[Bf-committers] Blender 2.80 Release Candidate - master frozen

Dan McGrath danmcgrath.ca at gmail.com
Fri Jul 19 16:36:45 CEST 2019


Hi,

It would appear that a Windows virus "info.zip:
Win.Trojan.Coinminer-6622864-0 FOUND" was uploaded to another file in this
directory at the same time that you uploaded the Windows RC.

I reported the issue in blender.chat, where some discussion was held by at
least some of the devs, but I would like to bring the matter to your
attention here, as well. With release around the corner, and our binaries
being a valuable target, that clearly was timed to happen during this
upload, I would advise that you at least verify the checksums of the file
that you uploaded, and that we immediately stop using a world writable FTP
for our release.

My recommendation is to immediately disable and remove FTP from our server,
and find alternative and secure means for the developers to share files.
The idea of sftp/scp only accounts on download.blender.org would even be an
improvement. In the long term, even this should be frowned upon though, as
a compromise of our web server (which should be considered to be untrusted,
and in a DMZ), would be a disaster on its own, but less so if we could at
least verify the integrity of the files (Mac/Win at least can be signed).

I would also strongly advise that one of the developers create a GPG key that
is stored safely offline, which can be used to officially sign the MD5/SHA
checksum files, and go through and retroactively sign and checksum our
entire archive as a precaution. This would also allow our users to verify
our downloads via mirror, as right now there is absolutely no way for
people to verify the integrity of non signed files that are acquired over
non secure (HTTPS) means directly from us, let alone files that have been
altered from an infection.


Cheers,

Dan

On Fri, Jul 19, 2019 at 10:06 AM Brecht Van Lommel <
brechtvanlommel at gmail.com> wrote:

> Hey all,
>
> Release candidate 2 is now available for download on blender.org.
>
> Last week a lot of fixes were done still. From this point on we will
> only move over critical fixes to the release branch, it helps to
> mention in the commit log if you want this to happen.
>
> Thanks,
> Brecht.
>
> On Wed, Jul 17, 2019 at 6:40 PM Brecht Van Lommel
> <brechtvanlommel at gmail.com> wrote:
> >
> > Hey all,
> >
> > We're planning to do the ahoy for the release candidate 2 tomorrow
> > July 18, around 16:00 CEST.
> >
> > That's when all the critical fixes should be in, let me know if
> > there's something that's not going to make it in time.
> >
> > Thanks,
> > Brecht.
> >
> > On Thu, Jul 11, 2019 at 7:37 PM Brecht Van Lommel
> > <brechtvanlommel at gmail.com> wrote:
> > >
> > > Hey everyone,
> > >
> > > We had some additional issues to solve. The release candidate builds
> > > are ready now, but we'll wait until tomorrow (July 12) to make them
> > > available and update blender.org.
> > >
> > > Thanks,
> > > Brecht.
> > >
> > > On Wed, Jul 10, 2019 at 5:22 PM Brecht Van Lommel
> > > <brechtvanlommel at gmail.com> wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > We have entered the 2.80 release candidate phase now. That means
> > > > master will be mostly frozen, only important bugfixes should go in.
> > > > Please ensure commits are reviewed by another developer, and don't
> > > > make risky changes.
> > > >
> > > > Sergey will do the branching & tagging, after which platform
> > > > maintainers can make the release candidate builds. If all goes well
> > > > these builds go up on blender.org tomorrow, July 11.
> > > >
> > > > > The final release is then planned for July 18, depending if any
> > > > > critical issues come up that require more time. After this master
> > > > > will be open for the 2.81 release cycle.
> > > >
> > > > Thanks,
> > > > Brecht.
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> https://lists.blender.org/mailman/listinfo/bf-committers
>
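
The integrity check recommended in the message above, as an added example that is not part of the original thread or of Blender's own tooling: it audits a download directory against a `sha256sum`-style manifest and flags altered, missing and unlisted files (such as a stray `info.zip`). It assumes the manifest has already been authenticated, for example by checking a detached GPG signature over it with `gpg --verify`; the function names and the file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex digits>  <name>' ('*' = binary mode)."""
    expected = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(None, 1)
        name = name.lstrip("*").strip()
        # bytes.fromhex raises ValueError on non-hex; reject names carrying a path.
        if len(bytes.fromhex(digest)) != 32 or Path(name).name != name:
            raise ValueError(f"malformed or path-bearing entry: {line!r}")
        expected[name] = digest.lower()
    return expected


def audit_directory(directory, manifest_text, manifest_name="SHA256SUMS"):
    """Sort files into ok / mismatch / missing (listed, absent) / unlisted (present, not listed)."""
    expected = parse_manifest(manifest_text)
    present = {p.name for p in Path(directory).iterdir() if p.is_file()} - {manifest_name}
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": sorted(present - expected.keys())}
    for name, digest in sorted(expected.items()):
        matches = name in present and sha256_file(Path(directory) / name) == digest
        report["ok" if matches else "mismatch" if name in present else "missing"].append(name)
    return report


def demo():
    """Constructed sample: one file altered after the manifest was made, one stray upload."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "build-win64.zip").write_bytes(b"constructed windows build")
        (d / "build-linux.tar.bz2").write_bytes(b"constructed linux build")
        manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in sorted(d.iterdir()))
        (d / "build-win64.zip").write_bytes(b"altered after the manifest was made")
        (d / "info.zip").write_bytes(b"constructed stray file")
        return audit_directory(d, manifest)
```

Calling `demo()` returns the report for the constructed directory; the unlisted bucket is what a plain `sha256sum -c` run would not show.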

