Created attachment 265766: testcase-fetched-file-no-fingerprint.tgz

The attached sample port downloads and installs a file that isn't in DISTFILES and doesn't have a record in distinfo. In this example it downloads https://google.com/index.html and installs it as ${DATADIR}/possibly-malicious.html, but it can be any file. The files fetched in the fetch target but not listed in DISTFILES can be installed like this.

I am not saying that there are malicious ports, but the ports framework enforces cryptographic fingerprints on all used distfiles, and this example uses a loophole, and some files might not be fingerprinted.

The following solution can solve the above problem: Poudriere should use a dedicated DISTDIR for each package build process.

(1) Before the fetch: Poudriere would copy all declared DISTFILES (if they exist) from the common build directory into this dedicated directory.
(2) After the fetch: Poudriere would check that there are no files in the dedicated directory that aren't declared in the DISTFILES file.
(3) After the build: Poudriere would copy them back from the dedicated directory into a common directory.
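The check in step (2) above, as an added shell example that is not part of the attached testcase or of poudriere itself: given a per-build DISTDIR and the port's distinfo, it flags every file present in the directory that has no SHA256 record in distinfo, and additionally every recorded file whose checksum does not match. The fixture files, the distinfo contents and the function names (check_distdir, make_fixture, demo) are constructed for the demonstration; the distinfo line format (`SHA256 (name) = hex`) is the one the ports tree uses, and only top-level files are scanned.

```shell
#!/bin/sh
# Added example, not poudriere or ports-framework code.
# Verify a per-build DISTDIR against a port's distinfo.

# Portable SHA256: FreeBSD ships sha256(1), most Linux systems sha256sum(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# check_distdir DISTDIR DISTINFO
# Prints "UNDECLARED name" for files with no SHA256 record in distinfo and
# "MISMATCH name" for recorded files whose checksum differs.  Returns 1 if
# anything was reported, 0 if every file present is declared and matches.
# (A declared file that is absent is not reported; that is fetch's job.)
check_distdir() {
    distdir=$1; distinfo=$2; rc=0
    for f in "$distdir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # distinfo lines look like:  SHA256 (name) = <hex>
        want=$(awk -v n="$name" 'BEGIN { k = "(" n ")" }
                                  $1 == "SHA256" && $2 == k { print $4 }' "$distinfo")
        if [ -z "$want" ]; then
            echo "UNDECLARED $name"; rc=1
        elif [ "$(sha256_of "$f")" != "$want" ]; then
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture (hypothetical file names and contents): one file that is
# declared and intact, one declared with a wrong checksum, one not declared at
# all, mirroring the possibly-malicious.html case.  Prints the fixture root.
make_fixture() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/distfiles"
    printf 'good distfile\n'     > "$tmp/distfiles/good-1.0.tar.gz"
    printf 'tampered distfile\n' > "$tmp/distfiles/tampered-1.0.tar.gz"
    printf 'not in distinfo\n'   > "$tmp/distfiles/possibly-malicious.html"
    good=$(sha256_of "$tmp/distfiles/good-1.0.tar.gz")
    bogus=0000000000000000000000000000000000000000000000000000000000000000
    cat > "$tmp/distinfo" <<EOF
TIMESTAMP = 1451606400
SHA256 (good-1.0.tar.gz) = $good
SIZE (good-1.0.tar.gz) = 14
SHA256 (tampered-1.0.tar.gz) = $bogus
SIZE (tampered-1.0.tar.gz) = 18
EOF
    printf '%s' "$tmp"
}

# Run the check over the fixture, clean up, and return the check's status.
demo() {
    dir=$(make_fixture) || return 2
    check_distdir "$dir/distfiles" "$dir/distinfo"; rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `demo` to see the two offending files listed; in a build wrapper the nonzero return would be the point at which the build is failed before the install target can pick up an unfingerprinted file.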
Why does this work as intended? Why do we need distinfo at all if these files can be downloaded and used without fingerprints?
Because the framework lets anyone do stupid things. The reason we have committers, like you, or me, and not a simple "merge" button, is to make sure patches that are submitted by non committers don't do stupid things, or that if they do, they get fixed before being committed.