From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: State of affairs at lynis 3.0.6 (was: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream)
Date: Sat, 23 Oct 2021 18:36:40 +0200
Message-ID: <91ce6ca7-7cc6-0b14-c25e-71b00643c7e3@ipfire.org>
In-Reply-To: <7a208c9f-720b-3706-7c70-349c19111599@ipfire.org>
Hello *,
trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6
once again. Since Packet Storm returned different source code files for every download
attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b.
Meanwhile, things have changed: Packet Storm now seems to return the same file every
time, no matter where the HTTPS request comes from. Checksums of the downloaded file
also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz,
while GitHub still offers a different version:
> $ md5sum lynis-3.0.6.tar.gz-*
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-cisofy
> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz-github
> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-packetstorm
Worse, CISOfy used to digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc
just shows a 404 to me - while PGP signatures for previous releases are present. This
is bad, and does not look like they are taking security seriously there. :-/
Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5
looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks
get their stuff sorted soon - preferably before releasing version 3.0.7.
Thanks, and best regards,
Peter Müller
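
The comparison in the message above, generalized as an added example (not part of the original email or of IPFire's build tooling): it hashes each downloaded copy with SHA-256 instead of MD5, groups the sources by digest, and accepts a release only when every source agrees and a detached signature file is present. The function names and file contents are constructed for illustration; verifying the signature itself (for example with `gpg --verify` against the vendor key) is a further step not shown here.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def assess_release(copies, signature=None):
    """copies maps a source label to the path of the tarball fetched from it."""
    by_digest = defaultdict(list)
    for source, path in sorted(copies.items()):
        by_digest[sha256_file(path)].append(source)
    consistent = len(by_digest) == 1
    # Presence only: a non-empty .asc still has to verify against the vendor key.
    signed = (signature is not None and Path(signature).is_file()
              and Path(signature).stat().st_size > 0)
    return {
        "groups": sorted(by_digest.values()),  # sources that share one digest
        "consistent": consistent,
        "signature_present": signed,
        "accept": consistent and signed,
    }


def demo():
    """Constructed stand-ins for the three downloads; no .asc file is created."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        contents = {
            "cisofy": b"constructed tarball bytes A",
            "packetstorm": b"constructed tarball bytes A",
            "github": b"constructed tarball bytes B",
        }
        copies = {}
        for source, data in contents.items():
            copies[source] = tmp / f"lynis-3.0.6.tar.gz-{source}"
            copies[source].write_bytes(data)
        return assess_release(copies, tmp / "lynis-3.0.6.tar.gz.asc")


if __name__ == "__main__":
    print(demo())
```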