From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: lynis-3.0.6.tar.gz file on source.ipfire.org differs from Lynis upstream
Date: Sat, 04 Sep 2021 12:29:46 +0200
In-Reply-To: <7a208c9f-720b-3706-7c70-349c19111599@ipfire.org>

Hi Peter,

I have submitted a patch for updating lynis to 3.0.6 at the end of July.

https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-adolf.belka(a)ipfire.org/

The source file I used also does not have the files that you listed and has the md5 sum 23cc369984d564e4a8232473b1ace137

I got my source file from https://cisofy.com/downloads/lynis/

I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.

Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use, and these two locations have the 3.0.6 file with differences between them.

If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.

A question? When you are updating a package how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from. In future how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?

Regards,
Adolf.
On 04/09/2021 11:26, Peter Müller wrote:
> Hello Marcel,
>
> trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file
> on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
> by Lynis upstream (hosted on GitHub):
>
>> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
>> -rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
>> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
>
> Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
> three different Tor circuits, using exit nodes in three different countries, always returns a file
> having these characteristics:
>
>> $ ls -lah lynis-3.0.6.tar.gz
>> -rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
>> $ md5sum lynis-3.0.6.tar.gz
>> c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
>
> Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
> (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
> while a search for c5429c532653a762a55a994d565372aa returns nothing.
>
> Looking at the contents of both .tar.gz's, your version is missing these files:
>
>> ~/.github
>> ~/.gitignore
>> ~/plugins/plugin_pam_phase1
>> ~/plugins/plugin_systemd_phase1
>> ~/README.md
>> ~/.travis.yml
>
> Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
> to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz
> file currently present on IPFire's source code server from? GitHub?
>
> Thanks, and best regards,
> Peter Müller
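The member-by-member comparison Peter describes, as an added example that is not part of this thread and not Lynis or IPFire code: it builds two small tarballs in memory, one missing paths the other has and one shared file altered, and reports which paths exist in only one archive and which shared files differ. All file names and contents are constructed samples, not the real Lynis tree.

```python
import hashlib
import io
import tarfile

def build_tgz(files):
    """Build a .tar.gz in memory from {path: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(tgz_bytes):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_archives(a, b):
    """Paths present in only one archive, shared paths whose contents differ, and
    whole-archive SHA-256s. gzip embeds a timestamp, so identical trees can still
    yield different archive hashes; the member-level view is the one to trust."""
    da, db = member_digests(a), member_digests(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "changed": sorted(p for p in set(da) & set(db) if da[p] != db[p]),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
    }

# Constructed sample trees: the mirror copy lacks two paths and has one altered file.
COMMON = {"lynis-3.0.6/lynis": b"#!/bin/sh\necho audit\n",
          "lynis-3.0.6/CHANGELOG.md": b"# 3.0.6\n"}
MIRROR_TGZ = build_tgz({**COMMON, "lynis-3.0.6/include/consts": b"VERSION=3.0.6\n"})
UPSTREAM_TGZ = build_tgz({**COMMON,
                          "lynis-3.0.6/include/consts": b"VERSION=3.0.6\nDEBUG=0\n",
                          "lynis-3.0.6/README.md": b"Lynis\n",
                          "lynis-3.0.6/.gitignore": b"*.log\n"})

if __name__ == "__main__":
    for key, value in compare_archives(MIRROR_TGZ, UPSTREAM_TGZ).items():
        print(key, value)
```

To run it against real downloads, read the two .tar.gz files as bytes and pass them to compare_archives; a non-empty "changed" list matters more than a whole-archive checksum mismatch, since the latter can be caused by the gzip timestamp alone.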