From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream) Date: Sat, 23 Oct 2021 19:31:32 +0200 Message-ID: <112180b6-3d35-f6fa-bb94-13a8ba0e52c6@ipfire.org> In-Reply-To: <1a22ab81-2fce-4772-ec66-3f8edc6d5e19@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0234282756361933975==" List-Id: --===============0234282756361933975== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi All, To get the lynis-3.0.5 signature the only way I found to get it was to select= the 3.0.6 signature button which gives the 404 error and then edit the url t= o 3.0.5 Using that 3.0.5 signature with the lynis-3.0.5 file from github gives a Bad = Signature result. So then I had to download 3.0.5 from the website, again by editing the url to= 3.0.5 then I was able to get a good signature result. So even with 3.0.5 there is a mismatch between the https://downloads.cisofy.c= om/lynis/lynis-3.0.6.tar.gz on the website and the https://github.com/CISOfy/= lynis/releases/tag/3.0.5 version in github. How do we know that the version that is in the https://downloads.cisofy.com/l= ynis/ website is the correct version. Do we just have to assume that because = the other version is in github it *must* be the wrong one!! Regards, Adolf. On 23/10/2021 19:06, Adolf Belka wrote: > Hi Peter, > > On 23/10/2021 18:36, Peter M=C3=BCller wrote: >> Hello *, >> >> trying to work through volume 5 of 100 of my TODO list, I stumbled across = Lynis 3.0.6 >> once again. Since Packet Storm returned different source code files for ev= ery download >> attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=3Dipfire= -2.x.git;a=3Dcommit;h=3D55cb5e9324dbec88cac9581930aaee4e3a598a9b. >> >> Meanwhile, things have changed: Packet Storm now seems to return the same = file every >> time, no matter where the HTTPS request comes from. Checksums of the downl= oaded file >> also match the .tar.gz available at https://downloads.cisofy.com/lynis/lyn= is-3.0.6.tar.gz, >> while GitHub still offers a different version: >> >>> $ md5sum lynis-3.0.6.tar.gz-* >>> 23cc369984d564e4a8232473b1ace137=C2=A0 lynis-3.0.6.tar.gz-cisofy >>> c5429c532653a762a55a994d565372aa=C2=A0 lynis-3.0.6.tar.gz-github >>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-packetstorm >> Worse, CISOfy used do digitally sign releases, but https://downloads.cisof= y.com/lynis/lynis-3.0.6.tar.gz.asc >> just shows a 404 to me - while PGP signatures for previous releases are pr= esent. This >> is bad, and does not look like they are taking security serious there. :-/ >> >> Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Ver= sion 3.0.5 >> looks fine to me, at least it has a valid PGP signature. Let's hope the Ly= nis folks >> get their stuff sorted soon - preferably before releasing version 3.0.7. > > I will then redo my lynis patch to update to 3.0.5 and supersede the previo= us version. > > Adolf. > >> Thanks, and best regards, >> Peter M=C3=BCller --===============0234282756361933975==--