[CentOS-mirror] Incorrect selinux packages were pushed via mirrors

Mon May 13 14:03:35 UTC 2013
Johnny Hughes <johnny at centos.org>

On 05/13/2013 08:58 AM, Manuel Wolfshant wrote:
> On 05/13/2013 04:47 PM, Manuel Wolfshant wrote:
>> Hello
>>     We just found out via #centos that the file
>> ftp://ftp.availo.se/centos/6.4/updates/x86_64/Packages/selinux-policy-3.7.19-195.el6_4.3.noarch.rpm
>> is not signed and has incorrect dates and md5sum compared to the
>> "known good" package.
>>     I suggest removing (disabling) the mirror from the list of
>> mirrors and, if someone has more specific contact info for the admins
>> (the only addresses I found were those existing at http://www.availo.se),
>> letting them know that there is an issue.
>>     Regards
>>         manuel
> Hello
>     Apparently more mirrors have the incorrect (unsigned) selinux
> packages. So far within 5' we found at least 3 different mirrors from
> Europe and USA which carry them. All of the unsigned packages seem to
> have been built on 03/10/2013 but released on 05/10/2013 and contain
> the same files as the signed packages, so... could it be that unsigned
> packages leaked from the build host and were inadvertently pushed to
> the mirrors?
>     manuel

I found the mistake, it is an error on the master mirror ... I'll post
when it is fixed, which should be in about an hour.
