yes, you're missing something, "1st message on devuan mirror files" is more accurate.

Understood thanks.

PS. You are needlessly offended.
From my own experience, I accept the skepticism of my colleagues. I stopped checking my home desktop with all sorts of сheckroot, etc. because over the years I have never seen any suspicious programs. As I understand it, home users have little interest in hackers, and if something gets into the distribution, there are more qualified people who will make a fuss.
 
Devuan is more of a distribution for enthusiasts than for cooperative or business use, security requirements and the risk of hacking are probably lower.
But that's just my opinion.

Regards.

not sure, what i expected in the 1st place, from a nazi friendly environment

Wait... What?

If I can gauge the political talks on here over the years, I would say there's a lot more clamoring support for Antifa/BLM, mask and vaccine mandates, and anti-capitalism/pro-socialism. In fact, it's very common to refer to a user as "they/them", which means the individual probably believes in the "gender" fallacy. If these folks are "Nazis" to you, then I'm your worst nightmare.

Anyway, you are not helping your situation by getting defensive here. Others have tried to explain to you that everything you've described is fairly normal and not any evidence for concern. You're also not doing it right by using ClamAV, which is for finding Windows viruses (not so much GNU/Linux or even another Unix/Unix-like OS). In all reality, if you are that paranoid about security, you should probably start looking into using OpenBSD, as it is a much smaller attack target compared to GNU/Linux or macOS (and these two are less of a risk compared to Windows).

i read all sorts of BS, like trying to blame me or Clamav or LMD for not being responsible or spending devuan devs precious time, while they are doing their fine job and not need to hear this..
well, that's how communities work. communicate issues, no matter how stupid they might seem to you (...elitists)..
so someone(...) who checked this, is going to communicate this false positive to another foss (clamav) to help make it better, and not just whine about it in whatever forums.

---
anyway, some moderator, please lock this thread...
not solved imho, got no help/assurances from pkgmaster admin, so lock it up anyway.
tired of all the spam and bs on this thread.

Ideally if you had a rsync of a mirror locally you could update systems through a lan connection much more securely without having to go through internet hoops.

to clear something : this is not a local mirror, it's a mirror in Devuan RR, rsynced directly from pkgmaster - which changed ip once again recently without any official notification...
mirror is used daily by many people.

Is LMD still alerting on those package digest files? I downloaded those files today, and then installed clamav and LMD. I ran maldet manually and had it analyze those files. It didn't find anything.

did you install clamav-unofficial-sigs as well? that's what's giving the false positive. not default clamav signatures. and that's why virustotal doesn't report it either (they don't use unofficial sigs).

in my case, i put those files on ignore list, after examining them. don't know if lmd would report those again.

Why is it needed if after years of use this is its first message and it’s false? Or am I missing something?

yes, you're missing something, "1st message on devuan mirror files" is more accurate.

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

In retrospect, I think it would have been better to contact the developer of LMD and ask him or her why LMD thinks that there is malicious PHP code in those files. That way, you would have a better chance of receiving an answer, and from the person most qualified to answer the question. And you would more than likely give the developer an opportunity to improve his software. It appears that someone else may have done that since the problem now seems to be gone (according to my testing).

APT already has release signing and package checksums, specifically to combat MitM attacks. If you want in-transit encryption as well, use an HTTPS mirror, that's what they're for.
If you're extra paranoid you can always verify packages certificates and signing keys manually, but unless you're inside a network that blocks normal access to the repository mirrors or have a pressing need to hide the fact that you are running Devuan, using TOR is just stupid.

Seriously, the amount of ridiculous tinfoil-hat "security" misadvice floating about these days is just tiring. Stop already.

I'd be careful with some git repos or even possible for spoofing to MitM attack package distribution.

Some Debian derivatives (e.g., Kicksecure) run apt through Tor to help prevent such attacks. It seems like a good idea, but I imagine that some people will find that it is painfully slow, especially if they are accustomed to very fast internet access. A good VPN would almost certainly be faster.

Ideally if you had a rsync of a mirror locally you could update systems through a lan connection much more securely without having to go through internet hoops.

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

Why is it needed if after years of use this is its first message and it’s false? Or am I missing something?

Regards.

The paths

/path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/e8b658bc0b30120109470ac5b20c8be088f56b9024a49285c76d41d8694e2ce2

et al are all compressed Packages files, i.e. so called "digests", and evidently that "tool" can't handle them.

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

i mean, php is not great but calling it malware isn't a bit too much?

where did you read that php is malware? maybe in another post, there was no such reference here. (?)

If you haven't done so already, try the mailing list:

https://mailinglists.dyne.org/cgi-bin/m … stinfo/dng

dng is just a users general list, and toxic. unsubscribed years ago.
but there was another list for mirror operators. not currently working for reasons unknown.