Hello Alpinists.

I thought abuild refused to build packages in case the sha512sum was absent or wrong. So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.

https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0

But to my surprise the package was built! It can now be found on the official repository. If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.

If I made any mistake, please clear up. But as I understand it right now, py-redis was built and distributed without verification of the sha512sum.

tmpfile.

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
Hi,

This is not a problem as the file includes an md5sum, which is still checked.

On Mon, Aug 14, 2017 at 9:59 PM Tmp File <tmpfile@mail.com> wrote:
> I thought abuild refused to build packages in case the sha512sum was
> absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I
> expected it to fail.

--
Kiyoshi Aman
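The fallback Kiyoshi describes, as an added illustration rather than abuild's own code: a small Python verifier that parses the sha512sums=/sha256sums=/md5sums= lists of an APKBUILD-style file, checks a fetched source against the strongest list that names it, and refuses to build when no list does. The "strongest list first" order and the sample APKBUILD fragment are assumptions (the sample is constructed, not the real py-redis APKBUILD).

```python
import hashlib
import re

# Checksum lists an APKBUILD may carry, strongest first. Assumed policy (this
# mirrors the reply above, not abuild's source): check the strongest list that
# names the file, fall back to weaker ones, and refuse to build with none.
ALGORITHMS = ("sha512", "sha256", "md5")

_SUMS_RE = re.compile(r'^(sha512|sha256|md5)sums="([^"]*)"', re.MULTILINE)


def parse_checksums(apkbuild_text):
    """Return {algorithm: {filename: hexdigest}} for every *sums= list found."""
    found = {}
    for algo, body in _SUMS_RE.findall(apkbuild_text):
        entries = {}
        for line in body.strip().splitlines():
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"malformed {algo}sums entry: {line!r}")
            entries[parts[1]] = parts[0].lower()
        found[algo] = entries
    return found


def verify_source(apkbuild_text, filename, data):
    """Check `data` for `filename` against the strongest list naming it.

    Returns the algorithm used. Raises ValueError on mismatch or when no
    list names the file (nothing to verify means do not build).
    """
    sums = parse_checksums(apkbuild_text)
    for algo in ALGORITHMS:
        expected = sums.get(algo, {}).get(filename)
        if expected is None:
            continue
        if hashlib.new(algo, data).hexdigest() != expected:
            raise ValueError(f"{algo} mismatch for {filename}")
        return algo
    raise ValueError(f"no checksum for {filename}; refusing to build")


# Constructed sample source and APKBUILD fragment (not the real py-redis files).
SAMPLE_TARBALL = b"example source archive contents\n"
SAMPLE_APKBUILD = f'''\
pkgname=example
md5sums="{hashlib.md5(SAMPLE_TARBALL).hexdigest()}  example-1.0.tar.gz"
sha512sums="{hashlib.sha512(SAMPLE_TARBALL).hexdigest()}  example-1.0.tar.gz"
'''

if __name__ == "__main__":
    print(verify_source(SAMPLE_APKBUILD, "example-1.0.tar.gz", SAMPLE_TARBALL))
```

Removing the sha512sums= line from the sample makes the check fall back to md5, which is the situation the truncated commit view suggested; a tampered archive or a file no list names still fails the build.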
Just after sending the email I realized my mistake. It happens that py-redis *does* have a valid sha512sum but the commit was truncated above it (just after md5sum).

I'm ashamed of this mistake and of causing trouble over nothing. Sorry Alpinists.

> Sent: Monday, August 14, 2017 at 11:59 PM
> From: "Tmp File" <tmpfile@mail.com>
> To: alpine-dev <alpine-devel@lists.alpinelinux.org>
> Subject: [alpine-devel] ABUILD checksums verification
>
> So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!