FreeTDS/freetds

freetds-1.4.tar.bz2 file has been modified

fxcoudert opened this issue · 5 comments

The source file https://www.freetds.org/files/stable/freetds-1.4.tar.bz2 has been modified today on the server. Homebrew had a SHA-256 checksum for that file of 1dd62979822d46ca67635bf7114f84255016b49bd9e262f254067455238dbb70 (which was recorded by our servers as correct on 2023-09-23 18:08:50 -0700). The checksum as of today is 35cb55743c5c2e0b579caf180eebb5cb4a65155b7c7aa3428c1b6b5d3cc291f4 and the modification date of the file is listed as 2023-09-25.

Has the file been tampered with?

No, silly mistake not updating some note files. Only README.md file was changed.

Thanks for the check, it could prevent future tampering.

For the check to be effective, it would be good if released source files were considered stable, i.e., not replaced after they have been published. Re-releasing another file under the same name makes our job harder, and weakens the safety.

> For the check to be effective, it would be good if released source files were considered stable, i.e., not replaced after they have been published. Re-releasing another file under the same name makes our job harder, and weakens the safety.

Obviously. But the world is not perfect

I mean, you could have released a 1.4.1 file. That guarantees stability of the published files, and allows distros to pick up your changes.
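The check discussed in this thread, sketched as an added example (not Homebrew's or FreeTDS's code): compare a download against a pinned SHA-256 and, on mismatch, diff it file by file against a cached known-good copy to see what was replaced. The function names, the `pkg-1.0` paths and the in-memory archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(archive: bytes) -> dict[str, str]:
    """Map each regular file in a tar archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def triage(pinned_sha256: str, known_good: bytes, candidate: bytes) -> dict:
    """Check candidate against the pin; on mismatch, list what differs per file."""
    if sha256_hex(candidate) == pinned_sha256:
        return {"match": True, "added": [], "removed": [], "changed": []}
    old, new = member_digests(known_good), member_digests(candidate)
    return {
        "match": False,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Construct a small .tar.bz2 in memory (sample data, not the real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: two archives that differ only in README.md.
ORIGINAL = build_tarball({"pkg-1.0/README.md": b"old notes\n", "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"})
REPUBLISHED = build_tarball({"pkg-1.0/README.md": b"new notes\n", "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"})
PINNED = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    print(triage(PINNED, ORIGINAL, REPUBLISHED))
```

The per-file diff only narrows what needs review; it needs a retained known-good copy and does not show whether a changed file is benign. Metadata-only changes (modes, timestamps) do not appear in the per-file lists, but they still fail the whole-archive pin.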