From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Mon, 06 Sep 2021 08:29:30 +0200
Message-ID: <93942f9a-1d79-ff52-921e-75af9490f2a3@ipfire.org>

Hi Peter,

This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.

So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.

Regards,
Adolf.

On 04/09/2021 12:29, Adolf Belka wrote:
> Hi Peter,
>
> I have submitted a patch for updating lynis to 3.0.6 at the end of July.
>
> https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/
>
> The source file I used also does not have the files that you listed and has the md5 sum
>
> 23cc369984d564e4a8232473b1ace137
>
> I got my source file from https://cisofy.com/downloads/lynis/
>
> I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
>
> Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.
>
> If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
>
> A question? When you are updating a package how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from. In future how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
>
> Regards,
> Adolf.
>
> On 04/09/2021 11:26, Peter Müller wrote:
>> Hello Marcel,
>>
>> trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided by Lynis upstream (hosted on GitHub):
>>
>>> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
>>> -rw-r--r-- 1 mlorenz people 329K Aug  1 11:45 lynis-3.0.6.tar.gz
>>> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
>>> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz
>>
>> Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via three different Tor circuits, using exit nodes in three different countries, always returns a file having these characteristics:
>>
>>> $ ls -lah lynis-3.0.6.tar.gz
>>> -rw-r--r-- 1 pmu users 335K  4. Sep 10:56 lynis-3.0.6.tar.gz
>>> $ md5sum lynis-3.0.6.tar.gz
>>> c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz
>>
>> Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection), while a search for c5429c532653a762a55a994d565372aa returns nothing.
>>
>> Looking at the contents of both .tar.gz's, your version is missing these files:
>>
>>> ~/.github
>>> ~/.gitignore
>>> ~/plugins/plugin_pam_phase1
>>> ~/plugins/plugin_systemd_phase1
>>> ~/README.md
>>> ~/.travis.yml
>>
>> Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz file currently present on IPFire's source code server from? GitHub?
>>
>> Thanks, and best regards,
>> Peter Müller
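The member-level comparison Peter did by hand, as an added example that is not part of this thread or of the IPFire or Lynis projects: it hashes two tarballs of the same release and lists which members exist in only one of them or differ in content, which is what tells you whether a checksum mismatch is just packaging metadata or a different payload. Both archives and their file contents are constructed in memory; the path names in GITHUB_ONLY are the ones listed above as missing from the cisofy.com tarball.

```python
import hashlib
import io
import tarfile

# Constructed sample contents, not the real Lynis files. None marks a directory.
# GITHUB_ONLY holds the member names the thread found missing from one tarball.
COMMON = {
    "lynis-3.0.6/lynis": b"#!/bin/sh\n# placeholder for the lynis script\n",
}
GITHUB_ONLY = {
    "lynis-3.0.6/.github": None,
    "lynis-3.0.6/.gitignore": b"*.log\n",
    "lynis-3.0.6/.travis.yml": b"language: bash\n",
    "lynis-3.0.6/README.md": b"# placeholder README\n",
    "lynis-3.0.6/plugins/plugin_pam_phase1": b"# placeholder plugin\n",
    "lynis-3.0.6/plugins/plugin_systemd_phase1": b"# placeholder plugin\n",
}

def build_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes, or None for a directory}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.type = tarfile.DIRTYPE if data is None else tarfile.REGTYPE
            info.size = 0 if data is None else len(data)
            tar.addfile(info, None if data is None else io.BytesIO(data))
    return buf.getvalue()

def member_digests(blob):
    """Map each member name to the sha256 of its payload (None for non-files)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                if m.isfile() else None for m in tar.getmembers()}

def compare_tarballs(a, b):
    """Archive hashes plus member-level diffs; the hash alone also changes with gzip/tar metadata."""
    da, db = member_digests(a), member_digests(b)
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
        "content_differs": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }

def demo():
    """Compare a GitHub-style archive with one lacking the repository metadata."""
    return compare_tarballs(build_tarball({**COMMON, **GITHUB_ONLY}), build_tarball(COMMON))
```

Two archives with identical member digests but different archive hashes point at packaging differences (timestamps, member order); anything in only_in_* or content_differs is a payload difference worth taking to upstream.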