
[alpine-devel] ABUILD checksums verification

From: Tmp File <tmpfile_at_mail.com>
Date: Tue, 15 Aug 2017 04:59:06 +0200

Hello Alpinists.

I thought abuild refused to build packages in case the sha512sum was absent or wrong.
So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
But to my surprise the package was built!
It can now be found on the official repository.
If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.

If I made any mistake, please clear it up.
But as I understand it right now, py-redis was built and distributed without verification of the sha512sum.

tmpfile.


Received on Tue Aug 15 2017 - 04:59:06 GMT
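
A pre-build check for the situation described in the message above, where an APKBUILD lists a source but carries no sha512sums entry for it. This is an added example, not part of the original post and not abuild's own code. It assumes the usual APKBUILD layout of `source=` and `sha512sums=` variables; `missing_checksums`, `demo` and the sample package are hypothetical names.

```shell
#!/bin/sh
# Added example, not abuild code. Assumed APKBUILD layout:
#   source="url-or-name::url ..."   sha512sums="<128 hex>  <filename>" per line
# Sourcing executes the file, so run this only on APKBUILDs you would build anyway.

# Print each source file that has no well-formed sha512sums entry; return 1 if any.
missing_checksums() {
    (   # subshell: the APKBUILD's variables never leak into the caller
        source='' sha512sums=''
        . "$1" >/dev/null || exit 2
        rc=0
        for src in $source; do
            case "$src" in
                *::*) name=${src%%::*} ;;   # "name::url" renames the download
                *)    name=${src##*/} ;;    # otherwise the basename is used
            esac
            found=0
            while read -r sum file; do
                if [ "$file" = "$name" ] && [ "${#sum}" -eq 128 ]; then
                    case "$sum" in
                        *[!0-9a-f]*) : ;;   # not lowercase hex: ignore the entry
                        *) found=1 ;;
                    esac
                fi
            done <<EOF
$sha512sums
EOF
            if [ "$found" -eq 0 ]; then echo "$name"; rc=1; fi
        done
        exit "$rc"
    )
}

# Constructed sample: two sources, only the patch has a checksum line.
demo() {
    dir=$(mktemp -d) || return 2
    zeros=$(printf '%0128d' 0)          # placeholder digest, not a real hash
    cat >"$dir/APKBUILD" <<EOF
pkgname=example
pkgver=1.0
source="https://example.org/\$pkgname-\$pkgver.tar.gz fix.patch"
sha512sums="$zeros  fix.patch"
EOF
    missing_checksums "$dir/APKBUILD" && status=0 || status=$?
    rm -rf "$dir"
    return "$status"
}
demo || true    # prints example-1.0.tar.gz, the source with no checksum
```

The check only confirms that every source has a syntactically valid entry; comparing the digest against the downloaded file is a separate step.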