From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Mon, 06 Sep 2021 10:44:30 +0100
Message-ID: <94ED894D-F085-4290-9437-9674E39C6954@ipfire.org>
In-Reply-To: <93942f9a-1d79-ff52-921e-75af9490f2a3@ipfire.org>

Hello,

Arne just reverted this patch:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b

-Michael

> On 6 Sep 2021, at 07:29, Adolf Belka wrote:
>
> Hi Peter,
>
> This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.
>
>
> So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.
>
>
> Regards,
>
> Adolf.
>
>
> On 04/09/2021 12:29, Adolf Belka wrote:
>> Hi Peter,
>>
>> I have submitted a patch for updating lynis to 3.0.6 at the end of July.
>>
>> https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/
>>
>> The source file I used also does not have the files that you listed and has the md5 sum
>>
>> 23cc369984d564e4a8232473b1ace137
>>
>> I got my source file from https://cisofy.com/downloads/lynis/
>>
>> I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
>>
>> Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.
>>
>>
>> If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
>>
>>
>> A question: when you are updating a package, how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from? In future how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
>>
>>
>> Regards,
>>
>> Adolf.
>>
>> On 04/09/2021 11:26, Peter Müller wrote:
>>> Hello Marcel,
>>>
>>> trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file
>>> on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
>>> by Lynis upstream (hosted on GitHub):
>>>
>>>> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
>>>> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
>>>> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
>>>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
>>>
>>> Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
>>> three different Tor circuits, using exit nodes in three different countries, always returns a file
>>> having these characteristics:
>>>
>>>> $ ls -lah lynis-3.0.6.tar.gz
>>>> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
>>>> $ md5sum lynis-3.0.6.tar.gz
>>>> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
>>>
>>> Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
>>> (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
>>> while a search for c5429c532653a762a55a994d565372aa returns nothing.
>>>
>>> Looking at the contents of both .tar.gz's, your version is missing these files:
>>>
>>>> ~/.github
>>>> ~/.gitignore
>>>> ~/plugins/plugin_pam_phase1
>>>> ~/plugins/plugin_systemd_phase1
>>>> ~/README.md
>>>> ~/.travis.yml
>>>
>>> Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
>>> to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz
>>> file currently present on IPFire's source code server from? GitHub?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
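The comparison Peter describes in the thread above (checksum both archives, then work out which files one of them lacks or has altered), as an added Python example that is not part of this thread or of IPFire's or Lynis's own tooling; the two sample archives are constructed in memory and their file names are only illustrative.

```python
import hashlib
import io
import tarfile


def build_tgz(files):
    """Constructed helper: pack {path: bytes} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def members(blob):
    """Map every regular file in the archive to the sha256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare(a, b):
    """Whole-archive checksums plus a per-file diff of two tarballs."""
    ma, mb = members(a), members(b)
    return {
        "md5": (hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest()),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "only_in_a": sorted(ma.keys() - mb.keys()),
        "only_in_b": sorted(mb.keys() - ma.keys()),
        "changed": sorted(p for p in ma.keys() & mb.keys() if ma[p] != mb[p]),
    }

# Constructed sample archives, NOT the real Lynis tarballs: a full copy and a
# trimmed copy that lacks the repository metadata files and one plugin.
FULL = build_tgz({
    "lynis-3.0.6/lynis": b"#!/bin/sh\n",
    "lynis-3.0.6/README.md": b"# Lynis\n",
    "lynis-3.0.6/.gitignore": b"*.log\n",
    "lynis-3.0.6/plugins/plugin_pam_phase1": b"# pam plugin\n",
})
TRIMMED = build_tgz({
    "lynis-3.0.6/lynis": b"#!/bin/sh\n# locally edited\n",
})
REPORT = compare(FULL, TRIMMED)
```

A whole-archive checksum only tells you the two files differ; the per-member diff is what shows whether the difference is repository metadata, a dropped plugin, or an edited script.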