Updated by Boris Lukashev over 5 years ago
### **Environment**:
OpenProject Version: 11.0.0
### **Concern**
* Security-oriented companies use checksums to verify the integrity of released code by vendors
* When vendors try to hide bugs in a release by re-releasing it, they:
  * cause consumers using an SDLC to have to either determine that the upstream repo is poisoned and terminate use/start response procedures
  * cause consumers to develop a lax posture _expecting_ the vendor to screw with release semantics
  * shake confidence in the professional integrity of the outfit looking to hide a "bad" release
* Sha512 sum before the silent re-release: `21241760dbefc085fd242f6af73b4c866fe91ceb6911583f0a13298c8ae92a190d6816e0d98d6a48a78ea3989c9a19560a34328be3ea6dac0f3ac78388a59618`
* Sha512 sum after re-release: `21241760dbefc085fd242f6af73b4c866fe91ceb6911583f0a13298c8ae92a190d6816e0d98d6a48a78ea3989c9a19560a34328be3ea6dac0f3ac78388a59618`
### **Steps to reproduce:**
1. Use sha512 to ensure that the downloaded archive from GH is correct
2. Get errors on sha512 sum when upstream _re-releases an already tagged version again with bugfixes_
### **Clarification Request:**
* Did the OP team re-tag a release on github, _or_ **was the OpenProject GH repo compromised** and have malware injected into the code that runs a reasonable number of critical corporate workflows worldwide?
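The verification step in the report above (pin the SHA-512 of a downloaded release archive, then fail loudly when a later download of the same tag no longer matches), as an added example that is not part of the original report or of OpenProject's own tooling. It assumes only that `sha512sum` (coreutils) or `shasum` (BSD/perl) is on the PATH; the archive contents and the pinned digest in the demo are constructed stand-ins, not the real OpenProject release.

```shell
#!/bin/sh
# Added example: pin-and-verify a release archive's SHA-512 digest.
# Assumption (not from the report): sha512sum or shasum is available.

# Print the lowercase hex SHA-512 of a file, whichever tool is present.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Compare a file against a pinned digest. Returns 0 on match, 1 on mismatch.
# The pinned value is lowercased so a copy-pasted uppercase digest still matches.
verify_sha512() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha512_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file" >&2
  echo "  pinned: $expected" >&2
  echo "  actual: $actual" >&2
  return 1
}

# Record the digest of a freshly downloaded archive in a pins file so that
# every later download of the same tag is checked against the first one.
pin_release() {
  pins=$1
  file=$2
  printf '%s  %s\n' "$(sha512_of "$file")" "$(basename "$file")" >>"$pins"
}

# Re-check every pinned archive in a directory. Returns 0 only if all match.
check_pins() {
  pins=$1
  dir=$2
  rc=0
  while read -r digest name; do
    verify_sha512 "$dir/$name" "$digest" || rc=1
  done <"$pins"
  return $rc
}

# Demo with constructed data: a stand-in archive whose body is the 3 bytes "abc".
# (SHA-512("abc") is the FIPS 180 test vector used in the check below.)
demo() {
  work=$(mktemp -d)
  printf 'abc' >"$work/release-stand-in.tar.gz"
  pin_release "$work/pins.sha512" "$work/release-stand-in.tar.gz"
  check_pins "$work/pins.sha512" "$work"          # prints OK
  # Simulate a silent re-release under the same tag: the bytes change.
  printf 'abcd' >"$work/release-stand-in.tar.gz"
  check_pins "$work/pins.sha512" "$work" || echo "re-release detected"
  rm -rf "$work"
}
```

In an SDLC pipeline the pins file is what gets committed alongside the build scripts; `check_pins` then turns a silently re-tagged archive into a hard build failure, which is the point at which the report's "poisoned upstream or vendor re-tag?" question gets asked instead of being missed.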