Re: [alpine-devel] ABUILD checksums verification

From: Tmp File <tmpfile_at_mail.com>
Date: Tue, 15 Aug 2017 05:04:06 +0200

Just after sending the email I realized my mistake.
It happens that py-redis *does* have a valid sha512sum but the commit was truncated above it (just after md5sum).
I'm ashamed of this mistake and for causing trouble over nothing.
Sorry Alpinists.

> Sent: Monday, August 14, 2017 at 11:59 PM
> From: "Tmp File" <tmpfile_at_mail.com>
> To: alpine-dev <alpine-devel_at_lists.alpinelinux.org>
> Subject: [alpine-devel] ABUILD checksums verification
>
> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.
>
> If I made any mistake please clear it up.
> But as I understand it right now, py-redis was built and distributed without verification of sha512sum.
>
> tmpfile.
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>
>


Received on Tue Aug 15 2017 - 05:04:06 GMT
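
Added example, not part of the thread and not abuild's own code: a stand-alone check that reads a complete APKBUILD and reports every `source` entry without a well-formed `sha512sums` line, instead of judging from a commit view that may be cut off. The sample file, package name and digests are constructed placeholders, and only plain `$var` / `${var}` expansions are handled.

```python
import re

# Constructed sample APKBUILD; digests are placeholders, not real hashes.
FULL = '''pkgname=py-example
pkgver=1.0.0
source="https://example.org/$pkgname-$pkgver.tar.gz
	fix.patch"
md5sums="%s  py-example-1.0.0.tar.gz
%s  fix.patch"
sha512sums="%s  py-example-1.0.0.tar.gz
%s  fix.patch"
''' % ("0" * 32, "1" * 32, "a" * 128, "b" * 128)

# Same file cut off just after md5sums, like the truncated view in the thread.
TRUNCATED = FULL[:FULL.index("sha512sums=")]

def _var(text, name):
    """Value of a simple name=value or name="multi-line value" assignment."""
    m = re.search(r'^%s=(?:"([^"]*)"|(\S*))' % re.escape(name), text, re.M)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)

def source_files(text):
    """Local file names of all source entries (name::url or basename of url)."""
    raw = re.sub(r'\$\{?(\w+)\}?', lambda m: _var(text, m.group(1)),
                 _var(text, "source"))
    return [e.split("::", 1)[0] if "::" in e else e.rsplit("/", 1)[-1]
            for e in raw.split()]

def sha512_entries(text):
    """Map file name -> digest from the sha512sums block."""
    pairs = (line.split() for line in _var(text, "sha512sums").splitlines())
    return {p[1]: p[0] for p in pairs if len(p) == 2}

def audit(text):
    """List (file, problem) for sources lacking a well-formed sha512 entry."""
    sums, problems = sha512_entries(text), []
    for name in source_files(text):
        digest = sums.get(name)
        if digest is None:
            problems.append((name, "no sha512sums entry"))
        elif not re.fullmatch(r"[0-9a-f]{128}", digest):
            problems.append((name, "malformed sha512 digest"))
    return problems

if __name__ == "__main__":
    print("full file:     ", audit(FULL))
    print("truncated view:", audit(TRUNCATED))
```
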