My 1st download of the liveDVD gave me a warning on firefox telling me it might contain a virus or malware. I then checked the file:

sha512sum /home/tchiwam/Downloads/livedvd-amd64-multilib-20160704.iso
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e Downloads/livedvd-amd64-multilib-20160704.iso

I used wget and got the good sha512 as Expected :

sha512sum /home/tchiwam/Downloads/livedvd-amd64-multilib-20160704.iso
88fa7f2f700fac8caae2691b7797f80f5c47813f4b63b75cdeca6b7dcc8223c24b1e1a9ae7b57e4d86109716c2c638f5b9998ed385bb9f2528ef34bf02c8b115 Downloads/livedvd-amd64-multilib-20160704.iso

Sadly I cannot find in my history the link used to download the faulty one. I expect that you may simply close this bug really fast as impossible to verify depending on how many mirrors you have for http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/

Reproducible: Couldn't Reproduce

Actual Results: wrong sha512

Expected Results: proper sha512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e Is the SHA512 for an empty file. I'm going to pull from all of the mirrors to verify the content.
Thank you, Ok now I feel dumb. And I may explain why, the virus warning from Firefox never renamed the .iso.part to .iso
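The situation described in the comments above (a zero-byte .iso next to an unrenamed .iso.part) can be told apart from a wrong-content download before anyone suspects a mirror. The following is an added example, not part of the original thread; the function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile

# SHA-512 of zero bytes of input; the bug report's first checksum is this value.
EMPTY_SHA512 = hashlib.sha512(b"").hexdigest()


def sha512_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def diagnose_download(path, expected_hex):
    """Return (status, detail): 'ok', 'placeholder', 'incomplete' or 'mismatch'."""
    digest = sha512_file(path)
    part = path + ".part"  # in-progress data, as the .iso.part in the report
    if digest == expected_hex.lower():
        return "ok", digest
    if digest == EMPTY_SHA512:
        if os.path.exists(part):
            return "placeholder", "%s is empty; data is still in %s (%d bytes)" % (
                path, part, os.path.getsize(part))
        return "placeholder", "%s is empty; nothing was written to it" % path
    if os.path.exists(part):
        return "incomplete", "leftover %s: the download never finished" % part
    return "mismatch", digest


def demo():
    """Constructed sample: an empty .iso beside a .part file, as in the report."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "sample.iso")
        open(iso, "wb").close()
        with open(iso + ".part", "wb") as fh:
            fh.write(b"constructed payload")
        expected = hashlib.sha512(b"constructed payload").hexdigest()
        before = diagnose_download(iso, expected)[0]
        os.replace(iso + ".part", iso)  # what a completed download does
        after = diagnose_download(iso, expected)[0]
        return before, after


if __name__ == "__main__":
    print(demo())
```

Only a 'mismatch' result, where the file has content and no .part sibling, points at the bytes that were actually served.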
Do you still have that .iso.part file?
- What size is it?
- Does it have extended attributes that recorded where it was downloaded from?
- What does the 'file' tool say about it?
The file is gone, a 2nd try went over it, I initially thought it was just another failed download. But it failed again in firefox and the message was a normal failed and allow to restart. I then went to wget as I need to get this new machine installed. The size of the file was close enough to fool me and it was marked as complete in Firefox. I am very sorry that I did not keep it for further analysis.
All [1] of the bouncer mirror endpoints (19 of them) return the correct file, or at least the first part of it [2]

[1] Specific value of all: some mirrors are externally managed CDNs, and I can't test every CDN point of presence.
[2] I did detect the Evowise CDN doing an early truncation of the file in some cases. But that first part was correct.

I mocked the headers to look like Firefox, in case the service served a different result to Wget/curl clients.

This leaves a few possibilities:
- You were browsing the page, and the actual link you had clicked for the download didn't really go to bouncer.gentoo.org, but to a malicious site instead. This could be due to browser plugins, malicious local adversary (page injection), or a couple of other attacks that are hard to detect.

That you got the virus or malware warning tells us a few possible things:
- the actual URL was on the safebrowsing blacklist
- it wanted to confirm the item was safe anyway due to mime type or file headers.
@philippe: one more question, where did you get the http://bouncer link? We've tried to replace all of them with https://
@Philippe: With some luck you haven't cleaned your history yet. Please run

> $ sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"

against your places.sqlite file (you said you used Firefox).
sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"

12981|http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/||gro.ootneg.recnuob.|4|1|0||82|1546637164952880|_H61R-w8q8Og|0|125510643763481||
12982|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|gro.lenrek.srorrim.|2|0|1||1673|1546637299422904|KtWhkUo-OYEw|0|47359216456011||
12990|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/|Bytemark Hosting - Mirror|ku.oc.krametyb.rorrim.|1|0|0||82|1546636745205350|wq50rj9LaNHt|0|47358582965228||
12991|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS|livedvd-amd64-multilib-20160704.iso.DIGESTS|ku.oc.krametyb.rorrim.|0|0|0||0|1546636790614000|wpj9xuhEs1iZ|0|47359109875240||
12995|https://mirrors.evowise.com/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|moc.esiwove.srorrim.|1|0|0||82|1546637086552943|xEFelDVOT4tF|0|47356974890164||
12997|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/|Studenten Net Twente - Index of /pub/os/linux/gentoo/releases/amd64/20160704/|ln.etnewtu.tns.ptf.|1|0|0||82|1546637165251434|8tYKcCemFidh|0|125507903475623||
12998|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso|livedvd-amd64-multilib-20160704.iso|ln.etnewtu.tns.ptf.|0|0|0||0|1546637168638247|nTyMLhNInWmg|0|125510156639855||
12999|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS.asc||gro.lenrek.srorrim.|1|0|0||82|1546637313620887|SnrH7Xh_kPrP|0|47356321227240||

This is the dump, thank you for the command, very useful, sorry for the delay.
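The raw rows above are easier to triage once ordered in time, with the reversed host and the microsecond timestamp decoded and plain-http entries flagged. This is an added example, not part of the original thread: it runs against a constructed in-memory table that holds only the moz_places columns it needs, populated with three rows taken from the dump, and the file name copy.sqlite in the comment is hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed in-memory stand-in with only the moz_places columns used here;
# the rows reuse url / rev_host / last_visit_date values from the dump above.
ROWS = [
    (12981, "http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/",
     "gro.ootneg.recnuob.", 1546637164952880),
    (12990, "https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/",
     "ku.oc.krametyb.rorrim.", 1546636745205350),
    (12999, "https://mirrors.kernel.org/gentoo//releases/amd64/20160704/"
            "livedvd-amd64-multilib-20160704.iso.DIGESTS.asc",
     "gro.lenrek.srorrim.", 1546637313620887),
]


def sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, rev_host TEXT, last_visit_date INTEGER)")
    con.executemany("INSERT INTO moz_places (id, url, rev_host, last_visit_date) "
                    "VALUES (?, ?, ?, ?)", ROWS)
    return con


def timeline(con, needle):
    """Matching places, oldest first, as (utc_time, host, plaintext, url)."""
    pattern = "%" + needle + "%"
    cur = con.execute(
        "SELECT url, rev_host, last_visit_date FROM moz_places "
        "WHERE (url LIKE ? OR title LIKE ?) AND last_visit_date IS NOT NULL "
        "ORDER BY last_visit_date", (pattern, pattern))
    out = []
    for url, rev_host, visited in cur:
        host = rev_host[::-1].lstrip(".")  # rev_host is the host name reversed
        # last_visit_date counts microseconds since the Unix epoch
        when = datetime.fromtimestamp(visited / 1_000_000, tz=timezone.utc)
        out.append((when.strftime("%Y-%m-%d %H:%M:%S"), host,
                    url.startswith("http://"), url))
    return out


if __name__ == "__main__":
    # Real profile: work on a copy, opened read-only, e.g.
    # sqlite3.connect("file:copy.sqlite?mode=ro", uri=True)  (hypothetical name)
    for row in timeline(sample_db(), "20160704"):
        print(row)
```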
Created attachment 560956
mirror_kernel_org-blocked-safebrowsing_201901141800.jpg

Thank you, this helped us find the flagged mirror: https://mirrors.kernel.org/gentoo//releases/amd64/20160704/
https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fmirrors.kernel.org%2Fgentoo%2F%2Freleases%2Famd64%2F20160704%2F&hl=en-US
The flagged mirror is no longer flagged by Google, marking resolved.