Defect #38874

closed

The entire library of binaries https://redmine.org/releases/ is recompiled

Added by A Fora over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Website (redmine.org)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Wont fix
Affected version:

Description

Is there any particular reason why all binaries in https://redmine.org/releases/ were recompiled on March 20, 2023? I checked a couple of sha256s and while they are OK, this is highly suspicious activity.

I'd expect binaries to be committed once, and not to be tampered with again.

Could anyone confirm if this is a flaw in some workflow and if you could revert back to historically timestamped dates? I appreciate that anything can be tampered with, but it's so much more difficult for a hostile actor to manually change dates in hundreds of files individually, rather than in a single go. The latter is one possible explanation of why what I found on https://redmine.org/releases/ has happened. It's probably not, but still. Not touching old binaries is just a better practice for some sort of community auditability.

Otherwise, many thanks guys. It's a fantastic product!
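The distinction the report turns on, files whose dates moved versus files whose bytes changed, can be checked against a locally kept baseline. The following is an added example, not part of the original report or of Redmine's own tooling; the file names, contents and the functions `snapshot`, `audit` and `demo` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(directory):
    """Map file name -> (sha256, mtime in whole seconds) for each regular file."""
    return {p.name: (sha256_file(p), int(p.stat().st_mtime))
            for p in sorted(Path(directory).iterdir()) if p.is_file()}

def audit(baseline, current):
    """Compare a stored baseline with a fresh snapshot and classify every file."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report[name] = "new"
        elif new is None:
            report[name] = "missing"
        elif old[0] != new[0]:
            report[name] = "content-changed"  # bytes differ, whatever the date says
        elif old[1] != new[1]:
            report[name] = "touched"          # same bytes, only the timestamp moved
        else:
            report[name] = "unchanged"
    return report

def demo():
    """Constructed sample: three small files standing in for release archives."""
    old_date, new_date = 1_500_000_000, 1_679_270_400  # new_date is 2023-03-20 UTC
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("a.tar.gz", b"alpha"), ("b.tar.gz", b"beta"),
                           ("c.tar.gz", b"gamma")]:
            Path(d, name).write_bytes(data)
            os.utime(Path(d, name), (old_date, old_date))
        baseline = snapshot(d)
        os.utime(Path(d, "a.tar.gz"), (new_date, new_date))  # date changed only
        Path(d, "b.tar.gz").write_bytes(b"BETA")               # bytes changed
        os.utime(Path(d, "b.tar.gz"), (old_date, old_date))  # date left as before
        return audit(baseline, snapshot(d))

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

A baseline of digests recorded at download time makes the verdict independent of the server's timestamps: a mass re-dating shows up as `touched`, while a changed archive shows up as `content-changed` even when its date is unchanged.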
