On 2018/08/24 11:59, Theo de Raadt wrote: > Marcus MERIGHI <[email protected]> wrote: > > > Hello, > > > > according to https://lwn.net/Articles/762264/ > > bzip.org is for sale and should not be trusted. > > > > The port currently has: > > > > HOMEPAGE= http://www.bzip.org/ > > MASTER_SITES= ${HOMEPAGE}${VERSION}/ > > > > The article above does not speak of a new home of bzip2. > > That's why the ports tree checks hashes and such: > > SHA256 (bzip2-1.0.6.tar.gz) = ooSPNPzV1s9H3vAEYfy1KKBITY7e+CCNbS4pCdxh2c0= > SIZE (bzip2-1.0.6.tar.gz) = 782025 > > If the new owners have the technology to violate those two trusts, > they'll be going after some more more signicant targets first... > > However whenever this port gets updated to a new hash, that is when > someone has to ensure things look legit. > > Of course, the non-trust case of files falling off the net is a different > conversation.. >
The distfile is no longer available at bzip.org so I've mirrored it and zapped the HOMEPAGE from the port while there.
