[Bf-committers] Blender 2.80 Release Candidate - master frozen

Brecht Van Lommel brechtvanlommel at gmail.com
Fri Jul 19 17:58:18 CEST 2019


And to be even more clear, the public Blender ftp incoming/ folder is
a place for people to exchange files. We don't link to it from
blender.org for users to download files from.

That said we should indeed disable it, there is no good reason to
justify having it at all.


On Fri, Jul 19, 2019 at 5:04 PM Brecht Van Lommel
<brechtvanlommel at gmail.com> wrote:
>
> To be clear, there is no virus in the Blender release folder. The
> checksums for the release builds match what was reported by those
> who made the releases.
>
> What happened is that someone put something on the public Blender ftp
> folder, but it never affected the actual release.
>
> On Fri, Jul 19, 2019 at 4:37 PM Dan McGrath <danmcgrath.ca at gmail.com> wrote:
> >
> > Hi,
> >
> > It would appear that a windows virus "info.zip:
> > Win.Trojan.Coinminer-6622864-0 FOUND" was uploaded to another file in this
> > directory at the same time that you uploaded the windows RC.
> >
> > I reported the issue in blender.chat, where some discussion was held by at
> > least some of the devs, but I would like to bring the matter to your
> > attention here, as well. With release around the corner, and our binaries
> > being a valuable target, that clearly was timed to happen during this
> > upload, I would advise that you at least verify the checksums of the file
> > that you uploaded, and that we immediately stop using a world writable FTP
> > for our release.
> >
> > My recommendation is to immediately disable and remove FTP from our server,
> > and find alternative and secure means for the developers to share files.
> > The idea of sftp/scp only accounts on download.blender.org would even be an
> > improvement. In the long term, even this should be frowned upon though, as
> > a compromise of our web server (which should be considered to be untrusted,
> > and in a DMZ), would be a disaster on its own, but less so if we could at
> > least verify the integrity of the files (Mac/Win at least can be signed).
> >
> > I would also strongly advise that one of the developers create a GPG key that
> > is stored safely offline, which can be used to officially sign the MD5/SHA
> > checksum files, and go through and retroactively sign and checksum our
> > entire archive as a precaution. This would also allow our users to verify
> > our downloads via mirror, as right now there is absolutely no way for
> > people to verify the integrity of non signed files that are acquired over
> > non secure (HTTPS) means directly from us, let alone files that have been
> > altered from an infection.
> >
> >
> > Cheers,
> >
> > Dan
> >
> > On Fri, Jul 19, 2019 at 10:06 AM Brecht Van Lommel <
> > brechtvanlommel at gmail.com> wrote:
> >
> > > Hey all,
> > >
> > > Release candidate 2 is now available for download on blender.org.
> > >
> > > Last week a lot of fixes were done still. From this point on we will
> > > only move over critical fixes to the release branch, it helps to
> > > mention in the commit log if you want this to happen.
> > >
> > > Thanks,
> > > Brecht.
> > >
> > > On Wed, Jul 17, 2019 at 6:40 PM Brecht Van Lommel
> > > <brechtvanlommel at gmail.com> wrote:
> > > >
> > > > Hey all,
> > > >
> > > > We're planning to do the ahoy for the release candidate 2 tomorrow
> > > > July 18, around 16:00 CEST.
> > > >
> > > > That's when all the critical fixes should be in, let me know if
> > > > there's something that's not going to make it in time.
> > > >
> > > > Thanks,
> > > > Brecht.
> > > >
> > > > On Thu, Jul 11, 2019 at 7:37 PM Brecht Van Lommel
> > > > <brechtvanlommel at gmail.com> wrote:
> > > > >
> > > > > Hey everyone,
> > > > >
> > > > > We had some additional issues to solve. The release candidate builds
> > > > > are ready now, but we'll wait until tomorrow (July 12) to make them
> > > > > available and update blender.org.
> > > > >
> > > > > Thanks,
> > > > > Brecht.
> > > > >
> > > > > On Wed, Jul 10, 2019 at 5:22 PM Brecht Van Lommel
> > > > > <brechtvanlommel at gmail.com> wrote:
> > > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > We have entered the 2.80 release candidate phase now. That means
> > > > > > master will be mostly frozen, only important bugfixes should go in.
> > > > > > Please ensure commits are reviewed by another developer, and don't
> > > > > > make risky changes.
> > > > > >
> > > > > > Sergey will do the branching & tagging, after which platform
> > > > > > maintainers can make the release candidate builds. If all goes well
> > > > > > these builds go up on blender.org tomorrow, July 11.
> > > > > >
> > > > > > The final release is then planned for July 18, depending if any
> > > > > > > critical issues come up that require more time. After this master
> > > > > > > will be open for the 2.81 release cycle.
> > > > > >
> > > > > > Thanks,
> > > > > > Brecht.
> > > _______________________________________________
> > > Bf-committers mailing list
> > > Bf-committers at blender.org
> > > https://lists.blender.org/mailman/listinfo/bf-committers
> > >

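An added example, not part of the original thread or of Blender's release tooling: the integrity check recommended in the quoted message, written as a Python audit of a release directory against a `sha256sum`-format manifest, reporting altered, missing and unlisted files. The file names and the `audit_release_dir` helper are hypothetical, and the manifest is assumed to have had its detached GPG signature verified beforehand (for example with `gpg --verify`).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha256sum line: 64 hex chars, a space, ' ' (text) or '*' (binary), then the name
LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def sha256_of(path: Path) -> str:
    """Hash a whole file (read in chunks instead for multi-GB archives)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_manifest(text: str) -> dict:
    """Return {file name: lowercase digest}; reject anything malformed."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        match = LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def audit_release_dir(directory: Path, manifest_text: str) -> dict:
    """Classify listed files as ok/mismatch/missing and flag unlisted ones."""
    expected = parse_manifest(manifest_text)
    on_disk = {p.name for p in directory.iterdir() if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(expected.items()):
        if name not in on_disk:
            status = "missing"
        else:
            status = "ok" if sha256_of(directory / name) == digest else "mismatch"
        report[status].append(name)
    # Files nobody signed off on, e.g. something dropped into a writable folder.
    report["unlisted"] = sorted(on_disk - expected.keys())
    return report


def demo() -> dict:
    """Constructed sample: two listed builds, one altered later, one stray upload."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "build-win.zip").write_bytes(b"windows build")
        (d / "build-mac.dmg").write_bytes(b"mac build")
        manifest = "".join(f"{sha256_of(p)}  {p.name}\n" for p in sorted(d.iterdir()))
        (d / "build-mac.dmg").write_bytes(b"mac build, altered")  # changed after signing
        (d / "stray.zip").write_bytes(b"not part of the release")  # never in manifest
        return audit_release_dir(d, manifest)
```

A non-empty `mismatch` or `unlisted` list is the signal to stop and investigate before publishing or mirroring the directory.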