Hi, I have checked the file on the server and they haven't been altered (you can check by yourself, most of the time I add a .asc file to sign the tarball).
Although, given that the warning about suspicious file is in Chrome, I don't see how it ends up into OPAM. FYI, thanks to Törok investigation and Google Webmaster Tools, we found the error: https://www.virustotal.com/en/file/abc78143f1a4c5e4626e31654f9d0efdc328a05c346ce4fa696cd31baa691962/analysis/ The problem is that gdk_pixbuf_mlsources is considered as a virus (same for labgladecc2). They actually don't contain any viruses, this is just a false positive on OCaml compiled bytecode program. Regards Sylvain Le lun. 28 mars 2016 à 16:12, Gabriel Scherer <gabriel.sche...@gmail.com> a écrit : > There was news from malicious uploads on the forge from Sylvain yesterday: > https://forge.ocamlcore.org/forum/forum.php?forum_id=930 > > On Mon, Mar 28, 2016 at 3:46 PM, Anil Madhavapeddy <a...@recoil.org> > wrote: > >> Does anyone have time to check the forge distfiles to see if they've been >> altered maliciously? >> >> I see this in some builds: >> >> /home/opam/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz: >> - 2e0a24648c55005978d4923eb4925b28 [expected result] >> - 0f4f7cf8741d98cb419e45cc69962600 [actual result] >> This may be fixed by running `opam update`. >> >> and the below spyware warning is very concerning indeed. >> >> -a >> >> >> > Begin forwarded message: >> > >> > From: Aaron Cornelius <aaron.cornel...@dornerworks.com> >> > Subject: Re: [MirageOS-devel] ounit dependency failing for mirage-xen >> package >> > Date: 28 March 2016 at 14:08:11 BST >> > To: <tal...@gmail.com> >> > Cc: mirageos-de...@lists.xenproject.org >> > >> > On 3/26/2016 7:05 AM, Thomas Leonard wrote: >> >> On 23 March 2016 at 16:25, Aaron Cornelius >> >> <aaron.cornel...@dornerworks.com> wrote: >> >>> I am setting up a new cubieboard today with mirage, but when >> attempting to >> >>> install the necessary opam packages I get the following md5sum error >> on the >> >>> downloaded package: >> >>> >> >>> [ERROR] Bad checksum for >> >>> /home/mirage/.opam/packages.dev/ounit.2.0.0/ounit-2.0.0.tar.gz: >> >>> - 2e0a24648c55005978d4923eb4925b28 [expected result] >> >>> - db53f6fe7559ddf572f672cbe2983f13 [actual result] >> >>> This may be fixed by running `opam update`. >> >>> >> >>> I have tried 4 times and received 4 different md5sums for the >> downloaded package. >> >>> >> >>> Anyone have an idea what might be going on here? I don't remember >> having this >> >>> much trouble in the past. >> >> >> >> It works for me. Try downloading the archive manually and checking to >> >> see what's inside it (I'm guessing some kind of server error message). >> >> >> >> http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz >> > >> > I discovered the problem, it appears that forge.ocamlcore.org is now >> on some >> > sort of spam/virus/spyware list and where I work is blocking access to >> it. When >> > I try to download the file directly in chrome I get a google warning as >> well. >> > >> > For the moment I created my own development opam repo and patched the >> ounit >> > requirement out of the xen-evtchn/xen-gnt/xenstore packages. >> > >> > _______________________________________________ >> > MirageOS-devel mailing list >> > mirageos-de...@lists.xenproject.org >> > http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel >> >> _______________________________________________ >> opam-devel mailing list >> opam-devel@lists.ocaml.org >> http://lists.ocaml.org/listinfo/opam-devel >> > >
_______________________________________________ opam-devel mailing list opam-devel@lists.ocaml.org http://lists.ocaml.org/listinfo/opam-devel
