SSHKeychain site is dead
Blair Zajac
blair at orcaware.com
Sat Oct 22 08:48:09 PDT 2011
Given it doesn't look like this feature is going away, why don't we have the
MacPorts tool that saves the tarball on macports.org get the source and tar/zip
it up? The filename can include the SCM type, URL, revision/hash number to
ensure uniqueness. Then we won't be stuck when something like this happens.
Blair
On 10/22/11 7:29 AM, Landon J Fuller wrote:
> The non-validated reproducibility of SCM-based fetching continues to grate on me years after I added the cvs fetch type ... and then immediately told everyone to not actually use it (it was provided for the KDE port maintainer's development use only, with big comments in the portfiles saying "don't use this!").
>
> That was a mistake of mine.
>
> I'd propose the possibly unpopular opinion that SCM fetching should not be used unless the fetched contents can be verified against maintainer-supplied hashes. The downside of this policy seems low -- some software that *should* produce a release anyway will require the maintainer to instead provide a proper archive of the validated sources, or support would have to be added for hashing SCM-provided files.
>
> The upside is that the files are validated, it's hard for upstream (or the maintainer) to slip in silent changes, and there's one less mechanism to be used to MITM someone running 'port upgrade outdated'.
>
> Otherwise, why are we bothering to supply hashes for the other software at all?
>
> -landonf
>
> On Oct 22, 2011, at 4:27 AM, Ryan Schmidt wrote:
>
>>
>> On Oct 21, 2011, at 23:09, Michael Crawford wrote:
>>
>>> For any ports for which you fetch from version control rather than
>>> downloading a tarball, I suggest that a cron job somewhere
>>> periodically fetch the latest code from the upstream version control,
>>> then make a tar backup.
>>>
>>> That way if their version control completely disappears you still have
>>> the source.
>>
>> The main server already does fetch each port as it's committed, in order to mirror the distfiles. It could perhaps be extended to tar up files fetched by ports that fetch from version control.
>>
>> Then again, if we implement #16373, maybe we get almost the same thing for free.
>>
>> https://trac.macports.org/ticket/16373
>>
>> _______________________________________________
>> macports-dev mailing list
>> macports-dev at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
--
Blair Zajac, Ph.D.
CTO, OrcaWare Technologies
<blair at orcaware.com>
Subversion training, consulting and support
http://www.orcaware.com/svn/
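
An added illustration, not part of the thread and not MacPorts code: one way to hash an SCM checkout so it can be checked against a maintainer-supplied digest, as the quoted proposal asks, together with a mirror filename built from SCM type, URL and revision as suggested in the reply. The listing format, the function names and the sample URL and revision are assumptions made for this example.

```python
import hashlib, os, stat, tempfile

SCM_DIRS = {".git", ".svn", ".hg", "CVS"}  # checkout metadata, not source

def tree_entries(root):
    """Yield (relative path, kind, payload) for every file and symlink under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SCM_DIRS]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):      # hash the link target, never follow it
                yield rel, b"L", os.readlink(full).encode()
            elif stat.S_ISREG(mode):
                with open(full, "rb") as f:
                    content = hashlib.sha256(f.read()).digest()
                yield rel, (b"X" if mode & stat.S_IXUSR else b"F"), content

def tree_digest(root):
    """SHA-256 over a sorted, length-prefixed listing, so fetch order cannot matter."""
    h = hashlib.sha256()
    for rel, kind, payload in sorted(tree_entries(root)):
        path = rel.encode()
        h.update(kind + len(path).to_bytes(4, "big") + path)
        h.update(len(payload).to_bytes(4, "big") + payload)
    return h.hexdigest()

def verify_checkout(root, expected_hex):
    """True only if the checkout matches the maintainer-supplied digest."""
    return tree_digest(root) == expected_hex.lower()

def mirror_name(scm, url, revision):
    """Hypothetical archive name carrying SCM type, URL (hashed) and revision."""
    return f"{scm}-{hashlib.sha256(url.encode()).hexdigest()[:12]}-{revision}.tar.gz"

if __name__ == "__main__":
    # Constructed sample checkout; the URL and revision are placeholders.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, ".git"))
    for rel, data in {"README": b"demo\n", ".git/HEAD": b"ref: refs/heads/main\n"}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    pinned = tree_digest(root)            # what the maintainer would record
    print(mirror_name("git", "https://example.invalid/demo.git", "0123abc"))
    print("clean checkout ok:", verify_checkout(root, pinned))
    with open(os.path.join(root, "README"), "ab") as f:
        f.write(b"silent upstream change\n")
    print("after change ok:", verify_checkout(root, pinned))
```

The digest deliberately ignores SCM metadata directories, timestamps and traversal order, so two fetches of the same revision hash the same while any change to a tracked file, its executable bit or a symlink target does not.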