Re: [alpine-devel] ABUILD checksums verification

From: Kiyoshi Aman <aphrael_at_alpinelinux.org>
Date: Tue, 15 Aug 2017 03:03:10 +0000

Hi,

This is not a problem as the file includes an md5sum, which is still
checked.

On Mon, Aug 14, 2017 at 9:59 PM Tmp File <tmpfile_at_mail.com> wrote:

> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was
> absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I
> expected it to fail.
>
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and
> distributed... this sounds like a security issue.
>
> If I made any mistake, please clear it up.
> But as I understand right now py-redis was built and distributed without
> verification of sha512sum.
>
> tmpfile.
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>
> --
-- Kiyoshi Aman



Received on Tue Aug 15 2017 - 03:03:10 GMT