On Tue, Nov 10, 2009 at 06:12:40PM +0000, RW wrote:
> On Tue, 10 Nov 2009 12:32:28 +0200
> Peter Pentchev <r...@ringlet.net> wrote:
>
> > The Ports Collection's distfile checksums make sure that you get
> > exactly the same files *as the port maintainer examined at some
> > previous moment in time*.
>
> More importantly it guards against maliciously modified source code.
> Someone might break into a legitimate mirror or use dns poisoning to
> distribute malware.

That's the whole point :)  That's also why the maintainer is supposed
to examine the files before submitting (or committing) a port update -
to guard against source code that has been maliciously modified on the
master sites (or on fake master sites that the maintainer has been
redirected to).

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@space.bg r...@freebsd.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
If wishes were fishes, the antecedent of this conditional would be true.
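
The check discussed in this thread, as an added example that is not part of the original messages or the Ports Collection's own code: a fetched distfile is accepted only if it matches the SHA256 and SIZE lines the maintainer recorded in the port's distinfo. The file name hello-1.0.tar.gz and the sample bytes are constructed for illustration.

```python
import hashlib
import re

# distinfo lines this sketch understands (others, e.g. TIMESTAMP or MD5, are skipped):
#   SHA256 (name) = <hex>
#   SIZE (name) = <bytes>
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        key, name, value = m.groups()
        entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, entries):
    """Return "ok", or the reason the fetched bytes are rejected."""
    rec = entries.get(name)
    if rec is None or "SHA256" not in rec:
        return "no recorded checksum"  # fail closed: unknown files are not trusted
    if "SIZE" in rec and rec["SIZE"] != len(data):
        return "size mismatch"
    if hashlib.sha256(data).hexdigest() != rec["SHA256"]:
        return "checksum mismatch"
    return "ok"

# Constructed sample: the bytes the maintainer examined, and the distinfo recorded from them.
EXAMINED = b"int main(void) { return 0; }\n"
DISTINFO = (
    f"SHA256 (hello-1.0.tar.gz) = {hashlib.sha256(EXAMINED).hexdigest()}\n"
    f"SIZE (hello-1.0.tar.gz) = {len(EXAMINED)}\n"
)
# Same length, different content, standing in for what a modified mirror serves.
TAMPERED = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    for label, blob in (("examined", EXAMINED), ("tampered", TAMPERED)):
        print(label, verify_distfile("hello-1.0.tar.gz", blob, entries))
```

The check only ties later downloads to the bytes that were recorded; it says nothing about whether those bytes were trustworthy when the distinfo was generated, which is the maintainer's examination step described above.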