<div dir="ltr">There was news from malicious uploads on the forge from Sylvain yesterday:<br> <a href="https://forge.ocamlcore.org/forum/forum.php?forum_id=930">https://forge.ocamlcore.org/forum/forum.php?forum_id=930</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 28, 2016 at 3:46 PM, Anil Madhavapeddy <span dir="ltr"><<a href="mailto:anil@recoil.org" target="_blank">anil@recoil.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Does anyone have time to check the forge distfiles to see if they've been altered maliciously?<br>
<br>
I see this in some builds:<br>
<br>
/home/opam/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:<br>
- 2e0a24648c55005978d4923eb4925b28 [expected result]<br>
- 0f4f7cf8741d98cb419e45cc69962600 [actual result]<br>
This may be fixed by running `opam update`.<br>
<br>
and the below spyware warning is very concerning indeed.<br>
<br>
-a<br>
<br>
<br>
> Begin forwarded message:<br>
><br>
> From: Aaron Cornelius <<a href="mailto:aaron.cornelius@dornerworks.com">aaron.cornelius@dornerworks.com</a>><br>
> Subject: Re: [MirageOS-devel] ounit dependency failing for mirage-xen package<br>
> Date: 28 March 2016 at 14:08:11 BST<br>
> To: <<a href="mailto:talex5@gmail.com">talex5@gmail.com</a>><br>
> Cc: <a href="mailto:mirageos-devel@lists.xenproject.org">mirageos-devel@lists.xenproject.org</a><br>
><br>
> On 3/26/2016 7:05 AM, Thomas Leonard wrote:<br>
>> On 23 March 2016 at 16:25, Aaron Cornelius<br>
>> <<a href="mailto:aaron.cornelius@dornerworks.com">aaron.cornelius@dornerworks.com</a>> wrote:<br>
>>> I am setting up a new cubieboard today with mirage, but when attempting to<br>
>>> install the necessary opam packages I get the following md5sum error on the<br>
>>> downloaded package:<br>
>>><br>
>>> [ERROR] Bad checksum for<br>
>>> /home/mirage/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:<br>
>>> - 2e0a24648c55005978d4923eb4925b28 [expected result]<br>
>>> - db53f6fe7559ddf572f672cbe2983f13 [actual result]<br>
>>> This may be fixed by running `opam update`.<br>
>>><br>
>>> I have tried 4 times and received 4 different md5sums for the downloaded package.<br>
>>><br>
>>> Anyone have an idea what might be going on here? I don't remember having this<br>
>>> much trouble in the past.<br>
>><br>
>> It works for me. Try downloading the archive manually and checking to<br>
>> see what's inside it (I'm guessing some kind of server error message).<br>
>><br>
>> <a href="http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz" rel="noreferrer" target="_blank">http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz</a><br>
><br>
> I discovered the problem, it appears that <a href="http://forge.ocamlcore.org" rel="noreferrer" target="_blank">forge.ocamlcore.org</a> is now on some<br>
> sort of spam/virus/spyware list and where I work is blocking access to it. When<br>
> I try to download the file directly in chrome I get a google warning as well.<br>
><br>
> For the moment I created my own development opam repo and patched the ounit<br>
> requirement out of the xen-evtchn/xen-gnt/xenstore packages.<br>
><br>
> _______________________________________________<br>
> MirageOS-devel mailing list<br>
> <a href="mailto:MirageOS-devel@lists.xenproject.org">MirageOS-devel@lists.xenproject.org</a><br>
> <a href="http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel" rel="noreferrer" target="_blank">http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel</a><br>
<br>
_______________________________________________<br>
opam-devel mailing list<br>
<a href="mailto:opam-devel@lists.ocaml.org">opam-devel@lists.ocaml.org</a><br>
<a href="http://lists.ocaml.org/listinfo/opam-devel" rel="noreferrer" target="_blank">http://lists.ocaml.org/listinfo/opam-devel</a><br>
</blockquote></div><br></div>