[144262] trunk/dports/lang/py-htmldocs/Portfile

Ryan Schmidt ryandesign at macports.org
Wed Jan 6 15:44:38 PST 2016


On Jan 6, 2016, at 4:44 AM, Russell Jones wrote:

> I was thinking you might use git+https://github.com/python/cpython.git/Doc with a set checkout id using the GitHub PortGroup, but that would require building the docs.
> 
> How about using https://docs.python.org and relying on python.org's SSL cert to ensure the integrity rather than the MacPorts checksum?

An SSL certificate does not guarantee the user is getting the same files the maintainer did. It only guarantees the user is talking to the same server. The server could be compromised, or (as is the case here) the developers could issue stealth updates.


One solution is to let the MacPorts distfiles mirror mirror the file, then switch the portfile to only look at the distfiles mirror, not the original server. This would need to be done every time you update the port. See the history of the graphviz-devel port for an example of this; their automated tarball generation system was recently changed and it now sometimes inadvertently repackages the current version with a stealth update. If this is going to happen often, as seems to be the case with py-htmldocs, it can be automated in the Portfile, to a degree. See the curl-ca-bundle subport of the curl port for an example of that. 

The ideal would be to work with the developers to convince them not to issue stealth updates.
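As an added illustration of the point above (example code, not part of the original thread or of MacPorts itself): a TLS connection to the distribution server only proves who served the bytes, while a pinned checksum proves the bytes are the ones the maintainer audited. The script below pins a SHA-256 the way a Portfile's `checksums` line does and re-verifies a copy of the archive; the function names `sha256_of` and `verify_distfile`, the file name and its contents are constructed for this example, and the "stealth update" is simulated by rewriting the file under the same name.

```shell
#!/bin/sh
# Added example: verify a distfile against a pinned SHA-256, independent of
# how it was transported. Function names, file name and contents are
# constructed for illustration and are not MacPorts code.

# Print the SHA-256 of a file, using whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_distfile FILE EXPECTED_SHA256
# Returns 0 when the file matches the pinned digest, 1 otherwise.
verify_distfile() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1: expected $2, got $actual" >&2
    return 1
}

# Demonstration of the failure mode from the thread: the maintainer records
# a checksum, then upstream silently republishes different bytes under the
# same file name. Served over HTTPS, the download still "succeeds"; only
# the checksum comparison notices.
tmp=$(mktemp -d)
archive="$tmp/python-docs-html.tar.bz2"          # constructed stand-in name

printf 'docs build 1\n' > "$archive"              # what the maintainer saw
pinned=$(sha256_of "$archive")                    # value recorded in the Portfile

printf 'docs build 2\n' > "$archive"              # stealth update: same name, new content

if verify_distfile "$archive" "$pinned"; then
    echo "distfile unchanged"
else
    echo "stealth update detected; update the port or serve the pinned copy from the distfiles mirror"
fi

rm -rf "$tmp"
```

Running it prints the `FAIL` line followed by the detection message. Mirroring the audited copy on the MacPorts distfiles server, as described above, keeps the pinned checksum valid even after upstream changes the file.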
