[Hamlib-developer] modified distfile with hamlib 4.5 release (possible security issue)
From: Greg T. <gd...@le...> - 2022-11-10 12:56:51
Nate Bargmann <n0...@n0...> writes:

> After months of work by Mike and many contributors, Hamlib 4.5 is
> released to the wild. Downloads are available from:
>
> https://github.com/Hamlib/Hamlib/releases/tag/4.5
>
> https://sourceforge.net/projects/hamlib/files/hamlib/4.5/

I updated the pkgsrc entry for hamlib shortly after the announcement, on November 1. It built and passed tests fine on NetBSD 9 amd64. I probably didn't say anything because it working isn't news.

pkgsrc, like many other packaging systems, records checksums for distfiles, so that users will build the same thing the packager tested, and to detect supply chain attacks on upstream.

I just received a report that the downloaded distfile failed checksumming. I set aside my copy from before and downloaded again, and indeed it is different.

In general, it is not ok for upstreams to modify a distfile once it is posted because of the security concerns around unauthorized modifications and the mechanisms to deal with them. github doesn't really support posting tarballs, but there "modifying distfile" translates to "moving tags".

I unpacked both. One has hamlib-4.5 and the other Hamlib-4.5. Accounting for that (which seems like a bug - 4.3.1 is lower case), there are very many differences.

I didn't see any announcement about this. So it looks like the 4.5 distfile got broken somehow, and I'm unable to convince myself that this wasn't an attack (even if I would guess that it's much more likely not an attack).

Looking at github, the 4.5 tag seems older than my first download.

Starting to read the diff from 4.3.1 to my first download of 4.5, it makes sense. The diff from my first download of 4.5 to doing it again today is huge.

Is anybody else seeing this? Does anybody else know what's going on?

73 de n1dam

Beginning of 4.5-earlier to 4.5-now diff:

Only in NEW/hamlib: .editorconfig
Only in NEW/hamlib: .github
Only in NEW/hamlib: .gitignore
Only in NEW/hamlib: Makefile.Windows
Only in ORIG/hamlib: Makefile.in
Only in NEW/hamlib: README.coding_style
Only in NEW/hamlib: README.md
Only in NEW/hamlib: README.release
Only in NEW/hamlib: README.win32
Only in NEW/hamlib: SECURITY.md
Only in NEW/hamlib: Segfault-award
Only in NEW/hamlib: VFOs.txt
Only in ORIG/hamlib: aclocal.m4
Only in ORIG/hamlib/amplifiers/elecraft: Makefile.in
Only in ORIG/hamlib/amplifiers/gemini: Makefile.in
Only in ORIG/hamlib/android: Makefile.in
Only in ORIG/hamlib/bindings: Makefile.in
Only in NEW/hamlib/bindings: csharp
Only in NEW/hamlib/bindings: hamlibvb.bas.in
Only in NEW/hamlib/bindings: phpdemo.php
Only in NEW/hamlib: bootstrap
Only in ORIG/hamlib: build-aux
Only in ORIG/hamlib/c++: Makefile.in
Only in ORIG/hamlib: configure
Only in NEW/hamlib: cppcheck.sh
Only in ORIG/hamlib/doc: Makefile.in
Only in NEW/hamlib/doc: README.man-pages
Only in ORIG/hamlib/doc: hamlib.cfg
Only in NEW/hamlib/doc: manuals
Only in NEW/hamlib/doc: split-man.pl
Only in NEW/hamlib: docker-build
Only in NEW/hamlib: extra
Only in ORIG/hamlib/include: Makefile.in
Only in ORIG/hamlib/include/hamlib: config.h
Only in ORIG/hamlib/include/hamlib: config.h.in
Only in NEW/hamlib/include/hamlib: winpthreads.h
Only in ORIG/hamlib/lib: Makefile.in
Only in ORIG/hamlib/macros: Makefile.in
Only in ORIG/hamlib/macros: libtool.m4
Only in ORIG/hamlib/macros: ltoptions.m4
Only in ORIG/hamlib/macros: ltsugar.m4
Only in ORIG/hamlib/macros: ltversion.m4
Only in ORIG/hamlib/macros: lt~obsolete.m4
Only in NEW/hamlib: perl
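The two checks the mail describes, recorded-checksum verification of a distfile and a file-by-file comparison of an earlier download against a re-download, as an added example that is not part of the mail and not pkgsrc's or Hamlib's own tooling. The two tarballs are constructed in memory as stand-ins (a release-style archive under hamlib-4.5/ and a checkout-style one under Hamlib-4.5/, a few files each); the recorded digest is computed from the first of them the way a packager's distinfo would hold it. The comparison strips the top-level directory before diffing, so a renamed top directory is reported separately from real content changes, which is the case the mail had to account for by hand.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form a distinfo file records."""
    return hashlib.sha256(data).hexdigest()


def verify_distfile(data: bytes, recorded_sha256: str) -> bool:
    """True only if the downloaded distfile matches the digest the packager recorded."""
    return hmac.compare_digest(sha256_hex(data), recorded_sha256.strip().lower())


def member_index(tar_bytes: bytes) -> Tuple[str, Dict[str, str]]:
    """Map every regular file in a tarball to the SHA-256 of its contents.

    The leading top-level directory (e.g. 'hamlib-4.5/') is stripped from each
    path when every member shares one, so two tarballs that differ only in the
    name of that directory can still be compared file by file.  Returns
    (top-level directory name, or '' if members are not under a single one,
     {relative path: digest}).
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = tf.getmembers()
        tops = {m.name.split("/", 1)[0] for m in members}
        top = tops.pop() if len(tops) == 1 else ""
        index: Dict[str, str] = {}
        for m in members:
            if not m.isfile():
                continue
            rel = m.name[len(top) + 1:] if top else m.name
            fobj = tf.extractfile(m)
            index[rel] = sha256_hex(fobj.read() if fobj else b"")
    return top, index


def compare_distfiles(orig: bytes, new: bytes) -> Dict[str, object]:
    """Summarise how a re-downloaded distfile differs from the copy set aside earlier."""
    top_a, idx_a = member_index(orig)
    top_b, idx_b = member_index(new)
    common = idx_a.keys() & idx_b.keys()
    return {
        "topdir_orig": top_a,
        "topdir_new": top_b,
        "only_in_orig": sorted(set(idx_a) - set(idx_b)),
        "only_in_new": sorted(set(idx_b) - set(idx_a)),
        "changed": sorted(p for p in common if idx_a[p] != idx_b[p]),
    }


def make_tarball(topdir: str, files: Dict[str, bytes]) -> bytes:
    """Build a small uncompressed tarball in memory (constructed test data, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{topdir}/{path}")
            info.size = len(content)
            info.mtime = 0  # fixed timestamp keeps the bytes, and so the digest, reproducible
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins for the two downloads: a release-style tarball carrying
# generated configure/Makefile.in, and a later checkout-style one (bootstrap,
# README.md, SECURITY.md) under a differently cased top-level directory.
ORIG_DISTFILE = make_tarball("hamlib-4.5", {
    "configure": b"#!/bin/sh\n# generated configure script\n",
    "Makefile.in": b"all:\n\t$(MAKE) -C src\n",
    "src/rig.c": b"int rig_open(void) { return 0; }\n",
})
NEW_DISTFILE = make_tarball("Hamlib-4.5", {
    "bootstrap": b"#!/bin/sh\nautoreconf -i\n",
    "README.md": b"# Hamlib\n",
    "SECURITY.md": b"Report issues privately.\n",
    "src/rig.c": b"int rig_open(void) { return 1; }\n",
})
# What the packager would have recorded in distinfo after testing the first download.
RECORDED_SHA256 = sha256_hex(ORIG_DISTFILE)


if __name__ == "__main__":
    print("orig verifies:", verify_distfile(ORIG_DISTFILE, RECORDED_SHA256))
    print("new verifies: ", verify_distfile(NEW_DISTFILE, RECORDED_SHA256))
    for key, value in compare_distfiles(ORIG_DISTFILE, NEW_DISTFILE).items():
        print(f"{key}: {value}")
```

The digest check is the gate: a distfile that fails it should not be built at all, whatever the diff later turns out to contain. The comparison only helps with the follow-up question of whether the new bytes look like a re-rolled release, a checkout of a moved tag, or something that warrants treating the download as hostile; `only_in_orig` listing generated build files and `only_in_new` listing repository housekeeping files is the pattern of a tag pointing at a checkout rather than a release tarball.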