From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Mon, 06 Sep 2021 11:56:11 +0200
Message-ID: <577f64d8-2dd6-e1f4-eb2e-c7306a41dcc0@ipfire.org>
In-Reply-To: <94ED894D-F085-4290-9437-9674E39C6954@ipfire.org>

On 06/09/2021 11:44, Michael Tremer wrote:
> Hello,
>
> Arne just reverted this patch:

Okay, thanks.

Then I will redo the patch as a v2 version with the correct source file from the lynis github repository.

Regards,

Adolf.

>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b
>
> -Michael
>
>> On 6 Sep 2021, at 07:29, Adolf Belka wrote:
>>
>> Hi Peter,
>>
>> This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.
>>
>>
>> So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.
>>
>>
>> Regards,
>>
>> Adolf.
>>
>>
>> On 04/09/2021 12:29, Adolf Belka wrote:
>>> Hi Peter,
>>>
>>> I have submitted a patch for updating lynis to 3.0.6 at the end of July.
>>>
>>> https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/
>>>
>>> The source file I used also does not have the files that you listed and has the md5 sum
>>>
>>> 23cc369984d564e4a8232473b1ace137
>>>
>>> I got my source file from https://cisofy.com/downloads/lynis/
>>>
>>> I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
>>>
>>> Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.
>>>
>>>
>>> If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
>>>
>>>
>>> A question? When you are updating a package how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from. In future how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
>>>
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>> On 04/09/2021 11:26, Peter Müller wrote:
>>>> Hello Marcel,
>>>>
>>>> trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file
>>>> on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
>>>> by Lynis upstream (hosted on GitHub):
>>>>
>>>>> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
>>>>> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
>>>>> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
>>>>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
>>>> Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
>>>> three different Tor circuits, using exit nodes in three different countries, always returns a file
>>>> having these characteristics:
>>>>
>>>>> $ ls -lah lynis-3.0.6.tar.gz
>>>>> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
>>>>> $ md5sum lynis-3.0.6.tar.gz
>>>>> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
>>>> Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
>>>> (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
>>>> while a search for c5429c532653a762a55a994d565372aa returns nothing.
>>>>
>>>> Looking at the contents of both .tar.gz's, your version is missing these files:
>>>>
>>>>> ~/.github
>>>>> ~/.gitignore
>>>>> ~/plugins/plugin_pam_phase1
>>>>> ~/plugins/plugin_systemd_phase1
>>>>> ~/README.md
>>>>> ~/.travis.yml
>>>> Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
>>>> to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz
>>>> file currently present on IPFire's source code server from? GitHub?
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>
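The checks in Peter's message above (hashing each archive and working out which files one copy is missing), as an added Python example that is not code from this thread, from IPFire or from Lynis: the two archives are constructed in memory and stand in for the upstream GitHub tag archive and the copy found on source.ipfire.org, and the member names and contents inside them are made up.

```python
import hashlib
import io
import tarfile


def make_targz(files: dict) -> bytes:
    """Build a .tar.gz in memory from {member_name: content_bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(archive: bytes) -> dict:
    """Map every regular-file member of a .tar.gz to the sha256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar.getmembers():
            if info.isfile():
                digests[info.name] = hashlib.sha256(tar.extractfile(info).read()).hexdigest()
    return digests


def compare_tarballs(upstream: bytes, mirror: bytes) -> dict:
    """Byte-level verdict plus which members are missing, added or changed in the mirror."""
    up, mi = member_digests(upstream), member_digests(mirror)
    return {
        # Outer hashes differ whenever gzip metadata differs, so this alone
        # cannot tell a harmless re-pack from an archive whose files changed.
        "archives_identical": hashlib.sha256(upstream).digest() == hashlib.sha256(mirror).digest(),
        "missing_in_mirror": sorted(set(up) - set(mi)),
        "added_in_mirror": sorted(set(mi) - set(up)),
        "changed": sorted(n for n in up.keys() & mi.keys() if up[n] != mi[n]),
    }


# Constructed sample archives standing in for the GitHub tag archive ("upstream")
# and a mirrored copy that lacks some files and carries a modified script.
UPSTREAM = make_targz({
    "lynis-3.0.6/README.md": b"# Lynis\n",
    "lynis-3.0.6/lynis": b"#!/bin/sh\necho audit\n",
    "lynis-3.0.6/plugins/plugin_pam_phase1": b"# pam plugin\n",
})
MIRROR = make_targz({"lynis-3.0.6/lynis": b"#!/bin/sh\necho audit; echo extra\n"})
```

Run `compare_tarballs(UPSTREAM, MIRROR)` to get the report; because gzip headers carry a timestamp, two re-packed archives with identical contents still have different outer checksums, so the member-level lists are what separate a harmless re-pack from a copy that lost or changed files. None of this says whether the upstream copy itself is genuine, which is the gap a maintainer signature would close.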