Project

General

Profile

Actions

Defect #38874

closed

The entire library of binaries https://redmine.org/releases/ is recompiled

Added by A Fora 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Website (redmine.org)
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

Is there any particular reason why all binaries in https://redmine.org/releases/ are recompiled on March 20, 2023? I checked a couple of sha256s and while they are OK, this is highly suspicious activity.

I'd expect binaries to be committed once, and not to be tempered again.

Could anyone confirm if this is a flaw in some workflow and if you could revert back to historically timestamped dates. I appreciate that anything can be tempered with, but it's so much more difficult for a hostile actor to manually change dates in hundreds of files individually, rather than in a single go. The latter is one possible explanation of why what I found on https://redmine.org/releases/ has happened. It's probably not, but still. Not touching old binaries is just a better practice for some sort of community auditability.

Otherwise, many thanks guys. It's a fantastic product!

Actions #1

Updated by Go MAEDA 7 months ago

  • Category set to Website (redmine.org)

I think the recompile is due to the server migration of www.redmine.org. On March 23, Jean-Philippe Lang switched the server and updated the version of Redmine that is running on www.redmine.org.

Actions #2

Updated by Go MAEDA 7 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix
Actions

Also available in: Atom PDF