Customer Advisory UPDATE - FOSSHub Downloads Compromised

Earlier we reported that 8 of the 400+ packages on the community repository (https://chocolatey.org/packages) were possibly affected by the FOSSHub compromise. At this time those packages have been unlisted (effectively removed) from the repository pending maintainer action to add checksums and, where needed, find new download locations.

Expanding on our checksum requirement (repeated below), we are moving on two fronts: safer defaults in the choco client, and a checksum requirement for future approved community packages. The client change will arrive first: updated choco clients will not allow installs of packages that download files without a checksum, and packages on the community repository will have to meet the requirement as they publish updates.


Checksum Requirement on Roadmap for Community Packages

We have been moving towards requiring checksums on all packages that download binaries, especially packages that download over http rather than https, where nothing else protects the file in transit. This event may move up the timeline on that requirement. We will move choco clients to a default of refusing to install any package that downloads from a remote source without a checksum, but provide configurable overrides for those who need the old behaviour.
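As an added illustration (example code, not Chocolatey's own client or package code), the block below shows what a checksum-pinned package install looks like and what the client-side check amounts to. The package name, download URL and the all-zero checksum are placeholders, and the helper function `Test-DownloadChecksum` is an assumed name written for this example; it exercises itself on a constructed local file so it runs offline. The `Install-ChocolateyPackage` call and its `-Checksum`/`-ChecksumType` parameters are real Chocolatey helpers, left commented out here because they only work inside a choco install.

```powershell
# Added example, not Chocolatey's own code. Placeholder values are marked.
$ErrorActionPreference = 'Stop'

# --- What a maintainer puts in tools\chocolateyInstall.ps1 ------------------
# 1. Compute the checksum once, from a copy of the installer verified out of
#    band (e.g. against the vendor's published hash or signature):
#       (Get-FileHash -Path .\example-setup.exe -Algorithm SHA256).Hash
# 2. Pin it in the package so the client rejects a tampered download, even
#    when the URL is plain http.
$packageArgs = @{
  packageName  = 'example'                                                   # placeholder
  fileType     = 'exe'
  url          = 'https://downloads.example.invalid/example-setup.exe'       # placeholder URL
  checksum     = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder, use the real SHA256
  checksumType = 'sha256'
  silentArgs   = '/S'
}
# Install-ChocolateyPackage @packageArgs   # the real call, used inside a package

# --- What the client-side check amounts to ----------------------------------
# Assumed helper name for this example. Refuses when the package gives no
# checksum (unless the override is set) or when the download does not match.
function Test-DownloadChecksum {
  param(
    [Parameter(Mandatory)] [string] $Path,
    [AllowEmptyString()] [string] $Expected,
    [string] $Algorithm = 'SHA256',
    [switch] $AllowEmptyChecksum   # the configurable override the advisory mentions
  )
  if ([string]::IsNullOrWhiteSpace($Expected)) {
    if ($AllowEmptyChecksum) { return $true }
    throw "Refusing to install: package specifies no $Algorithm checksum for $Path"
  }
  $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
  if ($actual -ne $Expected) {   # string -ne is case-insensitive in PowerShell
    throw "Checksum mismatch for ${Path}: expected $Expected, got $actual"
  }
  return $true
}

# Self-contained demonstration on a constructed file (no network needed)
$sample = Join-Path $env:TEMP 'choco-checksum-demo.bin'
[IO.File]::WriteAllBytes($sample, [byte[]](1..64))
$good = (Get-FileHash -Path $sample -Algorithm SHA256).Hash

Test-DownloadChecksum -Path $sample -Expected $good                                    # passes
try { Test-DownloadChecksum -Path $sample -Expected '' } catch { Write-Warning $_ }     # refused: no checksum
try { Test-DownloadChecksum -Path $sample -Expected ('F' * 64) } catch { Write-Warning $_ } # refused: mismatch
Test-DownloadChecksum -Path $sample -Expected '' -AllowEmptyChecksum                   # override in effect
Remove-Item $sample
```

The point of the pinned checksum is that it binds the package to a specific artifact: if the download host is compromised, as FOSSHub was, a swapped installer fails the check regardless of whether the transfer was over http or https. The override switch exists only so that environments that knowingly need unpinned downloads can opt back in; it should not be the default.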
Copyright © 2016 RealDimensions Software, LLC, All rights reserved.

