Defect #38874
closed
The entire library of binaries https://redmine.org/releases/ is recompiled
0%
Description
Is there any particular reason why all binaries in https://redmine.org/releases/ are recompiled on March 20, 2023? I checked a couple of sha256s and while they are OK, this is highly suspicious activity.
I'd expect binaries to be committed once, and not to be tempered again.
Could anyone confirm if this is a flaw in some workflow and if you could revert back to historically timestamped dates. I appreciate that anything can be tempered with, but it's so much more difficult for a hostile actor to manually change dates in hundreds of files individually, rather than in a single go. The latter is one possible explanation of why what I found on https://redmine.org/releases/ has happened. It's probably not, but still. Not touching old binaries is just a better practice for some sort of community auditability.
Otherwise, many thanks guys. It's a fantastic product!
Updated by Go MAEDA 9 months ago
- Category set to Website (redmine.org)
I think the recompile is due to the server migration of www.redmine.org. On March 23, Jean-Philippe Lang switched the server and updated the version of Redmine that is running on www.redmine.org.