Hi, It would appear that a windows virus "info.zip: Win.Trojan.Coinminer-6622864-0 FOUND" was uploaded to another file in this directory at the same time that you uploaded the windows RC.
I reported the issue in blender.chat, where some discussion was held by at least some of the devs, but I would like to bring the matter to your attention here, as well. With release around the corner, and our binaries being a valuable target, that clearly was timed to happen during this upload, I would advise that you at least verify the checksums of the file that you uploaded, and that we immediately stop using a world writable FTP for our release. My recommendation is to immediately disable and remove FTP from our server, and find alternative and secure means for the developers to share files. The idea of sftp/scp only accounts on download.blender.org would even be an improvement. In the long term, even this should be frowned upon though, as a compromise of our web server (which should be considered to be untrusted, and in a DMZ), would be a disaster on its own, but less so if we could at least verify the integrity of the files (Mac/Win at least can be signed). I would also strong advise that one of the developers create a GPG key that is stored safely ofline, which can be used to officially sign the MD5/SHA checksum files, and go through and retroactively sign and checksum our entire archive as a precaution. This would also allow our users to verify our downloads via mirror, as right now there is absolutely no way for people to verify the integrity of non signed files that are acquired over non secure (HTTPS) means directly from us, let alone files that have been altered from an infection. Cheers, Dan On Fri, Jul 19, 2019 at 10:06 AM Brecht Van Lommel < brechtvanlom...@gmail.com> wrote: > Hey all, > > Release candidate 2 is now available for download on blender.org. > > Last week a lot of fixes were done still. From this point on we will > only move over critical fixes to the release branch, it helps to > mention in the commit log if you want this to happen. > > Thanks, > Brecht. > > On Wed, Jul 17, 2019 at 6:40 PM Brecht Van Lommel > <brechtvanlom...@gmail.com> wrote: > > > > Hey all, > > > > We're planning to do the ahoy for the release candidate 2 tomorrow > > July 18, around 16:00 CEST. > > > > That's when all the critical fixes should be in, let me know if > > there's something that's not going to make it in time. > > > > Thanks, > > Brecht. > > > > On Thu, Jul 11, 2019 at 7:37 PM Brecht Van Lommel > > <brechtvanlom...@gmail.com> wrote: > > > > > > Hey everyone, > > > > > > We had some additional issues to solve. The release candidate builds > > > are ready now, but we'll wait until tomorrow (July 12) to make them > > > available and update blender.org. > > > > > > Thanks, > > > Brecht. > > > > > > On Wed, Jul 10, 2019 at 5:22 PM Brecht Van Lommel > > > <brechtvanlom...@gmail.com> wrote: > > > > > > > > Hi everyone, > > > > > > > > We have entered the 2.80 release candidate phase now. That means > > > > master will be mostly frozen, only important bugfixes should go in. > > > > Please ensure commits are reviewed by another developer, and don't > > > > make risky changes. > > > > > > > > Sergey will do the branching & tagging, after which platform > > > > maintainers can make the release candidate builds. If all goes well > > > > these builds go up on blender.org tomorrow, July 11. > > > > > > > > The final release is then planned for July 18, depending if any > > > > critical issues come up that require more time. After this master > will > > > > be open for the 2.81 release cycle. > > > > > > > > Thanks, > > > > Brecht. > _______________________________________________ > Bf-committers mailing list > Bf-committers@blender.org > https://lists.blender.org/mailman/listinfo/bf-committers > _______________________________________________ Bf-committers mailing list Bf-committers@blender.org https://lists.blender.org/mailman/listinfo/bf-committers