On Sunday, June 22, 2014 22:31:50 [email protected] wrote:
> The IGNOREFILES+IGNORE mechanism allows port maintainers to
> disable checksum checks. I feel that this mechanism is a stain
> on an otherwise fantastic ports system. It reduces user
> confidence in security and makes us all sitting ducks for
> sophisticated adversaries.

Er. There's nothing stopping a port maintainer from saying "Sorry, the distfiles aren't fetchable from the master sites any more, I can host a copy" and then host a malicious distfile. Or doing any number of simpler things to cause a problem. The Project doesn't have the resources to audit every single distfile's code. If you're that paranoid, you're welcome to do so yourself.

-- 
Chris Nehren
