The review process and guidelines as outlined in the Porter's Handbook - it amounts to making sure the software compiles, runs, and installs properly on a recent FreeBSD system. That alone is quite a bit of work. Hosting the source tarballs is a plenty important detail in the development process. Apple and Microsoft do bother to have that detail buttoned down much more tightly than Free Software world. And in case you forgot, security is a tradeoff between convenience and pedantism
oh? looks like you completely ignored what goes into
MASTER_SITES section of a port's Makefile... It's not vetted beyond making sure the tarball actually existng at the URL... Do you seriously think that FreeBSD maintains some kind of whitelist of vetted sites where it's OK to look for a source tarball? ? That's only for tarballs that got dumped into distcache.freebsd.org... do you seriously think that freebsd.org is even designed to scan every single tarball that any given user's system requests (via the ports system) ??? freebsd.org is not Google, come on...
I'm sorry, but that checksum is only used to verify the size of the tarball... and it's definitely NOT controlled by freebsd.org... I realize that we're not on the same page about how the ports infrastructure even works.
If a source tarball (which my system downloads via the Makefile call from a
MASTER_SITES random source without ever checking in with freebsd.org, BTW) has a size mismatch, and does NOT pass the md5sum checksum, did that file reach my system? Does freebsd.org even know I even tried to download that specific tarball? Buddy, my copy of the ports system has no reason to call home!Eh? All I've done is tested 14.0-RELEASE, which is supposed to be the very latest, stable, fully working release on an intel cpu laptop using the intel integrated gpu, which is by far the most common, base level hardware platform anyone is likely to use. And being a thinkpad pretty much as industry standard a laptop as you can get, not some crazy alienware type thing with arcane hardware. Now you say I am 'generalising?' And someone else on here (eternalnoob) said he tried the same test on his r-Pi which is ARM and said it's broken there too?
Nobody inspects anything in the ports. (I maintain a couple of ports, by the way.) My most recent source of disappointment is editors/lapce with its oh so very convenient plugin download feature. That is, it downloads compiled binaries, there is no sandboxing and I suspect no vetting either.
I don't think that's right. Here is a snippet of Mk/Scripts/checksum.sh where we can see that checksum verification applies to each distfile's contents.
if [ -f "${dp_DISTINFO_FILE}" ]; then
cd "${dp_DISTDIR}"
OK=
refetchlist=
for file in "${@}"; do
ignored="true"
for alg in ${dp_CHECKSUM_ALGORITHMS}; do
ignore="false"
eval "alg_executable=\$dp_${alg}"
if [ "$alg_executable" != "NO" ]; then
MKSUM=$($alg_executable < "${file}")
CKSUM=$(distinfo_data "${alg}" "${file}")
else
ignore="true"
fi
if [ $ignore = "false" -a -z "$CKSUM" ]; then
${dp_ECHO_MSG} "=> No $alg checksum recorded for $file."
ignore="true"
fi
if [ $ignore != "false" ]; then
continue
fi
match="false"
for chksum in $CKSUM; do
if [ "$chksum" = "$MKSUM" ]; then
match="true"
break
fi
doneWell, when I saying that, I obviously meant 'any source distfile(s) downloaded by the port'. Yeah, distfiles come in different formats that the ports infrastructure needs to be able to deal with. Guarding against size mismatch (or lack of a reported distfile size, as per your script) is just one of many ways to check that the port downloaded the correct thing.
MASTER_SITES section), you'd find what I'm basing that statement on.
For 2024 there is lot more scope for development in improving color, style ,theme etc and few for fast changing hardware side. Lot of software/packages are required for only easy visual/graphics way.
Only reason is that it is not discussed in generally available popular channels. It is not 'ready to use' after install. You have to have some basic command line aptitude and ready to solve problems. That is why it is not popular among dev's . If we study the percentage use case of MS is only their business policy and PR. Though opensource OS is 'free', the big commercial/educational houses and government go for the easy way.
In an ideal world, maybe. Everytime? No.
Just wrong. Every single port committer has ALL alarm bells ringing when a distfile just changes for no obvious reason. And in practice, this happens rarely of course.
Cool that you KNOW and TRUST everyone committing to ports. I don't.
Then you probably shouldn't use anything created/maintained by anyone you don't know personally?
Which is related to changing 3rd-party distfiles ... how?Ars Technica article focused on Wireguard regarding FreeBSD
https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/ This article is kind of negative, but I don't know what to make of it. The title says it's about FreeBSD, but it's really focused on something related to Wireguard for criticisms of...forums.FreeBSD.org
useful to know; one to avoid!
Just a couple more reasons to avoid.
