[Bf-committers] Blender 2.80 Release Candidate - master frozen

Dan McGrath danmcgrath.ca at gmail.com
Tue Jul 23 19:13:33 CEST 2019


Hi,

Huh, well that worked out well:

https://twitter.com/TheHackersNews/status/1153694205358645249?s=09


Dan

On Fri, Jul 19, 2019, 11:58 AM Brecht Van Lommel, <brechtvanlommel at gmail.com>
wrote:

> And to be even more clear, the public Blender ftp incoming/ folder is
> a place for people to exchange files. We don't link to it from
> blender.org for users to download files from.
>
> That said we should indeed disable it, there is no good reason to
> justify having it at all.
>
>
> On Fri, Jul 19, 2019 at 5:04 PM Brecht Van Lommel
> <brechtvanlommel at gmail.com> wrote:
> >
> > To be clear, there is no virus in the Blender release folder. The
> > checksums for the release builds match what was reported by those
> > who made the releases.
> >
> > What happened is that someone put something on the public Blender ftp
> > folder, but it never affected the actual release.
> >
> > On Fri, Jul 19, 2019 at 4:37 PM Dan McGrath <danmcgrath.ca at gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > It would appear that a windows virus "info.zip:
> > > Win.Trojan.Coinminer-6622864-0 FOUND" was uploaded to another file in
> > > this directory at the same time that you uploaded the windows RC.
> > >
> > > I reported the issue in blender.chat, where some discussion was held
> > > by at least some of the devs, but I would like to bring the matter to
> > > your attention here, as well. With release around the corner, and our
> > > binaries being a valuable target, that clearly was timed to happen
> > > during this upload, I would advise that you at least verify the
> > > checksums of the file that you uploaded, and that we immediately stop
> > > using a world writable FTP for our release.
> > >
> > > My recommendation is to immediately disable and remove FTP from our
> > > server, and find alternative and secure means for the developers to
> > > share files. The idea of sftp/scp only accounts on download.blender.org
> > > would even be an improvement. In the long term, even this should be
> > > frowned upon though, as a compromise of our web server (which should be
> > > considered to be untrusted, and in a DMZ), would be a disaster on its
> > > own, but less so if we could at least verify the integrity of the files
> > > (Mac/Win at least can be signed).
> > >
> > > I would also strongly advise that one of the developers create a GPG
> > > key that is stored safely offline, which can be used to officially sign
> > > the MD5/SHA checksum files, and go through and retroactively sign and
> > > checksum our entire archive as a precaution. This would also allow our
> > > users to verify our downloads via mirror, as right now there is
> > > absolutely no way for people to verify the integrity of non signed
> > > files that are acquired over non secure (HTTPS) means directly from us,
> > > let alone files that have been altered from an infection.
> > >
> > >
> > > Cheers,
> > >
> > > Dan
> > >
> > > On Fri, Jul 19, 2019 at 10:06 AM Brecht Van Lommel <
> > > brechtvanlommel at gmail.com> wrote:
> > >
> > > > Hey all,
> > > >
> > > > Release candidate 2 is now available for download on blender.org.
> > > >
> > > > Last week a lot of fixes were done still. From this point on we will
> > > > only move over critical fixes to the release branch, it helps to
> > > > mention in the commit log if you want this to happen.
> > > >
> > > > Thanks,
> > > > Brecht.
> > > >
> > > > On Wed, Jul 17, 2019 at 6:40 PM Brecht Van Lommel
> > > > <brechtvanlommel at gmail.com> wrote:
> > > > >
> > > > > Hey all,
> > > > >
> > > > > We're planning to do the ahoy for the release candidate 2 tomorrow
> > > > > July 18, around 16:00 CEST.
> > > > >
> > > > > That's when all the critical fixes should be in, let me know if
> > > > > there's something that's not going to make it in time.
> > > > >
> > > > > Thanks,
> > > > > Brecht.
> > > > >
> > > > > On Thu, Jul 11, 2019 at 7:37 PM Brecht Van Lommel
> > > > > <brechtvanlommel at gmail.com> wrote:
> > > > > >
> > > > > > Hey everyone,
> > > > > >
> > > > > > > We had some additional issues to solve. The release candidate
> > > > > > > builds are ready now, but we'll wait until tomorrow (July 12) to
> > > > > > > make them available and update blender.org.
> > > > > >
> > > > > > Thanks,
> > > > > > Brecht.
> > > > > >
> > > > > > On Wed, Jul 10, 2019 at 5:22 PM Brecht Van Lommel
> > > > > > <brechtvanlommel at gmail.com> wrote:
> > > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > > We have entered the 2.80 release candidate phase now. That
> > > > > > > > means master will be mostly frozen, only important bugfixes
> > > > > > > > should go in. Please ensure commits are reviewed by another
> > > > > > > > developer, and don't make risky changes.
> > > > > > >
> > > > > > > > Sergey will do the branching & tagging, after which platform
> > > > > > > > maintainers can make the release candidate builds. If all goes
> > > > > > > > well these builds go up on blender.org tomorrow, July 11.
> > > > > > >
> > > > > > > > The final release is then planned for July 18, depending if any
> > > > > > > > critical issues come up that require more time. After this
> > > > > > > > master will be open for the 2.81 release cycle.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Brecht.
> > > > _______________________________________________
> > > > Bf-committers mailing list
> > > > Bf-committers at blender.org
> > > > https://lists.blender.org/mailman/listinfo/bf-committers
> > > >
>
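
The signed checksum files recommended in the thread can be used to audit a whole download directory, as in this added example, which is not code from the thread or from the Blender project. It assumes a `sha256sum`-style manifest whose detached GPG signature has already been checked (for instance with `gpg --verify`); the file names other than `info.zip` are constructed.

```python
import hashlib
import os
import re
import tempfile

# sha256sum line format: 64 hex digits, a space, ' ' or '*', then the file name
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    """Return {file name: digest}; reject malformed lines and path components."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.fullmatch(line.strip())
        if not m or os.path.basename(m.group(2)) != m.group(2):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_directory(directory, manifest_text):
    """Compare a directory with the manifest: (modified, missing, unlisted)."""
    expected = parse_manifest(manifest_text)
    listed = set(expected)
    present = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    modified = sorted(n for n in present & listed
                      if sha256_file(os.path.join(directory, n)) != expected[n])
    return modified, sorted(listed - present), sorted(present - listed)

def demo():
    """Constructed sample: one file altered after signing, one stray upload."""
    files = {"release-win64.zip": b"windows build", "release-linux.tar": b"linux build"}
    manifest = "".join(f"{hashlib.sha256(v).hexdigest()}  {k}\n" for k, v in files.items())
    files["release-linux.tar"] += b" tampered"   # changed after the manifest was made
    files["info.zip"] = b"unexpected upload"     # dropped next to the release
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return audit_directory(d, manifest)

if __name__ == "__main__":
    print(demo())
```

A non-empty `unlisted` result is what a world-writable upload folder produces: a file that no signed manifest vouches for, sitting beside files that one does.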

