https://bugs.documentfoundation.org/show_bug.cgi?id=164790
--- Comment #10 from Dan Dascalescu <[email protected]> ---

Sorry for not reading all the comments, but I wanted to add my request to PLEASE add the version number in the AppImage download URLs because something seems really fishy:

1. If downloaded at the time of this writing, the "Fresh" and "Still" .AppImage files are identical.
2. More worrying, the version is the same, INCLUDING THE BUILD NUMBER, as a previous 24.8.4.2 AppImage, with the SAME SIZE, but DIFFERENT CHECKSUM, that I downloaded on Jan 16.

I don't know if this means an AppImage was maliciously compromised, but it doesn't look good.

Here's what I did / reproduction steps:

First, I downloaded the AppImage files from the URLs listed at https://www.libreoffice.org/download/appimage/. The download was very slow, ~200KB/s.

```
wget https://appimages.libreitalia.org/LibreOffice-fresh.basic-x86_64.AppImage
wget https://appimages.libreitalia.org/LibreOffice-still.basic-x86_64.AppImage
```

Then, after chmod +x, I wanted to rename the .AppImage files to include the version names:

```
$ ./LibreOffice-fresh.basic-x86_64.AppImage --version
LibreOffice 24.8.4.2 bb3cfa12c7b1bf994ecc5649a80400d06cd71002
```

What? I expected "fresh" to be v25.2.0, not 24.8.4.2.

Anyway, I renamed that file to `LibreOffice-fresh.basic-24.8.4.2_build_bb3.AppImage`, and my previous 2.8.4.2 version to `LibreOffice-fresh.basic-24.8.4.2_ALSO_build_bb3.AppImage`.

```
$ ./LibreOffice-fresh.basic-24.8.4.2_ALSO_build_bb3.AppImage --version
LibreOffice 24.8.4.2 bb3cfa12c7b1bf994ecc5649a80400d06cd71002
```

Same version, same build, strange.

Then I ran `LibreOffice-still.basic-x86_64.AppImage --version` and saw it displayed the same version and build number, and had the same size.

OK, let's run `ls` and checksums:

```
$ ls -l --time-style=+%Y-%m-%d LibreOffice-* | awk '{print $6, $5, $7}'
2025-01-16 285856960 LibreOffice-fresh.basic-24.8.4.2_ALSO_build_bb3.AppImage
2025-02-08 285856960 LibreOffice-fresh.basic-24.8.4.2_build_bb3.AppImage
2025-02-08 285856960 LibreOffice-still.basic-x86_64.appimage

$ sha256sum LibreOffice-*
32ae5eedf6799d8110736010a9bdecb8cd67d3446e2420188098845402192031  LibreOffice-fresh.basic-24.8.4.2_ALSO_build_bb3.AppImage
0f3b5be47a5cbfa88148f49903a8cac5281c68071b1e8ab52c8944f7f93bd6b7  LibreOffice-fresh.basic-24.8.4.2_build_bb3.AppImage
0f3b5be47a5cbfa88148f49903a8cac5281c68071b1e8ab52c8944f7f93bd6b7  LibreOffice-still.basic-x86_64.AppImage

$ diff LibreOffice-fresh.basic-24.8.4.2_build_bb3.AppImage LibreOffice-still.basic-x86_64.AppImage  # sanity check
$
```

# Questions

1. Why is https://appimages.libreitalia.org/LibreOffice-fresh.basic-x86_64.AppImage not v 25.2.0? Ok, maybe that was a mistake in naming the file.
2. But why do the 2.8.4.2 builds have the same size, version, and build number, but different checksums?

I've uploaded my pre-Jan 16 AppImage to https://filebin.net/przywkhdxl5ix2hx if that helps.

Virustotal doesn't show any vendor warnings for either file but that doesn't mean much if a version was, for example, slightly modified to upload your documents to an attacker.
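
A possible next triage step for two same-size files with different checksums, added here as an example and not part of the original comment or of the LibreOffice project: list where the bytes differ, merged into ranges, so the changed regions can be inspected directly. The function name `diff_ranges` and its `GAP` argument are hypothetical names chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report). diff_ranges and GAP are
# hypothetical names used only for this illustration.
#
# diff_ranges OLD NEW [GAP]
#   Prints one line per cluster of differing bytes: "start end count"
#   (0-based offsets). Differences at most GAP bytes apart are merged.
#   Returns 2 if the files are not the same size.
diff_ranges() {
    local old=$1 new=$2 gap=${3:-64}

    # Offset-by-offset comparison only makes sense for equal sizes;
    # inserted or removed bytes would shift everything after them.
    if [ "$(wc -c < "$old")" -ne "$(wc -c < "$new")" ]; then
        echo "diff_ranges: sizes differ, offsets are not comparable" >&2
        return 2
    fi

    # cmp -l prints "<1-based offset> <octal old> <octal new>" for every
    # differing byte. awk streams that list and merges nearby offsets.
    cmp -l -- "$old" "$new" | awk -v gap="$gap" '
        { off = $1 - 1 }                          # convert to 0-based
        NR == 1 { start = off; end = off; n = 1; next }
        off - end <= gap { end = off; n++; next } # same cluster
        { print start, end, n; start = off; end = off; n = 1 }
        END { if (NR > 0) print start, end, n }   # flush last cluster
    '
}

# Stand-alone use: ./diff_ranges.sh OLD.AppImage NEW.AppImage [GAP]
if [ "$#" -ge 2 ]; then
    diff_ranges "$@"
fi
```

Each reported range can then be dumped from both files (for example with `xxd -s START -l LENGTH FILE`) and compared by eye. A few short clusters and differences spread across the whole image call for different follow-up, and the output alone does not say whether either file was tampered with.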
