From: Peter Müller
To: development@lists.ipfire.org
Subject: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Sat, 04 Sep 2021 11:26:42 +0200
Message-ID: <7a208c9f-720b-3706-7c70-349c19111599@ipfire.org>

Hello Marcel,

trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided by Lynis upstream (hosted on GitHub):

> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz

Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via three different Tor circuits, using exit nodes in three different countries, always returns a file having these characteristics:

> $ ls -lah lynis-3.0.6.tar.gz
> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
> $ md5sum lynis-3.0.6.tar.gz
> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz

Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection), while a search for c5429c532653a762a55a994d565372aa returns nothing.

Looking at the contents of both .tar.gz's, your version is missing these files:

> ~/.github
> ~/.gitignore
> ~/plugins/plugin_pam_phase1
> ~/plugins/plugin_systemd_phase1
> ~/README.md
> ~/.travis.yml

Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz file currently present on IPFire's source code server from? GitHub?

Thanks, and best regards,
Peter Müller
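A way to make the archive comparison described in this mail repeatable, as an added example that is not part of the original message nor of the IPFire or Lynis projects: it reports members present in only one of two .tar.gz files and files whose contents differ, alongside the whole-archive MD5 that the mail compares. The two archives, their paths and contents are constructed in memory as placeholders.

```python
"""Compare a vendored source tarball against the upstream one. Added example,
not IPFire or Lynis code; the archives below are constructed in memory."""
import hashlib
import io
import tarfile


def _members(data: bytes) -> dict:
    """Map each regular file's path inside a .tar.gz to the SHA-256 of its bytes."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare_tarballs(vendored: bytes, upstream: bytes) -> dict:
    """Return paths missing from / added to the vendored copy, paths whose
    contents differ, and the whole-archive MD5 of each (as in the mail)."""
    v, u = _members(vendored), _members(upstream)
    return {
        "missing": sorted(set(u) - set(v)),
        "extra": sorted(set(v) - set(u)),
        "changed": sorted(p for p in set(v) & set(u) if v[p] != u[p]),
        "md5": (hashlib.md5(vendored).hexdigest(),
                hashlib.md5(upstream).hexdigest()),
    }


def make_tgz(files: dict) -> bytes:
    """Build a small .tar.gz in memory from {path: content} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the vendored copy lacks README.md and a plugin and
# carries a modified main script, mirroring the kind of difference reported.
UPSTREAM = make_tgz({"lynis-3.0.6/lynis": b"#!/bin/sh\n",
                     "lynis-3.0.6/README.md": b"# Lynis\n",
                     "lynis-3.0.6/plugins/plugin_pam_phase1": b"x\n"})
VENDORED = make_tgz({"lynis-3.0.6/lynis": b"#!/bin/sh\n# changed\n"})

if __name__ == "__main__":
    print(compare_tarballs(VENDORED, UPSTREAM))
```

Only a per-file comparison against an archive you fetched yourself tells you whether a checksum mismatch is harmless repackaging or modified content.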