From: Kiyoshi Aman
Date: Tue, 15 Aug 2017 03:03:10 +0000
Subject: Re: [alpine-devel] ABUILD checksums verification
To: Tmp File, alpine-dev

Hi,

This is not a problem as the file includes an md5sum, which is still checked.

On Mon, Aug 14, 2017 at 9:59 PM Tmp File wrote:
> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was
> absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I
> expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and
> distributed... this sounds like a security issue.
>
> If I made any mistake, please clear up.
> But as I understand right now py-redis was built and distributed without
> verification of sha512sum.
>
> tmpfile.

--
-- Kiyoshi Aman
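An added example, not abuild's own code and not from either poster: a small POSIX sh helper that pulls the sha512sums block out of an APKBUILD and verifies the downloaded sources with it, failing closed when the APKBUILD carries only md5sums. The package name, file name and APKBUILD contents are constructed fixtures; the fail-closed policy is an assumption of the example, not a statement about what abuild did in 2017.

```shell
#!/bin/sh
# Added example (not abuild's code): verify APKBUILD sources by sha512sums only,
# and refuse to proceed when no sha512sums block exists at all.

# Print the "<hash>  <file>" lines of block $2 (md5sums or sha512sums) in APKBUILD $1.
# Handles both the one-line form  md5sums="h  f"  and the multi-line form.
checksum_block() {
    awk -v name="$2" '
        index($0, name "=\"") == 1 { inblock = 1; sub("^" name "=\"", "") }
        inblock {
            done = ($0 ~ /"$/)          # closing quote ends the block
            sub(/"$/, "")
            if ($0 !~ /^[[:space:]]*$/) print
            if (done) exit
        }' "$1"
}

# Verify the sources in directory $2 against the sha512sums of APKBUILD $1.
# Returns 0 on success, 2 when the APKBUILD has no sha512sums, 1 on a mismatch.
verify_sources() {
    sums=$(checksum_block "$1" sha512sums)
    if [ -z "$sums" ]; then
        echo "refusing to build: $1 has no sha512sums block" >&2
        return 2
    fi
    printf '%s\n' "$sums" | (cd "$2" && sha512sum -c --status)
}

# Create constructed fixtures in a temporary directory and print its path:
# a source file, an APKBUILD with sha512sums, and one with only md5sums.
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/src"
    printf 'py-redis sources (constructed sample data)\n' > "$d/src/py-redis.tar.gz"
    h512=$(cd "$d/src" && sha512sum py-redis.tar.gz)
    h5=$(cd "$d/src" && md5sum py-redis.tar.gz)
    printf 'pkgname=py-redis\nmd5sums="%s"\nsha512sums="%s"\n' "$h5" "$h512" > "$d/APKBUILD.ok"
    printf 'pkgname=py-redis\nmd5sums="%s"\n' "$h5" > "$d/APKBUILD.md5only"
    echo "$d"
}
```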