[opensuse] suse 13.2: uncredited source used in shadowutils: where from?
I was trying to figure out a behavior/feature in shadowutils and whether it came from the package maintainers or was an openSUSE addition, as I wanted to know where the scripts "useradd.local" and "groupadd.local" came from. I wanted to report one or more problems affecting both scripts and didn't know if it should be reported to the package "owners"[?] or openSUSE.

I installed the source rpm for "shadowutils-4.1.5" and then thought it might be as fast or faster to look at the sources from the package URL citing http://pkg-shadow.alioth.debian.org/ . On the site, I see the latest tars being 4.1.4, 4.2, and 4.2.1. I see no listing for the tarball used by openSUSE, neither 4.1.5.1 nor 4.1.5. I'm wondering where these packages came from (as well as wondering how 4.1.5 was listed as being from the "alioth" source server when the source server has no such tar).

It may be no big deal, but usually when I see a URL where the source tar is supposed to be from, it's verifiable as being there and, for the times I've checked, is usually the same tarball. In this case, taking a security-minded stance, I can't check any signature or checksum to verify that the tarball used to create openSUSE binaries was from the attributed website. I'm sure there's some good explanation, but isn't this something that shouldn't happen for released software?

Where *DID* 4.1.5 (and 4.1.5.1) come from -- are they openSUSE-created versions? Should openSUSE be creating versions of packages that are easily confused with the version numbers used on the original site? I.e. normally I see something like 4.1.4_2.37, where the part after the "_" is some SUSE-specific/internal version.

If the package owners didn't create the source for SUSE's package, who did? While I might have some belief in the security of the package on the package's source site, what is known about the 4.1.5.1 or 4.1.5 packages? Could they have malware or a rootkit embedded -- since they aren't easily verified for content, as they didn't come from the official source for this package... ???

Thanks...
-l

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue 01 Nov 2016 06:26:50 PM CDT, L. A. Walsh wrote:
I would guess it's from the GitHub repo...

http://pkg-shadow.alioth.debian.org/download.php
Upstream Git Repository
Ongoing development work is done on github.

https://github.com/shadow-maint/shadow/releases?after=upstream%2F4.2

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 3 days 8:47, 4 users, load average: 0.40, 0.33, 0.25
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
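The check the original post asks for, comparing the tarball unpacked from a distro source rpm against what upstream actually published, as an added example that is not part of this thread. It assumes upstream publishes a SHA-256 list in the usual "hash  filename" layout (an assumption; if the project only ships a detached .asc signature, the equivalent step is gpg --verify on the tarball), and the sample files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Real-world prelude, not run here:
#   rpm -K shadow-*.src.rpm                 # distro's own signature on the SRPM
#   rpm2cpio shadow-*.src.rpm | cpio -idm   # unpack spec + Source tarballs
# Then compare each unpacked tarball against the upstream checksum list.

sha256_of() {
    # Print the SHA-256 of $1; fall back to shasum where coreutils is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball TARBALL SUMSFILE
# exit status: 0 = hash matches the upstream entry for this filename
#              1 = filename listed upstream but hash differs (repacked/tampered)
#              2 = filename not listed upstream at all (unknown provenance,
#                  which is exactly the 4.1.5 / 4.1.5.1 situation above)
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    local_hash=$(sha256_of "$tarball")
    # Accept both "hash  name" and the binary-mode "hash *name" form.
    upstream_hash=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1; exit}' "$sums")
    if [ -z "$upstream_hash" ]; then
        echo "UNKNOWN: $name is not listed in $sums" >&2
        return 2
    fi
    if [ "$local_hash" = "$upstream_hash" ]; then
        echo "OK: $name matches upstream ($local_hash)"
        return 0
    fi
    echo "MISMATCH: $name local=$local_hash upstream=$upstream_hash" >&2
    return 1
}
```

A non-zero result is the signal to stop trusting the version string and ask the packager where the tarball came from, which is the question the thread raises.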