
french/wordpress german/wordpress: Upstream rerolled
Abandoned, Public

Authored by miwi on Jun 19 2017, 5:55 PM.

Details

Reviewers
tz
rene
joneum
Summary
  • Upstream rerolled the distfiles with some updates
  • Bump PORTREVISION

Approved by: xxx (mentor)
#Differential Revision: https://reviews.freebsd.org/Dxxxxx

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 9995
Build 10422: arc lint + arc unit

Event Timeline

miwi requested changes to this revision. Jun 20 2017, 5:37 AM

What exactly was changed?

This revision now requires changes to proceed. Jun 20 2017, 5:37 AM
In D11274#233378, @miwi wrote:

What exactly was changed?

Nothing was said about it

In D11274#233378, @miwi wrote:

What exactly was changed?

Nothing was said about it

Make a diff between old and new.

For all checksum mismatches we have to check carefully why it was changed; it could always be that something bad happened ... exploits, backdoors, etc.

In D11274#233402, @miwi wrote:
In D11274#233378, @miwi wrote:

What exactly was changed?

Nothing was said about it

Make a diff between old and new.

For all checksum mismatches we have to check carefully why it was changed; it could always be that something bad happened ... exploits, backdoors, etc.

really?

In D11274#233402, @miwi wrote:
In D11274#233378, @miwi wrote:

What exactly was changed?

Nothing was said about it

Make a diff between old and new.

For all checksum mismatches we have to check carefully why it was changed; it could always be that something bad happened ... exploits, backdoors, etc.

really?

Yes, that's why we have the checksum at all, not only to prevent download corruption.

And it wouldn't be the first time, especially not for WordPress. Even their auto-update got hacked one time. There are many examples of upstream getting hacked. Since FreeBSD should be as secure as possible, we do this kind of prevention. Especially because it's also cheap to just do a diff.

In D11274#233500, @tz wrote:
In D11274#233402, @miwi wrote:
In D11274#233378, @miwi wrote:

What exactly was changed?

Nothing was said about it

Make a diff between old and new.

For all checksum mismatches we have to check carefully why it was changed; it could always be that something bad happened ... exploits, backdoors, etc.

really?

Yes, that's why we have the checksum at all, not only to prevent download corruption.

And it wouldn't be the first time, especially not for WordPress. Even their auto-update got hacked one time. There are many examples of upstream getting hacked. Since FreeBSD should be as secure as possible, we do this kind of prevention. Especially because it's also cheap to just do a diff.

See my other comment here. I asked the WordPress team about this problem. Answer: Yes, rerolled due to a change in the package. Now, why check the files? On another review it was okay that the WordPress team gave me the same information. Sorry, I don't understand why it was okay on another review, and now not.

There is a clear statement about what to do:
https://www.freebsd.org/doc/en/articles/committers-guide/ports.html#ports-qa-misc-updated-distfile

Quote:

When the checksum for a distribution file is updated due to the author updating the file without changing the port's revision, the commit message includes a summary of the relevant diffs between the original and new distfile to ensure that the distfile has not been corrupted or maliciously altered

Accepting anything else is obviously not correct.
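
An added example (not part of the original thread and not FreeBSD's own tooling) of the check the quoted committer's guide text asks for: compare the old and the rerolled distfile member by member, without unpacking either to disk, and get the list that goes into the commit message. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each archive member to (digest or type/link info, mode bits)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                data = tar.extractfile(m).read()
                out[m.name] = (hashlib.sha256(data).hexdigest(), m.mode)
            else:
                out[m.name] = (f"type={m.type!r} link={m.linkname}", m.mode)
    return out


def summarize_reroll(old_bytes, new_bytes):
    """Return the added, removed and changed paths between two distfiles."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def make_tar(files):
    """Build a constructed gzip tarball in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data, not real WordPress distfile contents.
OLD = make_tar({"wordpress/index.php": b"<?php // v1\n",
                "wordpress/readme.html": b"<p>fr_FR</p>\n"})
NEW = make_tar({"wordpress/index.php": b"<?php // v1\n",
                "wordpress/readme.html": b"<p>fr_FR updated</p>\n",
                "wordpress/wp-content/languages/fr_FR.mo": b"\x00mo"})

if __name__ == "__main__":
    for kind, paths in summarize_reroll(OLD, NEW).items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

Every path reported as added or changed still needs a line-level diff and a human read; the summary only narrows down where to look.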

In D11274#233502, @tz wrote:

There is a clear statement about what to do:
https://www.freebsd.org/doc/en/articles/committers-guide/ports.html#ports-qa-misc-updated-distfile

Quote:

When the checksum for a distribution file is updated due to the author updating the file without changing the port's revision, the commit message includes a summary of the relevant diffs between the original and new distfile to ensure that the distfile has not been corrupted or maliciously altered

Accepting anything else is obviously not correct.

Good point ... then I will do this...

But I hope that other committees will also draw attention to the fact that they do not stick to it.

miwi abandoned this revision.
miwi edited reviewers, added: joneum; removed: miwi.

overcome by other events