Re: ioquake3 support more platforms
Doug Barton wrote:
> Dominic Fandrey wrote:
>> But this is not the case we're talking about (I explained the process
>> in sufficient detail, I think). I take an up to date snapshot, apply my
>> patch set, make a couple of test builds and runs, update the patch set
>> until everything works as expected. Then I wrap the whole thing (SVN
>> snapshot and my patches) up in a tar.gz and upload it to an ftp server.
>
> Well then I misunderstood what was proposed, and I apologize for that.
> What you described is supported, and some ports are already doing it.

I'm really glad this is just a misunderstanding, I was about to panic.

Regards

--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ioquake3 support more platforms
Dominic Fandrey wrote:
> But this is not the case we're talking about (I explained the process
> in sufficient detail, I think). I take an up to date snapshot, apply my
> patch set, make a couple of test builds and runs, update the patch set
> until everything works as expected. Then I wrap the whole thing (SVN
> snapshot and my patches) up in a tar.gz and upload it to an ftp server.

Well then I misunderstood what was proposed, and I apologize for that.
What you described is supported, and some ports are already doing it.

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover!
http://SupersetSolutions.com/

Re: ioquake3 support more platforms
On Sat, Dec 19, 2009 at 04:02:31PM +0100, Dominic Fandrey wrote:
> I don't see the wiggle room for anything spontaneously changing when
> properly checksummed distfiles are involved.

Alright, then I misread it.

mcl

Re: ioquake3 support more platforms
b. f. wrote:
>> On Fri, Dec 18, 2009 at 02:50:31PM +0100, Dominic Fandrey wrote:
>>> So when I submitted ioquake3-1.36 I condemned some poor committer
>>> to read 366609 lines of code?
>> We expect them to test-install the initial code to make sure it's
>> not malware.
>>
>> We expect them to scan the diffs to make sure the system isn't rooted.
>
>> What's your alternate suggestion? Just let everyone commit whatever
>> they want and hope for the best?
>
> Aren't the two of you talking at cross-purposes here? It seems to me
> that the OP is looking for a way to update a port to a distfile
> created from a snapshot of project sources -- not in the sense of
> sources that are recreated each and every build by fetching a snapshot
> from a remote VCS, but an actual tarball that has been audited,
> checksummed, and uploaded to a project server. Surely this is needed
> for a few ports, including some now in the tree?

I have the same impression. I'm wondering how this could be the case.
In the OP I wrote:
> I'm providing distfiles, ...

I don't see the wiggle room for anything spontaneously changing when
properly checksummed distfiles are involved.

Re: ioquake3 support more platforms
Doug Barton wrote:
> Dominic Fandrey wrote:
>> But that's not different for any port. E.g. sysutils/bsdadminscripts is
>> all mine, I create the distfiles and maintain the port, there is no
>> guarantee that I don't do evil apart from me being quite certain that
>> I don't.
>
> Mark already pointed out that maintainers and committers actually _do_
> have a responsibility to dig into changes, be knowledgeable about
> upgrades, etc. I agree with his perspective on this.
>
>> Why can one assume that an ioquake release is safe? One really cannot.
>> It's made by the same people who maintain the non-trustworthy SVN.
>>
>> What if I created a sourceforge project freebsd-ioquake and published
>> my distfiles there as ioquake freebsd releases. Would it suddenly
>> turn trustworthy?
>
> The security problems involved in trying to audit a fixed, known set
> of files are minuscule compared to the problems involved in auditing a
> set of files that can change on a minute by minute basis. The whole
> concept of creating a FreeBSD port that checks source files out of a
> third-party svn repository is anathema to the whole concept of ports
> security.

Even if the files were directly checked out from SVN, they'd be checked
out from a tested point in time.

But this is not the case we're talking about (I explained the process
in sufficient detail, I think). I take an up to date snapshot, apply my
patch set, make a couple of test builds and runs, update the patch set
until everything works as expected. Then I wrap the whole thing (SVN
snapshot and my patches) up in a tar.gz and upload it to an ftp server.

There's no danger that anything changes. I'm not about to break md5 and
sha256.

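Added example, not part of the thread and not code from the FreeBSD ports tree: a minimal sketch of why a tested snapshot tarball pinned by checksum cannot change silently, while a later checkout would be caught. It assumes distinfo records of the form `SHA256 (file) = hex` and `SIZE (file) = bytes`; the distfile name and contents are constructed.

```python
import hashlib
import re

# One distinfo record per line: "SHA256 (name) = <hex>" or "SIZE (name) = <bytes>".
RECORD = re.compile(r"^(\w+) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": "123", ...}}."""
    pins = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            algo, name, value = m.groups()
            pins.setdefault(name, {})[algo] = value
    return pins

def verify_distfile(name, data, pins):
    """Check fetched bytes against the pinned record; return a list of problems."""
    pin = pins.get(name)
    if pin is None:
        return [f"{name}: no distinfo record, refusing unpinned file"]
    problems = []
    if "SHA256" not in pin:
        problems.append(f"{name}: record has no SHA256")
    elif hashlib.sha256(data).hexdigest() != pin["SHA256"].lower():
        problems.append(f"{name}: SHA256 mismatch")
    if "SIZE" in pin and len(data) != int(pin["SIZE"]):
        problems.append(f"{name}: SIZE mismatch")
    return problems

def make_distinfo(name, data):
    """What the maintainer records once, after testing the snapshot tarball."""
    return (f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
            f"SIZE ({name}) = {len(data)}\n")

# Constructed sample: stand-in bytes for the tested snapshot tarball.
NAME = "ioquake3-snapshot.tar.gz"  # hypothetical distfile name
TESTED = b"svn snapshot + FreeBSD patches, as tested by the maintainer\n"
PINS = parse_distinfo(make_distinfo(NAME, TESTED))

if __name__ == "__main__":
    print(verify_distfile(NAME, TESTED, PINS))                    # unchanged upload
    print(verify_distfile(NAME, TESTED + b"later commit", PINS))  # upstream moved on
    print(verify_distfile("other.tar.gz", TESTED, PINS))          # never pinned
```

The check only proves the bytes are the ones the maintainer recorded; whether those bytes are safe is still the audit question the thread argues about.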
Re: ioquake3 support more platforms
Dominic Fandrey wrote:
> But that's not different for any port. E.g. sysutils/bsdadminscripts is
> all mine, I create the distfiles and maintain the port, there is no
> guarantee that I don't do evil apart from me being quite certain that
> I don't.

Mark already pointed out that maintainers and committers actually _do_
have a responsibility to dig into changes, be knowledgeable about
upgrades, etc. I agree with his perspective on this.

> Why can one assume that an ioquake release is safe? One really cannot.
> It's made by the same people who maintain the non-trustworthy SVN.
>
> What if I created a sourceforge project freebsd-ioquake and published
> my distfiles there as ioquake freebsd releases. Would it suddenly
> turn trustworthy?

The security problems involved in trying to audit a fixed, known set
of files are minuscule compared to the problems involved in auditing a
set of files that can change on a minute by minute basis. The whole
concept of creating a FreeBSD port that checks source files out of a
third-party svn repository is anathema to the whole concept of ports
security.

Doug

Re: ioquake3 support more platforms
>On Fri, Dec 18, 2009 at 02:50:31PM +0100, Dominic Fandrey wrote:
>> So when I submitted ioquake3-1.36 I condemned some poor committer
>> to read 366609 lines of code?
>
>We expect them to test-install the initial code to make sure it's
>not malware.
>
>We expect them to scan the diffs to make sure the system isn't rooted.

>What's your alternate suggestion? Just let everyone commit whatever
>they want and hope for the best?

Aren't the two of you talking at cross-purposes here? It seems to me
that the OP is looking for a way to update a port to a distfile
created from a snapshot of project sources -- not in the sense of
sources that are recreated each and every build by fetching a snapshot
from a remote VCS, but an actual tarball that has been audited,
checksummed, and uploaded to a project server. Surely this is needed
for a few ports, including some now in the tree?

Regards,
b.

Re: ioquake3 support more platforms
On Fri, Dec 18, 2009 at 02:50:31PM +0100, Dominic Fandrey wrote:
> So when I submitted ioquake3-1.36 I condemned some poor committer
> to read 366609 lines of code?

We expect them to test-install the initial code to make sure it's
not malware.

We expect them to scan the diffs to make sure the system isn't rooted.

What's your alternate suggestion? Just let everyone commit whatever
they want and hope for the best?

mcl

Re: ioquake3 support more platforms
Mark Linimon wrote:
> On Fri, Dec 18, 2009 at 01:43:20PM +0100, Dominic Fandrey wrote:
>> Are committers really supposed to read the code?
>
> Yes.

So when I submitted ioquake3-1.36 I condemned some poor committer
to read 366609 lines of code?

Re: ioquake3 support more platforms
On Fri, Dec 18, 2009 at 01:43:20PM +0100, Dominic Fandrey wrote:
> Are committers really supposed to read the code?

Yes.

mcl

Re: ioquake3 support more platforms
Mark Linimon wrote:
> On Fri, Dec 18, 2009 at 12:31:38PM +0100, Dominic Fandrey wrote:
>> But that's not different for any port. E.g. sysutils/bsdadminscripts is
>> all mine, I create the distfiles and maintain the port, there is no
>> guarantee that I don't do evil apart from me being quite certain that
>> I don't.
>
> Sure there is. That's why we have ports committers. They are supposed
> to audit the changes to the port to make sure that the changes are safe.
> In particular, I expect that they check that the changes are not so
> extensive that they indicate the distributing system has been hacked.

Are committers really supposed to read the code? I find that highly
improbable, even for my shell scripts that only consist of a couple KBs
of code.

>
>> Why can one assume that an ioquake release is safe? One really cannot.
>> It's made by the same people who maintain the non-trustworthy SVN.
>
> There's no such check as the above possible with checkouts from a source
> control system. You get whatever is on that box at time T.

And I'm checking what those changes are to keep this stuff running on
FreeBSD. The ioquake3 project doesn't hand commit right to everyone.

Look at the e17 ports. Someone takes SVN snapshots, fixes them up for
FreeBSD and bundles them as distfiles. It's exactly the same process I
use for ioquake3, but no one thinks the ports are untrustworthy.

>> Also it's a -devel port. That kinda screams "At your own risk" right
>> into your face.
>
> And NO_PACKAGES would further guarantee it.

I don't see that. But I see a lot of disadvantages. E.g. ioquake
releases only occur every couple of years. Long before the next release
occurs it might not make sense to maintain the last release, because
it's simply depending on a lot of outdated infrastructure.

Regards

Re: ioquake3 support more platforms
On Fri, Dec 18, 2009 at 12:31:38PM +0100, Dominic Fandrey wrote:
> But that's not different for any port. E.g. sysutils/bsdadminscripts is
> all mine, I create the distfiles and maintain the port, there is no
> guarantee that I don't do evil apart from me being quite certain that
> I don't.

Sure there is. That's why we have ports committers. They are supposed
to audit the changes to the port to make sure that the changes are safe.
In particular, I expect that they check that the changes are not so
extensive that they indicate the distributing system has been hacked.

> Why can one assume that an ioquake release is safe? One really cannot.
> It's made by the same people who maintain the non-trustworthy SVN.

There's no such check as the above possible with checkouts from a source
control system. You get whatever is on that box at time T.

> Also it's a -devel port. That kinda screams "At your own risk" right
> into your face.

And NO_PACKAGES would further guarantee it.

mcl

Re: ioquake3 support more platforms
Mark Linimon wrote:
> On Thu, Dec 17, 2009 at 04:48:43PM +0100, Dominic Fandrey wrote:
>> A committer explained to me that he doesn't want to deal with SVN
>> snapshot based ports. Is that a common attitude and what should
>> I do to remedy this?
>
> Well, the problem is that we (FreeBSD) can't guarantee whether the
> contents of a resulting package are secure or not, or really, what
> the contents are at all. I personally would only be comfortable with
> a default setting of NO_PACKAGE in this case. Individual users could
> manually override it.

But that's not different for any port. E.g. sysutils/bsdadminscripts is
all mine, I create the distfiles and maintain the port, there is no
guarantee that I don't do evil apart from me being quite certain that
I don't.

Why can one assume that an ioquake release is safe? One really cannot.
It's made by the same people who maintain the non-trustworthy SVN.

What if I created a sourceforge project freebsd-ioquake and published
my distfiles there as ioquake freebsd releases. Would it suddenly
turn trustworthy?

Also it's a -devel port. That kinda screams "At your own risk" right
into your face.

> I don't know if there is a formal policy about such ports. Probably,
> there ought to be.

I think there can be no guarantee given for anything whatsoever. So I
do not see how a policy could be useful.

Re: ioquake3 support more platforms
On Thu, Dec 17, 2009 at 04:48:43PM +0100, Dominic Fandrey wrote:
> A committer explained to me that he doesn't want to deal with SVN
> snapshot based ports. Is that a common attitude and what should
> I do to remedy this?

Well, the problem is that we (FreeBSD) can't guarantee whether the
contents of a resulting package are secure or not, or really, what
the contents are at all. I personally would only be comfortable with
a default setting of NO_PACKAGE in this case. Individual users could
manually override it.

I don't know if there is a formal policy about such ports. Probably,
there ought to be.

mcl