Hi Peter,
This morning I received a Patchwork notification that my lynis patch is now staged, which I understand to mean that it has been merged into next.
So if you think that the source file I used is the incorrect one then either that patch needs to be reverted or I can do another patch to correct it.
Regards,
Adolf.
On 04/09/2021 12:29, Adolf Belka wrote:
Hi Peter,
I have submitted a patch for updating lynis to 3.0.6 at the end of July.
https://patchwork.ipfire.org/project/ipfire/patch/20210731190634.2899487-1-a...
The source file I used also does not have the files that you listed and has the md5 sum
23cc369984d564e4a8232473b1ace137
I got my source file from https://cisofy.com/downloads/lynis/
I found that the digital signature link gave a 404 not found response so I used the sha256 sum to confirm the file I downloaded.
Looking at the website https://cisofy.com/lynis/#download it has a link to a download page, which is what I used, and a link to GitHub, which I didn't use and these two locations have the 3.0.6 file with differences between them.
If you think that the GitHub file should be the one that is used then either I can redo the patch I previously did as a v2, or you can do a v2 replacement, whichever you like.
A question? When you are updating a package how do you find out the location that was used for the source file in the past, as the IPFire source directory doesn't indicate where they came from. In future how can I be sure that I am getting the source file from the correct location that IPFire has used in the past?
Regards,
Adolf.
On 04/09/2021 11:26, Peter Müller wrote:
Hello Marcel,
trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided by Lynis upstream (hosted on GitHub):
pmueller@people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
-rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
pmueller@people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via three different Tor circuits, using exit nodes in three different countries, always returns a file having these characteristics:
$ ls -lah lynis-3.0.6.tar.gz
-rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
$ md5sum lynis-3.0.6.tar.gz
c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0...), while a search for c5429c532653a762a55a994d565372aa returns nothing.
Looking at the contents of both .tar.gz's, your version is missing these files:
~/.github
~/.gitignore
~/plugins/plugin_pam_phase1
~/plugins/plugin_systemd_phase1
~/README.md
~/.travis.yml
Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz file currently present on IPFire's source code server from? GitHub?
Thanks, and best regards,
Peter Müller
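
The comparison described in this thread (two tarballs for the same release with different checksums and file lists) can be done per file rather than per archive. The following is an added example, not part of the original e-mails and not IPFire or Lynis code; the sample archives are built in memory, and their top-level directory names and file contents are constructed assumptions.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if not m.isfile():
                continue
            # Site-hosted and forge-generated archives may use different
            # top-level directory names, so compare paths below that directory.
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            digests[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return digests

def compare_tarballs(a_bytes, b_bytes):
    """Report files present on one side only and files whose content differs."""
    a, b = member_digests(a_bytes), member_digests(b_bytes)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "content_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def build_sample(top, files):
    """Build a small .tar.gz in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: some names mirror the thread, contents are made up.
COMMON = {"lynis": b"#!/bin/sh\n", "include/consts": b"x=1\n"}
SITE = build_sample("lynis", COMMON)
FORGE = build_sample("lynis-3.0.6",
                     {**COMMON, "README.md": b"# Lynis\n", ".gitignore": b"*.swp\n"})

if __name__ == "__main__":
    for key, paths in compare_tarballs(SITE, FORGE).items():
        print(key, paths)
```

An empty `content_differs` list with extra files on one side only means the two archives carry the same code packaged differently; any entry in `content_differs` is what needs a closer look.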