From: "Tmp File"
To: alpine-dev
Subject: [alpine-devel] ABUILD checksums verification
Date: Tue, 15 Aug 2017 04:59:06 +0200
List-Id: Alpine Development

Hello Alpinists.

I thought abuild refused to build packages in case the sha512sum was absent or wrong. So when I noticed a commit that pushed a package with no sha512sum, I expected it to fail.

https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0

But to my surprise the package was built! It can now be found on the official repository.

If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.

If I made any mistake, please clear it up. But as I understand it right now, py-redis was built and distributed without verification of the sha512sum.

tmpfile.
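
A check for the condition this message reports, an APKBUILD whose `source` entries have no `sha512sums` line, written as an added example; it is not part of the original post and not abuild's own code. The function names `missing_sha512` and `write_samples` and the sample APKBUILDs are constructed for illustration, and the check covers only the presence and shape of each entry, not whether the digest matches the downloaded file.

```shell
#!/bin/sh
# Added example, not abuild's code. It sources the APKBUILD in a subshell
# (APKBUILDs are shell), so run it only where you would run the build itself.

# Print every source file that has no well-formed sha512sums line.
# Returns 0 when all sources are covered, 1 otherwise.
missing_sha512() {
	(
		source='' sha512sums=''
		. "$1" >/dev/null 2>&1 || { echo "cannot read $1"; exit 1; }
		rc=0
		for src in $source; do
			case "$src" in
				*::*) name=${src%%::*} ;;  # "name::url" renames the download
				*)    name=${src##*/} ;;   # else the last path component
			esac
			# Expected line: 128 lowercase hex digits, whitespace, file name.
			printf '%s\n' "$sha512sums" | awk -v n="$name" '
				$2 == n && $1 ~ /^[0-9a-f]+$/ && length($1) == 128 { ok = 1 }
				END { exit !ok }' || { echo "$name"; rc=1; }
		done
		exit "$rc"
	)
}

# Constructed samples: good.APKBUILD is covered, bad.APKBUILD has no sums.
write_samples() {
	digest=$(printf '%0128d' 0)   # placeholder with the right shape, not a real hash
	cat > "$1/good.APKBUILD" <<EOF
pkgname=demo
pkgver=1.0
source="https://example.org/\$pkgname-\$pkgver.tar.gz fix.patch"
sha512sums="$digest  demo-1.0.tar.gz
$digest  fix.patch"
EOF
	cat > "$1/bad.APKBUILD" <<EOF
pkgname=demo
pkgver=1.0
source="https://example.org/\$pkgname-\$pkgver.tar.gz"
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/*.APKBUILD; do
	missing_sha512 "$f" >/dev/null && echo "ok: ${f##*/}" || echo "MISSING: ${f##*/}"
done
rm -rf "$tmp"
```

Run against a changed APKBUILD before merge, a non-zero exit lists the source files that would otherwise reach the builder without a checksum entry.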