From: "Tmp File"
To: alpine-dev
Subject: Re: [alpine-devel] ABUILD checksums verification
Date: Tue, 15 Aug 2017 05:04:06 +0200

Just after sending the email I realized my mistake.
It happens that py-redis *does* have valid sha512sum but the commit was truncated above it (just after md5sum).
I'm ashamed of this mistake and for causing trouble over nothing.
Sorry Alpinists.

> Sent: Monday, August 14, 2017 at 11:59 PM
> From: "Tmp File"
> To: alpine-dev
> Subject: [alpine-devel] ABUILD checksums verification
>
> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.
>
> If I made any mistake please clear up.
> But as I understand right now py-redis was built and distributed without verification of sha512sum.
>
> tmpfile.
>
> ---
> Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
> Help: alpine-devel+help@lists.alpinelinux.org
> ---