[opam-devel] Fwd: [MirageOS-devel] ounit dependency failing for mirage-xen package

Sylvain Le Gall gildor478 at gmail.com
Tue Mar 29 07:04:43 BST 2016


Hi,

I have checked the files on the server and they haven't been altered (you
can check by yourself, most of the time I add a .asc file to sign the
tarball).

Although, given that the warning about a suspicious file is in Chrome, I
don't see how it ends up in OPAM.

FYI, thanks to Törok's investigation and Google Webmaster Tools, we found the
error:
https://www.virustotal.com/en/file/abc78143f1a4c5e4626e31654f9d0efdc328a05c346ce4fa696cd31baa691962/analysis/

The problem is that gdk_pixbuf_mlsources is considered a virus (same for
labgladecc2). They actually don't contain any viruses; this is just a false
positive on an OCaml compiled bytecode program.

Regards
Sylvain

On Mon, 28 Mar 2016 at 16:12, Gabriel Scherer <gabriel.scherer at gmail.com>
wrote:

> There was news about malicious uploads on the forge from Sylvain yesterday:
>   https://forge.ocamlcore.org/forum/forum.php?forum_id=930
>
> On Mon, Mar 28, 2016 at 3:46 PM, Anil Madhavapeddy <anil at recoil.org>
> wrote:
>
>> Does anyone have time to check the forge distfiles to see if they've been
>> altered maliciously?
>>
>> I see this in some builds:
>>
>>         /home/opam/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:
>>           - 2e0a24648c55005978d4923eb4925b28 [expected result]
>>           - 0f4f7cf8741d98cb419e45cc69962600 [actual result]
>>         This may be fixed by running `opam update`.
>>
>> and the below spyware warning is very concerning indeed.
>>
>> -a
>>
>>
>> > Begin forwarded message:
>> >
>> > From: Aaron Cornelius <aaron.cornelius at dornerworks.com>
>> > Subject: Re: [MirageOS-devel] ounit dependency failing for mirage-xen
>> package
>> > Date: 28 March 2016 at 14:08:11 BST
>> > To: <talex5 at gmail.com>
>> > Cc: mirageos-devel at lists.xenproject.org
>> >
>> > On 3/26/2016 7:05 AM, Thomas Leonard wrote:
>> >> On 23 March 2016 at 16:25, Aaron Cornelius
>> >> <aaron.cornelius at dornerworks.com> wrote:
>> >>> I am setting up a new cubieboard today with mirage, but when
>> attempting to
>> >>> install the necessary opam packages I get the following md5sum error
>> on the
>> >>> downloaded package:
>> >>>
>> >>> [ERROR] Bad checksum for
>> >>> /home/mirage/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz:
>> >>>          - 2e0a24648c55005978d4923eb4925b28 [expected result]
>> >>>          - db53f6fe7559ddf572f672cbe2983f13 [actual result]
>> >>>        This may be fixed by running `opam update`.
>> >>>
>> >>> I have tried 4 times and received 4 different md5sums for the
>> downloaded package.
>> >>>
>> >>> Anyone have an idea what might be going on here?  I don't remember
>> having this
>> >>> much trouble in the past.
>> >>
>> >> It works for me. Try downloading the archive manually and checking to
>> >> see what's inside it (I'm guessing some kind of server error message).
>> >>
>> >>  http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz
>> >
>> > I discovered the problem, it appears that forge.ocamlcore.org is now
>> on some
>> > sort of spam/virus/spyware list and where I work is blocking access to
>> it.  When
>> > I try to download the file directly in chrome I get a google warning as
>> well.
>> >
>> > For the moment I created my own development opam repo and patched the
>> ounit
>> > requirement out of the xen-evtchn/xen-gnt/xenstore packages.
>> >
>>
>
>
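An added example, not part of the thread or of opam: a small triage helper for the "download the archive manually and check what's inside" step suggested above. It separates an HTML page served in place of the tarball (which hashes differently whenever the page content varies per request) from an intact gzip with a different hash and from a truncated transfer. The function name `triage_download` and the sample inputs are constructed for illustration; only the expected md5 comes from the thread.

```python
import gzip
import hashlib
import io
import zlib

# md5 opam expected for ounit-2.0.0.tar.gz, as quoted in the thread
EXPECTED_MD5 = "2e0a24648c55005978d4923eb4925b28"

def triage_download(data: bytes, expected_md5: str = EXPECTED_MD5) -> dict:
    """Classify a download that opam rejected with 'Bad checksum' (hypothetical helper)."""
    actual = hashlib.md5(data).hexdigest()
    report = {"md5": actual, "size": len(data)}
    head = data[:512].lstrip().lower()
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            # Decompress fully so truncation and CRC errors surface.
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
                while fh.read(65536):
                    pass
            report["kind"] = "gzip"
        except (OSError, EOFError, zlib.error):
            report["kind"] = "gzip-corrupt"
    elif head.startswith((b"<!doctype", b"<html")):
        report["kind"] = "html"
    else:
        report["kind"] = "unknown"

    if actual == expected_md5.lower():
        report["verdict"] = "ok"
    elif report["kind"] == "html":
        report["verdict"] = "not the archive: an HTML page (filter block or server error)"
    elif report["kind"] == "gzip":
        report["verdict"] = "intact gzip with a different hash: stale metadata or changed file"
    else:
        report["verdict"] = "not a readable gzip: truncated, corrupted or unexpected content"
    return report

# Constructed sample inputs (not captured from the incident).
GOOD = gzip.compress(b"constructed stand-in for a tarball\n" * 50, mtime=0)
BLOCK_PAGES = [
    b"<!DOCTYPE html><html><body>Access blocked. Request id: %d</body></html>" % n
    for n in (1001, 1002)
]

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("cut", GOOD[: len(GOOD) // 2]),
                       ("page1", BLOCK_PAGES[0]), ("page2", BLOCK_PAGES[1])]:
        r = triage_download(blob, hashlib.md5(GOOD).hexdigest())
        print(name, r["md5"], r["kind"], "->", r["verdict"])
```

An intact gzip with the wrong hash is the case where the author's `.asc` signature, mentioned above, is the check to run next.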