search for: trjoan

...or all the other BSDs will have to chase checksums as > well. > > If you really want to remove the directory, ship a 3.2.1 tarball > rather than screwing all the downstream consumers who's > infrastructure exists to detect trojan'd tarballs. Tarball is signed, it is not trjoan. Your infrastructure should be able to deal with it? > > -- Brooks > Paweł

On Fri, Jan 11, 2013 at 09:33:17PM +0100, Benjamin Kramer wrote: > > On 11.01.2013, at 21:31, Justin Holewinski <justin.holewinski at gmail.com> wrote: > > > On Fri, Jan 11, 2013 at 3:26 PM, Benjamin Kramer <benny.kra at gmail.com> wrote: > > > > On 11.01.2013, at 07:36, ????????? (Wei-Ren Chen) <chenwj at iis.sinica.edu.tw> wrote: > > >

...ve to chase checksums as > > well. > > > > If you really want to remove the directory, ship a 3.2.1 tarball > > rather than screwing all the downstream consumers who's > > infrastructure exists to detect trojan'd tarballs. > > Tarball is signed, it is not trjoan. > Your infrastructure should be able to deal with it? > Many of these environments rely on checking against a known-good checksum. If a tarball is replaced at the source, that checksum changes. Once a release is cut, that particular release should never change. If a change is necessary, s...

...chase checksums as > > well. > > > > If you really want to remove the directory, ship a 3.2.1 tarball > > rather than screwing all the downstream consumers who's > > infrastructure exists to detect trojan'd tarballs. > > Tarball is signed, it is not trjoan. > Your infrastructure should be able to deal with it? The FreeBSD ports collection maintains a set of sha256 hashes for each distfile. The system can deal with them changing, but it's an inconvenience to port maintainers and users. Even if we did have infrastructure to verify the signatu...

...>> as well. >>> >>> If you really want to remove the directory, ship a 3.2.1 >>> tarball rather than screwing all the downstream consumers who's >>> infrastructure exists to detect trojan'd tarballs. >> >> Tarball is signed, it is not trjoan. Your infrastructure should >> be able to deal with it? > > The FreeBSD ports collection maintains a set of sha256 hashes for > each distfile. The system can deal with them changing, but it's > an inconvenience to port maintainers and users. Even if we did > have infras...

...;>>> >>>> If you really want to remove the directory, ship a 3.2.1 tarball >>>> rather than screwing all the downstream consumers who's >>>> infrastructure exists to detect trojan'd tarballs. >>> >>> Tarball is signed, it is not trjoan. >>> Your infrastructure should be able to deal with it? >>> >> >> Many of these environments rely on checking against a known-good checksum. >> If a tarball is replaced at the source, that checksum changes. Once a >> release is cut, that particular releas...

...s >>> well. >>> >>> If you really want to remove the directory, ship a 3.2.1 tarball >>> rather than screwing all the downstream consumers who's >>> infrastructure exists to detect trojan'd tarballs. >> >> Tarball is signed, it is not trjoan. >> Your infrastructure should be able to deal with it? >> > > Many of these environments rely on checking against a known-good checksum. > If a tarball is replaced at the source, that checksum changes. Once a > release is cut, that particular release should never change....

...>> as well. >>> >>> If you really want to remove the directory, ship a 3.2.1 >>> tarball rather than screwing all the downstream consumers who's >>> infrastructure exists to detect trojan'd tarballs. >> >> Tarball is signed, it is not trjoan. Your infrastructure should >> be able to deal with it? > > The FreeBSD ports collection maintains a set of sha256 hashes for > each distfile. The system can deal with them changing, but it's > an inconvenience to port maintainers and users. Even if we did > have infras...

...;> > >>> If you really want to remove the directory, ship a 3.2.1 > >>> tarball rather than screwing all the downstream consumers who's > >>> infrastructure exists to detect trojan'd tarballs. > >> > >> Tarball is signed, it is not trjoan. Your infrastructure should > >> be able to deal with it? > > > > The FreeBSD ports collection maintains a set of sha256 hashes for > > each distfile. The system can deal with them changing, but it's > > an inconvenience to port maintainers and users. Even i...

...t;>>> If you really want to remove the directory, ship a 3.2.1 tarball >>>>> rather than screwing all the downstream consumers who's >>>>> infrastructure exists to detect trojan'd tarballs. >>>> >>>> Tarball is signed, it is not trjoan. >>>> Your infrastructure should be able to deal with it? >>>> >>> >>> Many of these environments rely on checking against a known-good checksum. >>> If a tarball is replaced at the source, that checksum changes. Once a >>> release is cut...

...;>>> If you really want to remove the directory, ship a 3.2.1 >>>>> tarball rather than screwing all the downstream consumers who's >>>>> infrastructure exists to detect trojan'd tarballs. >>>> >>>> Tarball is signed, it is not trjoan. Your infrastructure should >>>> be able to deal with it? >>> >>> The FreeBSD ports collection maintains a set of sha256 hashes for >>> each distfile. The system can deal with them changing, but it's >>> an inconvenience to port maintainers and...

...really want to remove the directory, ship a 3.2.1 > >>>>> tarball rather than screwing all the downstream consumers who's > >>>>> infrastructure exists to detect trojan'd tarballs. > >>>> > >>>> Tarball is signed, it is not trjoan. Your infrastructure should > >>>> be able to deal with it? > >>> > >>> The FreeBSD ports collection maintains a set of sha256 hashes for > >>> each distfile. The system can deal with them changing, but it's > >>> an inconvenience...

...you really want to remove the directory, ship a 3.2.1 tarball >>>>>> rather than screwing all the downstream consumers who's >>>>>> infrastructure exists to detect trojan'd tarballs. >>>>> >>>>> Tarball is signed, it is not trjoan. >>>>> Your infrastructure should be able to deal with it? >>>>> >>>> >>>> Many of these environments rely on checking against a known-good checksum. >>>> If a tarball is replaced at the source, that checksum changes. Once a >&...