Hi,

Huh, well that worked out well:
https://twitter.com/TheHackersNews/status/1153694205358645249?s=09

Dan

On Fri, Jul 19, 2019, 11:58 AM Brecht Van Lommel, <[email protected]> wrote:

> And to be even more clear, the public Blender ftp incoming/ folder is
> a place for people to exchange files. We don't link to it from
> blender.org for users to download files from.
>
> That said we should indeed disable it, there is no good reason to
> justify having it at all.
>
> On Fri, Jul 19, 2019 at 5:04 PM Brecht Van Lommel
> <[email protected]> wrote:
> >
> > To be clear, there is no virus in the Blender release folder. The
> > checksums for the release builds match what was reported by those
> > who made the releases.
> >
> > What happened is that someone put something on the public Blender ftp
> > folder, but it never affected the actual release.
> >
> > On Fri, Jul 19, 2019 at 4:37 PM Dan McGrath <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > It would appear that a windows virus "info.zip:
> > > Win.Trojan.Coinminer-6622864-0 FOUND" was uploaded to another file
> > > in this directory at the same time that you uploaded the windows RC.
> > >
> > > I reported the issue in blender.chat, where some discussion was held
> > > by at least some of the devs, but I would like to bring the matter
> > > to your attention here, as well. With release around the corner, and
> > > our binaries being a valuable target, that clearly was timed to
> > > happen during this upload, I would advise that you at least verify
> > > the checksums of the file that you uploaded, and that we immediately
> > > stop using a world writable FTP for our release.
> > >
> > > My recommendation is to immediately disable and remove FTP from our
> > > server, and find alternative and secure means for the developers to
> > > share files. The idea of sftp/scp only accounts on
> > > download.blender.org would even be an improvement.
> > > In the long term, even this should be frowned upon though, as a
> > > compromise of our web server (which should be considered to be
> > > untrusted, and in a DMZ), would be a disaster on its own, but less
> > > so if we could at least verify the integrity of the files (Mac/Win
> > > at least can be signed).
> > >
> > > I would also strongly advise that one of the developers create a GPG
> > > key that is stored safely offline, which can be used to officially
> > > sign the MD5/SHA checksum files, and go through and retroactively
> > > sign and checksum our entire archive as a precaution. This would
> > > also allow our users to verify our downloads via mirror, as right
> > > now there is absolutely no way for people to verify the integrity of
> > > non signed files that are acquired over non secure (HTTPS) means
> > > directly from us, let alone files that have been altered from an
> > > infection.
> > >
> > > Cheers,
> > >
> > > Dan
> > >
> > > On Fri, Jul 19, 2019 at 10:06 AM Brecht Van Lommel
> > > <[email protected]> wrote:
> > > >
> > > > Hey all,
> > > >
> > > > Release candidate 2 is now available for download on blender.org.
> > > >
> > > > Last week a lot of fixes were done still. From this point on we
> > > > will only move over critical fixes to the release branch, it helps
> > > > to mention in the commit log if you want this to happen.
> > > >
> > > > Thanks,
> > > > Brecht.
> > > >
> > > > On Wed, Jul 17, 2019 at 6:40 PM Brecht Van Lommel
> > > > <[email protected]> wrote:
> > > > >
> > > > > Hey all,
> > > > >
> > > > > We're planning to do the ahoy for the release candidate 2
> > > > > tomorrow July 18, around 16:00 CEST.
> > > > >
> > > > > That's when all the critical fixes should be in, let me know if
> > > > > there's something that's not going to make it in time.
> > > > >
> > > > > Thanks,
> > > > > Brecht.
> > > > >
> > > > > On Thu, Jul 11, 2019 at 7:37 PM Brecht Van Lommel
> > > > > <[email protected]> wrote:
> > > > > >
> > > > > > Hey everyone,
> > > > > >
> > > > > > We had some additional issues to solve. The release candidate
> > > > > > builds are ready now, but we'll wait until tomorrow (July 12)
> > > > > > to make them available and update blender.org.
> > > > > >
> > > > > > Thanks,
> > > > > > Brecht.
> > > > > >
> > > > > > On Wed, Jul 10, 2019 at 5:22 PM Brecht Van Lommel
> > > > > > <[email protected]> wrote:
> > > > > > >
> > > > > > > Hi everyone,
> > > > > > >
> > > > > > > We have entered the 2.80 release candidate phase now. That
> > > > > > > means master will be mostly frozen, only important bugfixes
> > > > > > > should go in. Please ensure commits are reviewed by another
> > > > > > > developer, and don't make risky changes.
> > > > > > >
> > > > > > > Sergey will do the branching & tagging, after which platform
> > > > > > > maintainers can make the release candidate builds. If all
> > > > > > > goes well these builds go up on blender.org tomorrow, July 11.
> > > > > > >
> > > > > > > The final release is then planned for July 18, depending if
> > > > > > > any critical issues come up that require more time. After
> > > > > > > this master will be open for the 2.81 release cycle.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Brecht.
_______________________________________________
Bf-committers mailing list
[email protected]
https://lists.blender.org/mailman/listinfo/bf-committers
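
The checksum verification recommended in this thread, as an added example that is not part of the original e-mails or Blender's own tooling: it audits an upload directory against a `sha256sum`-format manifest and reports altered, missing and unlisted files. It assumes the manifest's detached GPG signature has already been checked (for example with `gpg --verify`); the function names and the release file names are constructed for illustration.

```python
import hashlib
import string
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse `sha256sum` lines of the form '<64 hex digits>  <file name>'."""
    entries = {}
    for raw in text.splitlines():
        digest, _, name = raw.strip().partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode
        if not digest:
            continue
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits):
            raise ValueError(f"malformed manifest line: {raw!r}")
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"refusing path-like name in manifest: {name!r}")
        entries[name] = digest.lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()


def audit_directory(directory, manifest_text, manifest_name="SHA256SUMS"):
    """Return (ok, mismatched, missing, unlisted) file-name lists."""
    expected = parse_manifest(manifest_text)
    present = {p.name for p in Path(directory).iterdir() if p.is_file()}
    present.discard(manifest_name)
    ok, mismatched = [], []
    for name in sorted(expected.keys() & present):
        same = sha256_file(Path(directory) / name) == expected[name]
        (ok if same else mismatched).append(name)
    missing = sorted(expected.keys() - present)
    return ok, mismatched, missing, sorted(present - expected.keys())


def demo():
    """Constructed sample: one file altered after the manifest, one foreign upload."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "release-win64.zip").write_bytes(b"windows build")
        (root / "release-linux.tar.xz").write_bytes(b"linux build")
        manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in sorted(root.iterdir()))
        (root / "release-linux.tar.xz").write_bytes(b"linux build, tampered")
        (root / "info.zip").write_bytes(b"not part of the release")
        return audit_directory(root, manifest)
```

The unlisted list is the part that matters for a shared, writable directory: a file that was never in the signed manifest is surfaced rather than silently ignored.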
