[opam-devel] Fwd: [MirageOS-devel] ounit dependency failing for mirage-xen package

Gabriel Scherer gabriel.scherer at gmail.com
Mon Mar 28 15:12:15 BST 2016


There was news from malicious uploads on the forge from Sylvain yesterday:
  https://forge.ocamlcore.org/forum/forum.php?forum_id=930

On Mon, Mar 28, 2016 at 3:46 PM, Anil Madhavapeddy <anil at recoil.org> wrote:

> Does anyone have time to check the forge distfiles to see if they've been
> altered maliciously?
>
> I see this in some builds:
>
>         /home/opam/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:
>           - 2e0a24648c55005978d4923eb4925b28 [expected result]
>           - 0f4f7cf8741d98cb419e45cc69962600 [actual result]
>         This may be fixed by running `opam update`.
>
> and the below spyware warning is very concerning indeed.
>
> -a
>
>
> > Begin forwarded message:
> >
> > From: Aaron Cornelius <aaron.cornelius at dornerworks.com>
> > Subject: Re: [MirageOS-devel] ounit dependency failing for mirage-xen
> package
> > Date: 28 March 2016 at 14:08:11 BST
> > To: <talex5 at gmail.com>
> > Cc: mirageos-devel at lists.xenproject.org
> >
> > On 3/26/2016 7:05 AM, Thomas Leonard wrote:
> >> On 23 March 2016 at 16:25, Aaron Cornelius
> >> <aaron.cornelius at dornerworks.com> wrote:
> >>> I am setting up a new cubieboard today with mirage, but when
> attempting to
> >>> install the necessary opam packages I get the following md5sum error
> on the
> >>> downloaded package:
> >>>
> >>> [ERROR] Bad checksum for
> >>> /home/mirage/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:
> >>>          - 2e0a24648c55005978d4923eb4925b28 [expected result]
> >>>          - db53f6fe7559ddf572f672cbe2983f13 [actual result]
> >>>        This may be fixed by running `opam update`.
> >>>
> >>> I have tried 4 times and received 4 different md5sums for the
> downloaded package.
> >>>
> >>> Anyone have an idea what might be going on here?  I don't remember
> having this
> >>> much trouble in the past.
> >>
> >> It works for me. Try downloading the archive manually and checking to
> >> see what's inside it (I'm guessing some kind of server error message).
> >>
> >>  http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz
> >
> > I discovered the problem, it appears that forge.ocamlcore.org is now on
> some
> > sort of spam/virus/spyware list and where I work is blocking access to
> it.  When
> > I try to download the file directly in chrome I get a google warning as
> well.
> >
> > For the moment I created my own development opam repo and patched the
> ounit
> > requirement out of the xen-evtchn/xen-gnt/xenstore packages.
> >
> > _______________________________________________
> > MirageOS-devel mailing list
> > MirageOS-devel at lists.xenproject.org
> > http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
>
> _______________________________________________
> opam-devel mailing list
> opam-devel at lists.ocaml.org
> http://lists.ocaml.org/listinfo/opam-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ocaml.org/pipermail/opam-devel/attachments/20160328/088cbafa/attachment.html>


More information about the opam-devel mailing list