 at 15:18:14 -0700, Kris Kennaway wrote:
> > On Tue, May 21, 2002 at 08:16:40AM -0700, Andrey A. Chernov wrote:
> > > ache 2002/05/21 08:16:40 PDT
> > >=20
> > > Modified files:
> > > security/drweb Makefile distinfo=20
> > > security/drweb/files patch-aa patch-ab=20
> > > Log:
> > > Distfile re-rolled on official site
> >=20
> > Please summarize the diffs in the distfile in a followup commit.

>=20
> Should I?

Yes; it's a rule we apply to all ports committers. Please see

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.=
html#Q10.4.4.

> We don't do that even for releases, why do that for silent=20
> updates?

I don't want to go into this again, because the discussion has taken
place many times already. =20

> In that particular case I know some info, but in general I don't want to=
=20
> do special research comparing two distributions byte-by-byte only because=
=20
> developers are lazy enough to not explain their own minor updates.

It's not a very demanding requirement; just do a diff -ruN and inspect
the changes visually. If the changes are significant then just note
as such. The main thing you're looking for are changes which were
inserted into the distfile maliciously.

Kris

--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE86uakWry0BWjoQKURAmEhAJ4qk78QLlgxNTlR7ezBmtHJ40DIxgCg+So4
ex/mOk7A1hQBHW6/GlmmMJ8=
=SngB
-----END PGP SIGNATURE-----

--2oS5YaxWCcQjTEyO--

Andrey A. Chernov

unread,
May 21, 2002, 10:16:06 PM5/21/02
to

--wac7ysb48OaltWcw

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 21, 2002 at 17:30:29 -0700, Kris Kennaway wrote:

> Yes; it's a rule we apply to all ports committers. Please see

>=20
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/port=
s.html#Q10.4.4.

I disagree with that. It seems this rule mix porter and security officer
tasks. As porter what I do I port application. As porter, I already check
that "distfile has not been corrupted". But it is security officer, who
must find out, if distfile is "maliciously altered", comparing differences
at whole and analyzing code with debugger, especially for _binary_ port
like drweb! It is security officer who must educate developer to not
re-roll their distfiles like written: "otherwise the author or maintainer
should be contacted to find out why the distfile has changed."

> It's not a very demanding requirement; just do a diff -ruN and inspect
> the changes visually. If the changes are significant then just note
> as such. The main thing you're looking for are changes which were
> inserted into the distfile maliciously.

The changes are:

drweb:
Binary daemon changed.
Config files changed.

drweb-sendmail:
*.o *.a removed
Config files changed.

It is what I find out during the porting. I have no time and energy to=20
detalize it more and I am not sure even that this list is complete!

--=20
Andrey A. Chernov
http://ache.pp.ru/

--wac7ysb48OaltWcw
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPOr/FeJgpPLZnQjrAQHq/gQAkvhjZKP8rb4x12e1U6+DV5w+0hPfMhMt
w6i45VHjiMDOzrMHph0KLXykS8cwMauVAG7HIJ1y2SBJHDoUtwo+Q7t8YYhYyvbY
ztGts6JbcS7ch/zys7/oItaeG+/imyb4dBsIBXe2ViiZb69/SFXYKa96CdXKt1Ck
K7YEjPku+PU=
=VRB/
-----END PGP SIGNATURE-----

--wac7ysb48OaltWcw--

Pete Fritchman

unread,
May 22, 2002, 12:33:52 AM5/22/02
to
++ 22/05/02 06:14 +0400 - Andrey A. Chernov:

| On Tue, May 21, 2002 at 17:30:29 -0700, Kris Kennaway wrote:
|
| > Yes; it's a rule we apply to all ports committers. Please see
| >
| > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#Q10.4.4.

|
| I disagree with that. It seems this rule mix porter and security officer
| tasks. As porter what I do I port application. As porter, I already check
| that "distfile has not been corrupted". But it is security officer, who
| must find out, if distfile is "maliciously altered", comparing differences
| at whole and analyzing code with debugger, especially for _binary_ port
| like drweb! It is security officer who must educate developer to not
| re-roll their distfiles like written: "otherwise the author or maintainer
| should be contacted to find out why the distfile has changed."

You think the security officers is going to look at *EVERY* change
themselves? As a porter, you should *care* if your port is secure...

| > It's not a very demanding requirement; just do a diff -ruN and inspect
| > the changes visually. If the changes are significant then just note
| > as such. The main thing you're looking for are changes which were
| > inserted into the distfile maliciously.
|
| The changes are:
|
| drweb:
| Binary daemon changed.
| Config files changed.
|
| drweb-sendmail:
| *.o *.a removed
| Config files changed.
|
| It is what I find out during the porting. I have no time and energy to

| detalize it more and I am not sure even that this list is complete!

So, next time could you just say "the binary daemon changed [a minor
change to <whatever>], the default configs were updated, *.{o,a} files
were removed."

Reading a diff really isn't that hard...

--pete

--
Pete Fritchman [petef@(databits.net|freebsd.org|csh.rit.edu)]
finger pe...@databits.net for PGP key

0 new messages