From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Tue, 07 Sep 2021 15:28:21 +0100
Message-ID: <9FB9FE5C-7C97-496E-B554-FFDD1CF02C44@ipfire.org>
In-Reply-To: <577f64d8-2dd6-e1f4-eb2e-c7306a41dcc0@ipfire.org>

Thanks :)

> On 6 Sep 2021, at 10:56, Adolf Belka wrote:
>
> On 06/09/2021 11:44, Michael Tremer wrote:
>> Hello,
>> Arne just reverted this patch:
> Okay, thanks.
>
> Then I will redo the patch as a v2 version with the correct source file from the lynis github repository.
>
> Regards,
>
> Adolf.
>
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b
>> -Michael
>>> On 6 Sep 2021, at 07:29, Adolf Belka wrote:
>>>
>>> Hi Peter,
>>>
>>> This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.
>>>
>>> So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>> On 04/09/2021 12:29, Adolf Belka wrote:
>>>> Hi Peter,
>>>>
>>>> I have submitted a patch for updating lynis to 3.0.6 at the end of July.
>>>>
>>>> https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/
>>>>
>>>> The source file I used also does not have the files that you listed and has the md5 sum
>>>>
>>>> 23cc369984d564e4a8232473b1ace137
>>>>
>>>> I got my source file from https://cisofy.com/downloads/lynis/
>>>>
>>>> I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
>>>>
>>>> Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.
>>>>
>>>> If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
>>>>
>>>> A question: when you are updating a package, how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from? In future, how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>> On 04/09/2021 11:26, Peter Müller wrote:
>>>>> Hello Marcel,
>>>>>
>>>>> trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file
>>>>> on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
>>>>> by Lynis upstream (hosted on GitHub):
>>>>>
>>>>>> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
>>>>>> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
>>>>>> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
>>>>>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
>>>>> Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
>>>>> three different Tor circuits, using exit nodes in three different countries, always returns a file
>>>>> having these characteristics:
>>>>>
>>>>>> $ ls -lah lynis-3.0.6.tar.gz
>>>>>> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
>>>>>> $ md5sum lynis-3.0.6.tar.gz
>>>>>> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
>>>>> Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
>>>>> (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
>>>>> while a search for c5429c532653a762a55a994d565372aa returns nothing.
>>>>>
>>>>> Looking at the contents of both .tar.gz's, your version is missing these files:
>>>>>
>>>>>> ~/.github
>>>>>> ~/.gitignore
>>>>>> ~/plugins/plugin_pam_phase1
>>>>>> ~/plugins/plugin_systemd_phase1
>>>>>> ~/README.md
>>>>>> ~/.travis.yml
>>>>> Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
>>>>> to verify the integrity of downloaded source code. Therefore: where did you fetch the lynis-3.0.6.tar.gz
>>>>> file currently present on IPFire's source code server from? GitHub?
>>>>>
>>>>> Thanks, and best regards,
>>>>> Peter Müller
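The comparison Peter did by hand above (digest of each tarball, then the member list of one diffed against the other) as a reusable POSIX shell script. This is an added example, not code from the thread or from IPFire; it assumes `tar`, `comm` and `sha256sum` (or `shasum`) are available, and the two sample tarballs it builds are constructed to mimic the difference in the thread (a release-style archive lacking README.md, .gitignore and a plugin file that the tag archive carries).

```shell
#!/bin/sh
# Added example (not from the thread): compare two source tarballs by
# SHA-256 digest and by member list. Sample tarballs are constructed locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

tarball_sha256() {            # print the SHA-256 digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

verify_tarball() {            # succeed only if the digest of $1 equals the expected value $2
    [ "$(tarball_sha256 "$1")" = "$2" ]
}

tarball_members() {           # sorted member paths of $1, directories without trailing slash
    tar -tzf "$1" | sed 's:/$::' | LC_ALL=C sort -u
}

tarball_missing_from() {      # members of $2 that are absent from $1
    tarball_members "$1" > "$WORK/members.a"
    tarball_members "$2" > "$WORK/members.b"
    LC_ALL=C comm -13 "$WORK/members.a" "$WORK/members.b"
}

compare_tarballs() {          # print both digests, then what $2 has that $1 lacks
    printf '%s  %s\n' "$(tarball_sha256 "$1")" "$1"
    printf '%s  %s\n' "$(tarball_sha256 "$2")" "$2"
    echo "members of $2 missing from $1:"
    tarball_missing_from "$1" "$2"
}

# Constructed sample: "a" is a release-style tarball without repository
# housekeeping files; "b" mimics a GitHub tag archive that carries them.
make_sample_tarballs() {
    mkdir -p "$WORK/a/lynis-3.0.6/plugins" "$WORK/b/lynis-3.0.6/plugins"
    for d in a b; do printf 'echo lynis\n' > "$WORK/$d/lynis-3.0.6/lynis"; done
    printf 'README\n'  > "$WORK/b/lynis-3.0.6/README.md"
    printf '*.log\n'   > "$WORK/b/lynis-3.0.6/.gitignore"
    printf 'plugin\n'  > "$WORK/b/lynis-3.0.6/plugins/plugin_pam_phase1"
    tar -C "$WORK/a" -czf "$WORK/a.tar.gz" lynis-3.0.6
    tar -C "$WORK/b" -czf "$WORK/b.tar.gz" lynis-3.0.6
}

if [ $# -eq 2 ]; then compare_tarballs "$1" "$2"
else make_sample_tarballs; compare_tarballs "$WORK/a.tar.gz" "$WORK/b.tar.gz"; fi
```

Run it with two tarball paths to compare real downloads; with no arguments it runs on the constructed sample.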