SSHKeychain site is dead

Landon J Fuller landonf at macports.org
Sat Oct 22 07:29:59 PDT 2011


The non-validated reproducibility of SCM-based fetching continues to grate on me years after I added the cvs fetch type ... and then immediately told everyone to not actually use it (it was provided for the KDE port maintainer's development use only, with big comments in the portfiles saying "don't use this!").

That was a mistake of mine.

I'd propose the possibly unpopular opinion that SCM fetching should not be used unless the fetched contents can be verified against maintainer-supplied hashes. The downside of this policy seems low -- some software that *should* produce a release anyway will require the maintainer to instead provide a proper archive of the validated sources, or support would have to be added for hashing SCM-provided files.

The upside is that the files are validated, it's hard for upstream (or the maintainer) to slip in silent changes, and there's one less mechanism to be used to MITM someone running 'port upgrade outdated'.

Otherwise, why are we bothering to supply hashes for the other software at all?

-landonf

On Oct 22, 2011, at 4:27 AM, Ryan Schmidt wrote:

> 
> On Oct 21, 2011, at 23:09, Michael Crawford wrote:
> 
>> For any ports for which you fetch from version control rather than
>> downloading a tarball, I suggest that a cron job somewhere
>> periodically fetch the latest code from the upstream version control,
>> then make a tar backup.
>> 
>> That way if their version control completely disappears you still have
>> the source.
> 
> The main server already does fetch each port as it's committed, in order to mirror the distfiles. It could perhaps be extended to tar up files fetched by ports that fetch from version control.
> 
> Then again, if we implement #16373, maybe we get almost the same thing for free.
> 
> https://trac.macports.org/ticket/16373
> 
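As an added illustration of the "hashing SCM-provided files" idea raised above (example code written for this page, not MacPorts code and not anything either poster wrote): a checkout has no single archive to hash, so the digest has to be computed over the tree itself in a deterministic way. The sketch below walks the checkout, skips the SCM client's own bookkeeping directories, and folds each file's path, type, executable bit and content hash into one digest in sorted order, so two checkouts of the same revision produce the same value and any silent change to a source file produces a different one. The sample checkout it builds under a temporary directory is constructed for the demo; the function names and the "f/x/L" record format are this example's own conventions, not a MacPorts format.

```python
import hashlib
import hmac
import os
import pathlib
import tempfile

# Directories written by the SCM client itself; they are not part of the
# upstream sources and vary between checkouts, so they are excluded.
SCM_DIRS = {".git", ".svn", ".hg", "CVS"}


def tree_digest(root, algorithm="sha256"):
    """Deterministic digest of a checked-out tree (this example's own scheme).

    Each regular file or symlink contributes one length-prefixed record
    "<kind> <len>:<relative path>\\0" followed by the digest of its content
    (or link target).  Records are sorted by path, so directory walk order
    and filesystem layout do not influence the result.
    """
    root = pathlib.Path(root)
    entries = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in SCM_DIRS for part in rel.parts):
            continue
        key = rel.as_posix()
        if path.is_symlink():
            entries.append((key, "L", os.readlink(path).encode()))
        elif path.is_file():
            kind = "x" if path.stat().st_mode & 0o111 else "f"
            entries.append((key, kind, path.read_bytes()))
        # bare directories carry no content of their own and are not recorded
    h = hashlib.new(algorithm)
    for key, kind, data in sorted(entries):
        h.update(f"{kind} {len(key)}:{key}\0".encode())
        h.update(hashlib.new(algorithm, data).digest())
    return h.hexdigest()


def verify_checkout(root, expected_digest, algorithm="sha256"):
    """Compare the tree digest against a maintainer-supplied value."""
    actual = tree_digest(root, algorithm)
    return hmac.compare_digest(actual, expected_digest.lower())


def build_sample_checkout(root):
    """Constructed stand-in for an SCM checkout: two source files plus .git."""
    root = pathlib.Path(root)
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.c").write_bytes(b"int main(void) { return 0; }\n")
    (root / "README").write_bytes(b"sample project\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_bytes(b"ref: refs/heads/master\n")
    return root


def demo():
    """Exercise the three properties the policy needs; returns flags for each."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_sample_checkout(a)
        build_sample_checkout(b)
        expected = tree_digest(a)  # the value a maintainer would record
        # 1. an independent checkout of the same sources verifies
        same_sources_verify = verify_checkout(b, expected)
        # 2. SCM bookkeeping changing (e.g. a new .git/index) does not matter
        (pathlib.Path(b) / ".git" / "index").write_bytes(b"scm bookkeeping")
        scm_metadata_ignored = verify_checkout(b, expected)
        # 3. a silent change to one source file is caught
        (pathlib.Path(b) / "src" / "main.c").write_bytes(b"int main(void) { return 1; }\n")
        tampering_detected = not verify_checkout(b, expected)
        return expected, same_sources_verify, scm_metadata_ignored, tampering_detected


if __name__ == "__main__":
    digest, ok_same, ok_meta, ok_tamper = demo()
    print(f"digest={digest}\nsame sources verify: {ok_same}")
    print(f"scm metadata ignored: {ok_meta}\ntampering detected: {ok_tamper}")
```

The digest is only as trustworthy as the channel it arrived through: it has to come from the maintainer (for example committed alongside the port definition), not from the same repository being fetched, or an attacker who controls the upstream can simply update both.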
