Re: CVS commit: pkgsrc/archivers/szip

To: pkgsrc-changes%NetBSD.org@localhost
Subject: Re: CVS commit: pkgsrc/archivers/szip
From: Alan Barrett <apb%cequrux.com@localhost>
Date: Sun, 20 Nov 2011 17:57:48 +0200

On Sun, 20 Nov 2011, John Marino wrote:

Yes, I guess it's possible that somebody hacked into thehdfgroup.org server, and replaced the source tarball with onewith a trojan in it after hdfgroup repacked the same tarball 3times before. But no, I did not do a line-by-line diff on allthe sources because primarily I didn't have the original source.It was no longer available (the entire reason it caught myattention.)

When you encounter a package whose distfile name stays the samewhile the distfile contents change, you should immediately bevery suspicious. If you can't compare the old and new distfilesbecause you don't have the old distfile, then you could askwhether anybody else has the old distfile.

If a particular upstream maintainer has a history of making suchchanges, then I think we should try extra hard to keep a stableversion of the distfile on a netbsd server.


--apb (Alan Barrett)

Follow-Ups:
- Re: CVS commit: pkgsrc/archivers/szip
  - From: David Holland

References:
- CVS commit: pkgsrc/archivers/szip
  - From: John Marino
- Re: CVS commit: pkgsrc/archivers/szip
  - From: Bernd Ernesti
- Re: CVS commit: pkgsrc/archivers/szip
  - From: John Marino
- Re: CVS commit: pkgsrc/archivers/szip
  - From: Bernd Ernesti
- Re: CVS commit: pkgsrc/archivers/szip
  - From: John Marino

Prev by Date: CVS commit: [pkgsrc-2011Q3] pkgsrc/doc
Next by Date: CVS commit: pkgsrc/pkgtools/tinderbox-dragonfly
Previous by Thread: Re: CVS commit: pkgsrc/archivers/szip
Next by Thread: Re: CVS commit: pkgsrc/archivers/szip
Indexes:

Home | Main Index | Thread Index | Old Index