Hi Peter,

On 23/10/2021 18:36, Peter Müller wrote:
> Hello *,
>
> trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6
> once again. Since Packet Storm returned different source code files for every download
> attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b.
>
> Meanwhile, things have changed: Packet Storm now seems to return the same file every
> time, no matter where the HTTPS request comes from. Checksums of the downloaded file
> also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz,
> while GitHub still offers a different version:
>
>> $ md5sum lynis-3.0.6.tar.gz-*
>> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-cisofy
>> c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz-github
>> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-packetstorm
> Worse, CISOfy used do digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc
> just shows a 404 to me - while PGP signatures for previous releases are present. This
> is bad, and does not look like they are taking security serious there. :-/
>
> Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5
> looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks
> get their stuff sorted soon - preferably before releasing version 3.0.7.

I will then redo my lynis patch to update to 3.0.5 and supersede the previous version.

Adolf.

> Thanks, and best regards,
> Peter Müller