My 1st download of the liveDVD gave me a warning in Firefox telling me it might contain a virus or malware.
I then checked the file:
I used wget and got the good SHA512 as expected:
Sadly I cannot find in my history the link used to download the faulty one.
I expect that you may simply close this bug really fast as impossible to verify depending on how many mirrors you have for http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/
Reproducible: Couldn't Reproduce
Is the SHA512 for an empty file.
I'm going to pull from all of the mirrors to verify the content.
Thank you, Ok now I feel dumb. And I may explain why, the virus warning from Firefox never renamed the .iso.part to .iso
Do you still have that .iso.part file?
- What size is it?
- Does it have extended attributes that recorded where it was downloaded from?
- What does the 'file' tool say about it?
The file is gone, a 2nd try went over it. I initially thought it was just another failed download. But it failed again in Firefox and the message was a normal failure that allowed a restart. I then went to wget as I need to get this new machine installed.
The size of the file was close enough to fool me and it was marked as complete in Firefox.
I am very sorry that I did not keep it for further analysis.
All of the bouncer mirror endpoints (19 of them) return the correct file, or at least the first part of it.
Specific value of all: some mirrors are externally managed CDNs, and I can't test every CDN point of presence.
I did detect the Evowise CDN doing an early truncation of the file in some cases. But that first part was correct.
I mocked the headers to look like Firefox, in case the service served a different result to Wget/curl clients.
This leaves a few possibilities:
- You were browsing the page, and the actual link you had clicked for the download didn't really go to bouncer.gentoo.org, but to a malicious site instead. This could be due to browser plugins, a malicious local adversary (page injection), or a couple of other attacks that are hard to detect.
That you got the virus or malware warning tells us a few possible things:
- the actual URL was on the safebrowsing blacklist
- it wanted to confirm the item was safe anyway due to mime type or file headers.
One more question, where did you get the http://bouncer link?
We've tried to replace all of them with https://
@ Philippe: With some luck you haven't cleaned your history yet. Please run
> $ sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"
against your places.sqlite file (you said you used Firefox).
sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"
12982|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|gro.lenrek.srorrim.|2|0|1||1673|1546637299422904|KtWhkUo-OYEw|0|47359216456011||
12990|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/|Bytemark Hosting - Mirror|ku.oc.krametyb.rorrim.|1|0|0||82|1546636745205350|wq50rj9LaNHt|0|47358582965228||
12995|https://mirrors.evowise.com/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|moc.esiwove.srorrim.|1|0|0||82|1546637086552943|xEFelDVOT4tF|0|47356974890164||
12997|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/|Studenten Net Twente - Index of /pub/os/linux/gentoo/releases/amd64/20160704/|ln.etnewtu.tns.ptf.|1|0|0||82|1546637165251434|8tYKcCemFidh|0|125507903475623||
This is the dump, thank you for the command, very useful, sorry for the delay.
Created attachment 560956
Thank you, this helped us find the flagged mirror: https://mirrors.kernel.org/gentoo//releases/amd64/20160704/
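The checks asked for in this thread (file size, SHA512, the empty-file digest, and origin extended attributes) can be run in one pass before a failed download is overwritten. The following is an added example, not part of the original bug report or any Gentoo tooling; the function names are hypothetical, the sample data is constructed, and the attribute names are the freedesktop.org ones that some download tools set, which may be absent on a given file.

```python
import hashlib
import os
import tempfile

EMPTY_SHA512 = hashlib.sha512(b"").hexdigest()  # digest of zero bytes of input

def sha512_file(path, chunk=1 << 20):  # chunked, so a large ISO never sits in RAM
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def origin_xattrs(path):
    """Return download-origin extended attributes where the OS and tool support them."""
    found = {}
    for name in ("user.xdg.origin.url", "user.xdg.referrer.url"):
        try:
            found[name] = os.getxattr(path, name).decode(errors="replace")
        except (OSError, AttributeError):  # attribute absent, or no xattr support
            pass
    return found

def triage(path, expected_sha512, expected_size=None):
    """Classify a download before deciding it is malicious or merely incomplete."""
    size, digest = os.path.getsize(path), sha512_file(path)
    if digest == expected_sha512.lower():
        verdict = "match"
    elif digest == EMPTY_SHA512:
        verdict = "empty-file"  # a 0-byte file was hashed, as in this report
    elif expected_size is not None and size < expected_size:
        verdict = "truncated"  # size only hints; the prefix may still be correct
    else:
        verdict = "mismatch"
    return {"size": size, "sha512": digest, "verdict": verdict, "origin": origin_xattrs(path)}

def demo():
    """Run triage over constructed stand-ins for a full, partial and empty image."""
    good = b"constructed stand-in for ISO contents" * 64
    want, out = hashlib.sha512(good).hexdigest(), {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("full.iso", good), ("cut.iso.part", good[:100]), ("empty.iso", b"")):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            out[name] = triage(p, want, len(good))["verdict"]
    return out

if __name__ == "__main__":
    print(demo())
```

A "mismatch" verdict on a file of the expected size is the case worth preserving for analysis; "empty-file" and "truncated" point to an incomplete download rather than altered content.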