For discussion of Alpine Linux development and developer support


[alpine-devel] ABUILD checksums verification

Tmp File
Details
Message ID
<trinity-c8ba54cb-8af1-40ca-baa1-1b87232dcbcf-1502765946385@3c-app-mailcom-lxa14>
Sender timestamp
1502765946
DKIM signature
missing
Hello Alpinists.

I thought abuild refused to build packages in case the sha512sum was absent or wrong.
So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
But to my surprise the package was built!
It can now be found on the official repository.
If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.

If I made any mistake, please clear it up.
But as I understand right now py-redis was built and distributed without verification of sha512sum.

tmpfile.


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Kiyoshi Aman
Details
Message ID
<CAML-UdtpXfCj-zoPbBW+_fCCB_iJ_qKbY4PPf1HT+8rOmO3cmg@mail.gmail.com>
In-Reply-To
<trinity-c8ba54cb-8af1-40ca-baa1-1b87232dcbcf-1502765946385@3c-app-mailcom-lxa14>
Sender timestamp
1502766190
DKIM signature
missing
Hi,

This is not a problem as the file includes an md5sum, which is still
checked.

On Mon, Aug 14, 2017 at 9:59 PM Tmp File <tmpfile@mail.com> wrote:

> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was
> absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I
> expected it to fail.
>
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and
> distributed... this sounds like a security issue.
>
> If I made any mistake, please clear it up.
> But as I understand right now py-redis was built and distributed without
> verification of sha512sum.
>
> tmpfile.
>
>
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
>
> --
-- Kiyoshi Aman
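The two messages above turn on how abuild gates a build on the checksums carried in the APKBUILD (a `sha512sums="..."` variable, and at the time also `md5sums="..."`, each holding one `<hexdigest>  <filename>` entry per line). The script below is an added example written for this page, not abuild's own code: it parses those variables out of a constructed APKBUILD, verifies a constructed stand-in source file against them, and classifies each file as verified by sha512, verified only by md5, mismatched, or unverified. It also reproduces the pitfall the thread hit, a view of the file cut off just after `md5sums`, which makes the sha512 entry look absent even though the file itself is complete. The package name, version, URL and file bytes are assumptions used only for the demo.

```python
import hashlib
import re
from typing import Dict

# Constructed stand-in for an upstream source archive (not real py-redis bytes).
SOURCES = {"redis-2.10.5.tar.gz": b"constructed tarball payload, not a real archive\n"}

# Checksum variables an APKBUILD may carry, strongest first.
CHECK_VARS = (("sha512sums", "sha512"), ("md5sums", "md5"))


def make_apkbuild(files: Dict[str, bytes], with_sha512: bool = True, with_md5: bool = True) -> str:
    """Emit a minimal, constructed APKBUILD. md5sums is written before sha512sums,
    matching the layout the thread describes (sha512sums sat below md5sums)."""
    body = [
        "pkgname=py-redis",
        "pkgver=2.10.5",
        'source="https://example.invalid/redis-$pkgver.tar.gz"',  # assumed URL
    ]
    for var, algo in reversed(CHECK_VARS):
        if (var == "sha512sums" and not with_sha512) or (var == "md5sums" and not with_md5):
            continue
        entries = [f"{hashlib.new(algo, data).hexdigest()}  {name}" for name, data in files.items()]
        body.append(f'{var}="' + "\n".join(entries) + '"')
    return "\n".join(body) + "\n"


def parse_sums(apkbuild: str, var: str) -> Dict[str, str]:
    """Return {filename: hexdigest} for one checksum variable; {} if the variable is absent."""
    m = re.search(rf'^{var}="([^"]*)"', apkbuild, re.M)
    if not m:
        return {}
    sums = {}
    for line in m.group(1).strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed {var} entry: {line!r}")
        digest, name = parts
        sums[name] = digest.lower()
    return sums


def check_sources(apkbuild: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each source file: 'sha512-ok', 'md5-only', 'mismatch' or 'unverified'.
    The strongest available digest decides; a file with no entry at all is 'unverified'."""
    result = {}
    for name, data in files.items():
        status = "unverified"
        for var, algo in CHECK_VARS:
            expected = parse_sums(apkbuild, var).get(name)
            if expected is None:
                continue
            if hashlib.new(algo, data).hexdigest() != expected:
                status = "mismatch"
            else:
                status = "sha512-ok" if algo == "sha512" else "md5-only"
            break
        result[name] = status
    return result


def build_allowed(statuses: Dict[str, str], require_sha512: bool = True) -> bool:
    """Build gate: by default only sha512-verified sources pass; md5-only can be
    tolerated explicitly, but md5 is collision-weak and should not be the last line."""
    accepted = {"sha512-ok"} if require_sha512 else {"sha512-ok", "md5-only"}
    return all(s in accepted for s in statuses.values())


def truncate_after(text: str, var: str) -> str:
    """Mimic a diff/commit view that stops right after the given variable."""
    m = re.search(rf'^{var}="[^"]*"\n', text, re.M)
    return text[: m.end()] if m else text


if __name__ == "__main__":
    full = make_apkbuild(SOURCES)
    print("complete file :", check_sources(full, SOURCES))
    # The view was cut after md5sums; the file still has sha512sums.
    print("truncated view:", check_sources(truncate_after(full, "md5sums"), SOURCES))
    tampered = {n: d + b"backdoor" for n, d in SOURCES.items()}
    print("tampered source:", check_sources(full, tampered))
    print("no checksums  :", check_sources("pkgname=py-redis\n", SOURCES))
```

Checking the real APKBUILD rather than a diff view is the point: `check_sources` on the complete file reports `sha512-ok`, while the same call on the truncated text reports `md5-only`, which is exactly the false alarm raised in the first message.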
Tmp File
Details
Message ID
<trinity-a99caa22-54e0-4708-83ba-2abfc5a112a2-1502766246679@3c-app-mailcom-lxa14>
In-Reply-To
<trinity-c8ba54cb-8af1-40ca-baa1-1b87232dcbcf-1502765946385@3c-app-mailcom-lxa14>
Sender timestamp
1502766246
DKIM signature
missing
Just after sending the email I realized my mistake.
It happens that py-redis *does* have a valid sha512sum, but the commit view was truncated above it (just after the md5sum).
I'm ashamed of this mistake and for causing trouble over nothing.
Sorry Alpinists.

> Sent: Monday, August 14, 2017 at 11:59 PM
> From: "Tmp File" <tmpfile@mail.com>
> To: alpine-dev <alpine-devel@lists.alpinelinux.org>
> Subject: [alpine-devel] ABUILD checksums verification
>
> Hello Alpinists.
> 
> I thought abuild refused to build packages in case the sha512sum was absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.
> 
> If I made any mistake, please clear it up.
> But as I understand right now py-redis was built and distributed without verification of sha512sum.
> 
> tmpfile.
> 
> 
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
> 
> 

