Kopano Nightly Builds Offline

What was compromised? is it the kopano packages? or was it the server where the kopano packages where stored?

fbartels

@BEO I cannot give an eta for this at the moment. If you request a trial from https://kopano.com/kopano-trial-download/, then you have access to the final builds (for 30 days).

@ckruijntjens please reread the starting post in this topic

BEO

@fbartels
Well sadly the trial I downloaded is an older version the the nightly installed on my Ubuntu 16.04.
I did not dare to migrate to an old build, since I don’t know possible pitfalls regarding database version.
Plus the trial key annocunced to be sent by mail did not arrive within 5 days now.
Rolled back to my old 16.04, skipped the migration of our home server to one distant day in the future (holidays are over now).

fbartels

@BEO said in Kopano Nightly Builds Offline:

Plus the trial key annocunced to be sent by mail did not arrive within 5 days now

Did you check your spam folder? The key is automatically sent on form submission afaik.

TosoBoso

@fbartels said in Kopano Nightly Builds Offline:

As you may have noticed, we took our nightly/master builds offline. The reason we did this is that the server where these builds are created and stored was compromised. The hack was discovered a few hours after it happened.

Hi Felix yes I noticed mid Aug about nightly builds being offline.
I ussed and still using local repo from 3rd Aug core 8.7.82 for Kompano4s Beta Docker Container. Is it fair to assume it can be used for contigency as this one was apx 1 week before the incident?
If not I would take the K4S Community Beta Docker Image offline.
Regards Volker

fbartels

@TosoBoso said in Kopano Nightly Builds Offline:

from 3rd Aug

the system was compromised on the 12th so everything before that is fine. The only reason why we pulled the master packages is because we do not store hashes externally and therefore cannot say with 100% certainty that they have not been tampered with.

PS: you need to separate the quote from your actual message with a blank line. else you message is shown as quoted as well.

rbrunhuber

@fbartels said in Kopano Nightly Builds Offline:

@BEO said in Kopano Nightly Builds Offline:

Plus the trial key annocunced to be sent by mail did not arrive within 5 days now

Did you check your spam folder? The key is automatically sent on form submission afaik.

I can second that: No email! I checked the mailserver logs and not even a delivery attempt was made.
I tried twice to request a trial key.

bhuisman

@rbrunhuber when did you request the key? Could it be in your spam folder?

rbrunhuber

@bhuisman
I requested one key end of last week and one yesterday around 21:00 CEST.
As I said: No SMTP delivery attempt reached my server from your side, so it’s definitely not in the spam folder. But still I double checked just to be sure.

BEO

@fbartels
Yes, I checked my spam folder. Nothing.
Maybe something more was compromised than just the build server. Someone out there might have tons of license keyes :-)

fbartels

@BEO said in Kopano Nightly Builds Offline:

Maybe something more was compromised than just the build server.

That may be meant as a joke, but this possibility can be excluded. There was no connection to these systems from our Jenkins.

fbartels

Nightly builds are back online at https://download.kopano.io/community/core:/.

I heard from out internal it that they are currently looking into why the trial form does not send the evaluation key.

clews

@fbartels Same here, tried twice to download trial within 3 days with two different mail adresses, no mail in both cases

fbartels

Hi @clews,

I’m sorry to hear that this still does not work. You can also reach out to our sales team at info@kopano.com to request a trial key.