[MacPorts] #52146: transmission @2.92_0: switch to GitHub (was: transmission: change port file to new download location)

MacPorts noreply at macports.org
Wed Aug 31 17:15:39 PDT 2016


#52146: transmission @2.92_0: switch to GitHub
---------------------------+---------------------------
  Reporter:  sierkb@…      |      Owner:  khindenburg@…
      Type:  defect        |     Status:  new
  Priority:  Normal        |  Milestone:
 Component:  ports         |    Version:
Resolution:                |   Keywords:
      Port:  transmission  |
---------------------------+---------------------------
Changes (by larryv@…):

 * cc: khindenburg (removed)
 * owner:  macports-tickets@… => khindenburg@…
 * version:  2.3.4 =>
 * keywords:  update dowload location =>
 * type:  update => defect


Old description:

> __Quote from [https://transmissionbt.com/keydnap_qa/]:__
>
> ----
> '''Q. What happened?'''
>
> A. It appears that on or about August 28, 2016, unauthorized access was
> gained to our website
> server. The official Mac version of Transmission 2.92 was replaced with
> an unauthorized version that contained the OSX/Keydnap malware. The
> infected file was available for download somewhere between a few hours
> and less than a day. Additional information about the malware is
> available
> [http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/ here]
> and
> [http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ here].
>
> '''Q. What steps have been taken following the incident?'''
>
> A. The infected file was removed from the server immediately upon
> discovering its existence, which was less than 24 hours after the file
> was posted to the website. To help prevent future incidents, we have
> migrated the website and all binary files from our current servers to
> [https://github.com/transmission GitHub]. Other services, which are
> currently unavailable, will be migrated to new servers in the coming
> days. As an added precaution, we will be hosting the binaries and the
> website (including checksums) in two separate repositories.
>
> '''Q. Am I at risk?'''
>
> A. The infected file was available for download from our website for less
> than a day, and the file was not available through the auto-update
> mechanism. Steps to check for, and remove, an infection are available
> [http://transmissionbt.com/keydnap_removal/ here].
>
> '''Q. Can you share any more information about this incident?'''
>
> A. We are in the process of investigating the incident and will share any
> relevant information that we discover here.
>
> '''If you have any questions or information about the incident, please
> send an email to security at transmissionbt.com.'''
> ----
>
> Please change transmission's port file and its master_sites accordingly
> to at least the new project's official mirror server on GitHub
> [https://github.com/transmission/transmission],
> [https://github.com/transmission/transmission/releases] or to the
> announced upcoming new location or both of them. Additionally: the port
> file's current 2 master_sites locations seem to be unavailable/switched
> off.

New description:

 Quote from [https://transmissionbt.com/keydnap_qa/]:

 ----
   Q: What happened?::
     A: It appears that on or about August 28, 2016, unauthorized access
 was gained to our website server. The official Mac version of Transmission
 2.92 was replaced with an unauthorized version that contained the
 OSX/Keydnap malware. The infected file was available for download
 somewhere between a few hours and less than a day. Additional information
 about the malware is available
 [http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/ here]
 and
 [http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ here].
   Q: What steps have been taken following the incident?::
     A: The infected file was removed from the server immediately upon
 discovering its existence, which was less than 24 hours after the file was
 posted to the website. To help prevent future incidents, we have migrated
 the website and all binary files from our current servers to
 [https://github.com/transmission GitHub]. Other services, which are
 currently unavailable, will be migrated to new servers in the coming days.
 As an added precaution, we will be hosting the binaries and the website
 (including checksums) in two separate repositories.
   Q: Am I at risk?::
     A: The infected file was available for download from our website for
 less than a day, and the file was not available through the auto-update
 mechanism. Steps to check for, and remove, an infection are available
 [http://transmissionbt.com/keydnap_removal/ here].
   Q: Can you share any more information about this incident?::
     A: We are in the process of investigating the incident and will share
 any relevant information that we discover here.

 '''If you have any questions or information about the incident, please
 send an email to security at transmissionbt.com.'''
 ----

 Please change transmission's port file and its master_sites accordingly to
 at least the new project's official mirror server on GitHub
 [https://github.com/transmission/transmission],
 [https://github.com/transmission/transmission/releases] or to the
 announced upcoming new location or both of them. Additionally: the port
 file's current 2 master_sites locations seem to be unavailable/switched
 off.

--

Comment:

 Trac requires full email addresses.

-- 
Ticket URL: <https://trac.macports.org/ticket/52146#comment:1>
MacPorts <https://www.macports.org/>
Ports system for OS X

