Defect #38874
closed
The entire library of binaries https://redmine.org/releases/ is recompiled
Description
Is there any particular reason why all binaries in https://redmine.org/releases/ were recompiled on March 20, 2023? I checked a couple of sha256s and while they are OK, this is highly suspicious activity.
I'd expect binaries to be committed once, and not to be tampered with again.
Could anyone confirm if this is a flaw in some workflow and if you could revert back to historically timestamped dates? I appreciate that anything can be tampered with, but it's so much more difficult for a hostile actor to manually change dates in hundreds of files individually, rather than in a single go. The latter is one possible explanation of why what I found on https://redmine.org/releases/ has happened. It's probably not, but still. Not touching old binaries is just a better practice for some sort of community auditability.
Otherwise, many thanks, guys. It's a fantastic product!