1.5.10 tag problem of security

[Neustradamus]

@Sebastian-Roth: There is a problem of security, 1.5.10 tag has been changed, never do it!

• https://github.com/FOGProject/fogproject/tree/1.5.10

You need to replace the current 1.5.10 tag by the original tag. And create a new tag for 1.5.10.4.

5 March 2023, 1.5.10 must be: https://github.com/FOGProject/fogproject/commit/65fe719e58f89398a1e3f45412d7305993eb282e

31 March 2023, 1.5.10.4 must be: https://github.com/FOGProject/fogproject/commit/3eaa83b73ffa59e5b0ea6009b361c9d0b3c08443

If there is a problem with 1.5.10.x, you must to create a 1.5.11.

Thanks in advance.

[darksidemilk]

How is this a security problem ?

[Neustradamus]

The 1.5.10 tag has been changed, the checksum has been modified too. I know that FOG Project has not published official release checksums but users compare for security. And original checksum is not the same that today.

You can see: Release from 5 March 2023 with assets from 31 March 2023:

• https://github.com/FOGProject/fogproject/releases/tag/1.5.10

[Sebastian-Roth]

@Neustradamus said:

There is a problem of security, 1.5.10 tag has been changed, never do it!

Can you give us some more information on why this should never be done. May I also ask you to link to other references saying this is a no-go.

Sure you are right changing an official release tag is not a great thing to do. But there were good reasons I think. Running the installer from the earlier tagged as 1.5.10 (65fe719) source with the location plugin enabled would inevitably break the web UI access. This is a direct result of too few people being involved in FOG development and namely testing before a release and me trying to get 1.5.10 out with not enough time on my hands to do all the testing on a very long and busy FOG weekend. Not complaining, just saying how I see it.

You need to replace the current 1.5.10 tag by the original tag.

I don't see the reasons for that yet and I am not going to change it back unless you are going to handle all support cases in the forums and on Github related to issues with installing the earlier tagged as 1.5.10 (65fe719) source!! As I said, this would be anyone who has the location plugin enabled.

If there is a problem with 1.5.10.x, you must to create a 1.5.11.

We thought about that too. But it would still leave a gap for people to fall into when using 1.5.10 just because they have not heard there is a show stopping bug in there.

The 1.5.10 tag has been changed, the checksum has been modified too.

Yes and as well we have updated all the release information right at that same moment: https://github.com/FOGProject/fogproject/blame/cd027f0625fa092592c16c917ba6b441a4d8a81b/Release%20Notes.MD#L22 https://forums.fogproject.org/topic/16726/fog-1-5-10-officially-released https://news.fogproject.org/fog-1-5-10-officially-released/

I know that FOG Project has not published official release checksums but users compare for security.

Well, we do publish checksums on the website and have done so for a long time - see https://fogproject.org/download

[Neustradamus]

@Sebastian-Roth: An example for verification: https://github.com/buildroot/buildroot/commit/8ac75a9a21743888fc56421f47fae82d22351c12

For example, you can see here: https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/

The solution is to have the good original 1.5.10 tag and to create a new tag "1.5.10.x" or "1.5.11".

[Neustradamus]

@fogproject, @Sebastian-Roth and others,

Have you looked to solve this problem?

Put the original tag and create a new tag with a new version...

In the 1.5.10 announcement, please add a link to the new announcement version with explanation that it is important to install the new build.

[darksidemilk]

I'm still unclear as to how this creates a security issue.

[darksidemilk]

If it is, we may want to just delete the 1.5.10 release and just release a 1.5.11 or make 1.5.10.4 the main release? But again, I'm not sure how this creates any direct security issues. I haven't been able to find any references saying that changing a release tag is a security issue, I think @Sebastian-Roth would agree that we would just like to see some more documentation before implementing a change that will affect so many.

[Neustradamus]

The security problem is here because there are two different 1.5.10 builds in time: One from 5 March and a second from 31 March.

It is not possible to have the 1.5.10 original tag and create a new tag with 1.5.10.x/1.5.11?

If one people install the original 1.5.10, it is possible to update 1.5.10.x or 1.5.11 no?

[Quazz]

The security problem is here because there are two different 1.5.10 builds in time: One from 5 March and a second from 31 March.

It is not possible to have the 1.5.10 original tag and create a new tag with 1.5.10.x/1.5.11?

If one people install the original 1.5.10, it is possible to update 1.5.10.x or 1.5.11 no?

While hash systems are used for verification and in some cases for security goals, there is no security concerns related to github tags with a different hash.

The hash, in fact, is there specifically so it can still update even if the tag or release is otherwise identical. Other systems (such as composer) also do this.

While it's certainly a convention to release minor patch versions for bugfixes, it's by no means a hard rule. I would only argue in favor of it for virtue of making it easier to help people if they run into problems with their version. (but then again, the first thing they're likely to try is to look for an update which would make that point invalid anyway...)

[Neustradamus]

@FOGProject team, @Sebastian-Roth: Have you progressed on this problem?

[Sebastian-Roth]

@Neustradamus I still don't see how we can progress on this topic as I don't see this as a (security) problem you are pointing out - along with the comments from other people.

The one example you mentioned (https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/) is really out of our scope. Maybe we can get in contact (https://fossies.org/comments.html) to inform them about updating as well but that's about it.

Edit: I just sent out an email to fossies.org

[Sebastian-Roth]

So https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/ is updated now thanks to Jens! I am going to close this topic now. If there are still other archives with the old information (checksum, ...) you are free to contact those people or let us know.