* lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
From: Peter Müller @ 2021-09-04 9:26 UTC (permalink / raw)
To: development
Hello Marcel,
trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file
on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
by Lynis upstream (hosted on GitHub):
> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
three different Tor circuits, using exit nodes in three different countries, always returns a file
having these characteristics:
> $ ls -lah lynis-3.0.6.tar.gz
> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
> $ md5sum lynis-3.0.6.tar.gz
> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
(https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
while a search for c5429c532653a762a55a994d565372aa returns nothing.
Looking at the contents of both .tar.gz's, your version is missing these files:
> ~/.github
> ~/.gitignore
> ~/plugins/plugin_pam_phase1
> ~/plugins/plugin_systemd_phase1
> ~/README.md
> ~/.travis.yml
Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz
file currently present on IPFire's source code server from? GitHub?
Thanks, and best regards,
Peter Müller
* Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
2021-09-04 9:26 lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream Peter Müller
@ 2021-09-04 10:29 ` Adolf Belka
2021-09-06 6:29 ` Adolf Belka
2021-10-23 16:36 ` State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream) Peter Müller
1 sibling, 1 reply; 9+ messages in thread
From: Adolf Belka @ 2021-09-04 10:29 UTC (permalink / raw)
To: development
Hi Peter,
I have submitted a patch for updating lynis to 3.0.6 at the end of July.
https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/
The source file I used also does not have the files that you listed and has the md5 sum
23cc369984d564e4a8232473b1ace137
I got my source file from https://cisofy.com/downloads/lynis/
I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.
If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
A question: when you are updating a package, how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from? In future, how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
Regards,
Adolf.
* Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
From: Adolf Belka @ 2021-09-06 6:29 UTC (permalink / raw)
To: development
Hi Peter,
This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.
So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.
Regards,
Adolf.
* Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
From: Michael Tremer @ 2021-09-06 9:44 UTC (permalink / raw)
To: development
Hello,
Arne just reverted this patch:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b
-Michael
* Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
From: Adolf Belka @ 2021-09-06 9:56 UTC (permalink / raw)
To: development
On 06/09/2021 11:44, Michael Tremer wrote:
> Hello,
>
> Arne just reverted this patch:
Okay, thanks.
Then I will redo the patch as a v2 version with the correct source file from the lynis github repository.
Regards,
Adolf.
* Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
From: Michael Tremer @ 2021-09-07 14:28 UTC (permalink / raw)
To: development
Thanks :)
* State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream)
From: Peter Müller @ 2021-10-23 16:36 UTC (permalink / raw)
To: development
Hello *,
trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6
once again. Since Packet Storm returned different source code files for every download
attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b.
Meanwhile, things have changed: Packet Storm now seems to return the same file every
time, no matter where the HTTPS request comes from. Checksums of the downloaded file
also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz,
while GitHub still offers a different version:
> $ md5sum lynis-3.0.6.tar.gz-*
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-cisofy
> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz-github
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-packetstorm
Worse, CISOfy used to digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc
just shows a 404 to me - while PGP signatures for previous releases are present. This
is bad, and does not look like they are taking security seriously there. :-/
Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5
looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks
get their stuff sorted soon - preferably before releasing version 3.0.7.
Thanks, and best regards,
Peter Müller
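An added example, not code from the thread, Lynis or IPFire, that automates the check Peter performed in both of his messages: hash the copies of the tarball fetched from CISOfy, GitHub and Packet Storm and list which archive members one copy has and another lacks. The archives, their file contents, the '.github/FUNDING.yml' name and the top-level directory names are constructed stand-ins, not the real 3.0.6 files.

```python
"""Compare one release tarball as fetched from several sources: hash each
copy (SHA-256 here; the thread used md5sum) and list the archive members
present in one copy but not another, the check that exposed the missing
plugins and housekeeping files. Sample archives are built in memory."""
import hashlib
import io
import tarfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an archive, as a checksum tool would print it."""
    return hashlib.sha256(data).hexdigest()


def member_names(data: bytes) -> set:
    """Member paths with the top-level directory stripped, so an archive
    rooted at 'lynis-3.0.6/' compares equal to one rooted at 'lynis/'."""
    names = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/", 1)
            if len(parts) == 2 and parts[1]:
                names.add(parts[1])
    return names


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Hashes of both archives plus the member paths unique to each side."""
    names_a, names_b = member_names(a), member_names(b)
    return {
        "sha256_a": sha256_bytes(a),
        "sha256_b": sha256_bytes(b),
        "identical_bytes": a == b,
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
    }


def build_tarball(files: dict, topdir: str) -> bytes:
    """Build a small .tar.gz in memory from {relative path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{topdir}/{name}")
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins: file contents and the '.github/FUNDING.yml' name are
# invented; the member list mirrors what the GitHub tag archive carried and
# the CISOfy/Packet Storm copy lacked. Top-level directory names are assumed.
COMMON_FILES = {
    "lynis": b"#!/bin/sh\n# main audit script (sample)\n",
    "include/functions": b"# helper functions (sample)\n",
    "plugins/plugin_pam_phase2": b"# pam plugin, phase 2 (sample)\n",
}
GITHUB_ONLY_FILES = {
    ".github/FUNDING.yml": b"# sample\n",
    ".gitignore": b"*.swp\n",
    ".travis.yml": b"language: bash\n",
    "README.md": b"# Lynis\n",
    "plugins/plugin_pam_phase1": b"# pam plugin, phase 1 (sample)\n",
    "plugins/plugin_systemd_phase1": b"# systemd plugin, phase 1 (sample)\n",
}


def sample_archives() -> dict:
    """Three copies as in the thread: CISOfy and Packet Storm identical,
    GitHub carrying the extra files."""
    cisofy = build_tarball(COMMON_FILES, "lynis")
    github = build_tarball({**COMMON_FILES, **GITHUB_ONLY_FILES}, "lynis-3.0.6")
    return {"cisofy": cisofy, "packetstorm": cisofy, "github": github}


def report(archives: dict, reference: str = "cisofy") -> list:
    """One line per source: its hash and the members it has or lacks
    relative to the reference copy. Equal member sets with unequal hashes
    still call for a content diff, since files may differ inside."""
    lines = []
    for label, data in archives.items():
        result = compare_tarballs(archives[reference], data)
        lines.append(f"{label:12s} sha256={result['sha256_b'][:16]}... "
                     f"extra={result['only_in_b']} missing={result['only_in_a']}")
    return lines


if __name__ == "__main__":
    for line in report(sample_archives()):
        print(line)
```

With real downloads, read each file's bytes in place of the constructed archives; a matching hash across mirrors only shows they serve the same bytes, not that those bytes are the maintainer's, which is what the missing .asc signature would have established.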
* Re: State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream)
From: Adolf Belka @ 2021-10-23 17:06 UTC (permalink / raw)
To: development
Hi Peter,
I will then redo my lynis patch to update to 3.0.5 and supersede the previous version.
Adolf.
* Re: State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream)
From: Adolf Belka @ 2021-10-23 17:31 UTC (permalink / raw)
To: development
Hi All,
To get the lynis-3.0.5 signature, the only way I found was to select the 3.0.6 signature button, which gives the 404 error, and then edit the url to 3.0.5.
Using that 3.0.5 signature with the lynis-3.0.5 file from github gives a Bad Signature result.
So then I had to download 3.0.5 from the website, again by editing the url to 3.0.5, and then I was able to get a good signature result.
So even with 3.0.5 there is a mismatch between the https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz on the website and the https://github.com/CISOfy/lynis/releases/tag/3.0.5 version in github.
How do we know that the version that is in the https://downloads.cisofy.com/lynis/ website is the correct version? Do we just have to assume that because the other version is in github it *must* be the wrong one!!
Regards,
Adolf.