Existing tags being modified on 2026-04-01
Bjørn Mork
bjorn at mork.no
Thu Apr 2 09:18:29 UTC 2026
Stuff like this worries me with all the supply chain attacks going
around. We are still expecting lots of fallout from the Trivy
compromise. There's no reason to believe the LiteLLM was the only one.
bjorn@canardo:/usr/local/src/git/freeradius$ git fetch --all --tags --prune
Fetching origin
remote: Enumerating objects: 265, done.
remote: Counting objects: 100% (137/137), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 265 (delta 119), reused 137 (delta 119), pack-reused 128 (from 3)
Receiving objects: 100% (265/265), 92.91 KiB | 2.02 MiB/s, done.
Resolving deltas: 100% (129/129), completed with 14 local objects.
From https://github.com/FreeRADIUS/freeradius-server
0e6dc8c2bde7..fa8ca050f3d7 v3.2.x -> origin/v3.2.x
! [rejected] branch_3_1_x -> branch_3_1_x (would clobber existing tag)
! [rejected] branch_4_0_0 -> branch_4_0_0 (would clobber existing tag)
! [rejected] first-build -> first-build (would clobber existing tag)
! [rejected] release_0_1_0 -> release_0_1_0 (would clobber existing tag)
! [rejected] release_0_2_0 -> release_0_2_0 (would clobber existing tag)
! [rejected] release_0_3_0 -> release_0_3_0 (would clobber existing tag)
! [rejected] release_0_4_0 -> release_0_4_0 (would clobber existing tag)
! [rejected] release_0_5_0 -> release_0_5_0 (would clobber existing tag)
! [rejected] release_0_6_0 -> release_0_6_0 (would clobber existing tag)
! [rejected] release_0_7_0 -> release_0_7_0 (would clobber existing tag)
! [rejected] release_0_7_1 -> release_0_7_1 (would clobber existing tag)
! [rejected] release_0_8_1 -> release_0_8_1 (would clobber existing tag)
! [rejected] release_0_9_0 -> release_0_9_0 (would clobber existing tag)
! [rejected] release_0_9_0_final -> release_0_9_0_final (would clobber existing tag)
! [rejected] release_0_9_0_pre2 -> release_0_9_0_pre2 (would clobber existing tag)
! [rejected] release_0_9_0_pre3 -> release_0_9_0_pre3 (would clobber existing tag)
! [rejected] release_0_9_1 -> release_0_9_1 (would clobber existing tag)
! [rejected] release_0_9_2 -> release_0_9_2 (would clobber existing tag)
! [rejected] release_0_9_3 -> release_0_9_3 (would clobber existing tag)
! [rejected] release_1_0_0 -> release_1_0_0 (would clobber existing tag)
! [rejected] release_1_0_0_pre1 -> release_1_0_0_pre1 (would clobber existing tag)
! [rejected] release_1_0_0_pre2 -> release_1_0_0_pre2 (would clobber existing tag)
! [rejected] release_1_0_0_pre3 -> release_1_0_0_pre3 (would clobber existing tag)
! [rejected] release_1_0_1 -> release_1_0_1 (would clobber existing tag)
! [rejected] release_1_0_2 -> release_1_0_2 (would clobber existing tag)
! [rejected] release_1_0_3 -> release_1_0_3 (would clobber existing tag)
! [rejected] release_1_0_4 -> release_1_0_4 (would clobber existing tag)
! [rejected] release_1_0_5 -> release_1_0_5 (would clobber existing tag)
! [rejected] release_1_1_0 -> release_1_1_0 (would clobber existing tag)
! [rejected] release_1_1_0_pre0 -> release_1_1_0_pre0 (would clobber existing tag)
! [rejected] release_1_1_1 -> release_1_1_1 (would clobber existing tag)
! [rejected] release_1_1_2 -> release_1_1_2 (would clobber existing tag)
! [rejected] release_1_1_3 -> release_1_1_3 (would clobber existing tag)
! [rejected] release_1_1_4 -> release_1_1_4 (would clobber existing tag)
! [rejected] release_1_1_5 -> release_1_1_5 (would clobber existing tag)
! [rejected] release_1_1_6 -> release_1_1_6 (would clobber existing tag)
! [rejected] release_1_1_7 -> release_1_1_7 (would clobber existing tag)
! [rejected] release_1_1_8 -> release_1_1_8 (would clobber existing tag)
! [rejected] release_2_0_0 -> release_2_0_0 (would clobber existing tag)
! [rejected] release_2_0_0_pre1 -> release_2_0_0_pre1 (would clobber existing tag)
! [rejected] release_2_0_0_pre2 -> release_2_0_0_pre2 (would clobber existing tag)
! [rejected] release_2_0_1 -> release_2_0_1 (would clobber existing tag)
! [rejected] release_2_0_2 -> release_2_0_2 (would clobber existing tag)
! [rejected] release_2_0_3 -> release_2_0_3 (would clobber existing tag)
! [rejected] release_2_0_4 -> release_2_0_4 (would clobber existing tag)
! [rejected] release_2_0_5 -> release_2_0_5 (would clobber existing tag)
! [rejected] release_2_1_0 -> release_2_1_0 (would clobber existing tag)
! [rejected] release_2_1_1 -> release_2_1_1 (would clobber existing tag)
! [rejected] release_2_1_10 -> release_2_1_10 (would clobber existing tag)
! [rejected] release_2_1_11 -> release_2_1_11 (would clobber existing tag)
! [rejected] release_2_1_12 -> release_2_1_12 (would clobber existing tag)
! [rejected] release_2_1_2 -> release_2_1_2 (would clobber existing tag)
! [rejected] release_2_1_3 -> release_2_1_3 (would clobber existing tag)
! [rejected] release_2_1_4 -> release_2_1_4 (would clobber existing tag)
! [rejected] release_2_1_6 -> release_2_1_6 (would clobber existing tag)
! [rejected] release_2_1_7 -> release_2_1_7 (would clobber existing tag)
! [rejected] release_2_1_8 -> release_2_1_8 (would clobber existing tag)
! [rejected] release_2_1_9 -> release_2_1_9 (would clobber existing tag)
! [rejected] release_2_2_0 -> release_2_2_0 (would clobber existing tag)
! [rejected] release_2_2_1 -> release_2_2_1 (would clobber existing tag)
! [rejected] release_2_2_10 -> release_2_2_10 (would clobber existing tag)
! [rejected] release_2_2_2 -> release_2_2_2 (would clobber existing tag)
! [rejected] release_2_2_3 -> release_2_2_3 (would clobber existing tag)
! [rejected] release_2_2_4 -> release_2_2_4 (would clobber existing tag)
! [rejected] release_2_2_5 -> release_2_2_5 (would clobber existing tag)
! [rejected] release_2_2_6 -> release_2_2_6 (would clobber existing tag)
! [rejected] release_2_2_7 -> release_2_2_7 (would clobber existing tag)
! [rejected] release_2_2_8 -> release_2_2_8 (would clobber existing tag)
! [rejected] release_2_2_9 -> release_2_2_9 (would clobber existing tag)
! [rejected] release_3.0.8 -> release_3.0.8 (would clobber existing tag)
! [rejected] release_3_0_0 -> release_3_0_0 (would clobber existing tag)
! [rejected] release_3_0_0_beta0 -> release_3_0_0_beta0 (would clobber existing tag)
! [rejected] release_3_0_0_beta1 -> release_3_0_0_beta1 (would clobber existing tag)
! [rejected] release_3_0_0_rc0 -> release_3_0_0_rc0 (would clobber existing tag)
! [rejected] release_3_0_0_rc1 -> release_3_0_0_rc1 (would clobber existing tag)
! [rejected] release_3_0_1 -> release_3_0_1 (would clobber existing tag)
! [rejected] release_3_0_10 -> release_3_0_10 (would clobber existing tag)
! [rejected] release_3_0_11 -> release_3_0_11 (would clobber existing tag)
! [rejected] release_3_0_12 -> release_3_0_12 (would clobber existing tag)
! [rejected] release_3_0_13 -> release_3_0_13 (would clobber existing tag)
! [rejected] release_3_0_14 -> release_3_0_14 (would clobber existing tag)
! [rejected] release_3_0_15 -> release_3_0_15 (would clobber existing tag)
! [rejected] release_3_0_16 -> release_3_0_16 (would clobber existing tag)
! [rejected] release_3_0_17 -> release_3_0_17 (would clobber existing tag)
! [rejected] release_3_0_18 -> release_3_0_18 (would clobber existing tag)
! [rejected] release_3_0_19 -> release_3_0_19 (would clobber existing tag)
! [rejected] release_3_0_2 -> release_3_0_2 (would clobber existing tag)
! [rejected] release_3_0_20 -> release_3_0_20 (would clobber existing tag)
! [rejected] release_3_0_21 -> release_3_0_21 (would clobber existing tag)
! [rejected] release_3_0_22 -> release_3_0_22 (would clobber existing tag)
! [rejected] release_3_0_23 -> release_3_0_23 (would clobber existing tag)
! [rejected] release_3_0_24 -> release_3_0_24 (would clobber existing tag)
! [rejected] release_3_0_25 -> release_3_0_25 (would clobber existing tag)
! [rejected] release_3_0_26 -> release_3_0_26 (would clobber existing tag)
! [rejected] release_3_0_27 -> release_3_0_27 (would clobber existing tag)
! [rejected] release_3_0_3 -> release_3_0_3 (would clobber existing tag)
! [rejected] release_3_0_4 -> release_3_0_4 (would clobber existing tag)
! [rejected] release_3_0_4_rc0 -> release_3_0_4_rc0 (would clobber existing tag)
! [rejected] release_3_0_4_rc1 -> release_3_0_4_rc1 (would clobber existing tag)
! [rejected] release_3_0_4_rc2 -> release_3_0_4_rc2 (would clobber existing tag)
! [rejected] release_3_0_5 -> release_3_0_5 (would clobber existing tag)
! [rejected] release_3_0_6 -> release_3_0_6 (would clobber existing tag)
! [rejected] release_3_0_7 -> release_3_0_7 (would clobber existing tag)
! [rejected] release_3_0_8 -> release_3_0_8 (would clobber existing tag)
! [rejected] release_3_0_9 -> release_3_0_9 (would clobber existing tag)
! [rejected] release_3_2_0 -> release_3_2_0 (would clobber existing tag)
! [rejected] release_3_2_1 -> release_3_2_1 (would clobber existing tag)
! [rejected] release_3_2_2 -> release_3_2_2 (would clobber existing tag)
! [rejected] release_3_2_3 -> release_3_2_3 (would clobber existing tag)
! [rejected] release_3_2_4 -> release_3_2_4 (would clobber existing tag)
! [rejected] release_3_2_5 -> release_3_2_5 (would clobber existing tag)
! [rejected] release_3_2_6 -> release_3_2_6 (would clobber existing tag)
! [rejected] release_3_2_7 -> release_3_2_7 (would clobber existing tag)
! [rejected] release_3_2_8 -> release_3_2_8 (would clobber existing tag)
error: could not fetch origin
Fetching bmork at github
Comparing a small subset of the tags on github with my local copies, I
see this on github:
bjorn@canardo:/usr/local/src/git/freeradius$ git ls-remote --tags origin refs/tags/release_3_2_*
69c4b9c4e6e40a69db27049cb6ea65568c1f8c50 refs/tags/release_3_2_0
87528a85decda00b86cf00ad640dc14558e1ca88 refs/tags/release_3_2_0^{}
795def425e5902a714567a14cbaf36717a199765 refs/tags/release_3_2_1
3b86b8fab3574bc860688a55b4c8f70ebc054f15 refs/tags/release_3_2_1^{}
723efbe8846e32852e4a0552400db932ed119913 refs/tags/release_3_2_2
b9ed73ef2d2628fa6e2a6d15a7782f8217966be0 refs/tags/release_3_2_2^{}
902152f616f6c67f91152707663258edaf3dae75 refs/tags/release_3_2_3
db3d1924d9a2e8d37c43872932621f69cfdbb099 refs/tags/release_3_2_3^{}
4f0566bed21fd88c4c93a18094a666cd04573049 refs/tags/release_3_2_4
7e8f34ec57ca854709672f7f3e4a341ff2f0b550 refs/tags/release_3_2_4^{}
64440a14ca3c666883aeb5e0a47ae226448b4a30 refs/tags/release_3_2_5
a7acce80f5ba2271d9aeb737a4a91a5bf8317f31 refs/tags/release_3_2_5^{}
e23d0f459b893f8e09eb4423e947f64a2caf6cf0 refs/tags/release_3_2_6
a696279897f9e87c2fb2b1b8388da5a4aa09835f refs/tags/release_3_2_6^{}
daf925decd4873c252839de116778c90c2e5d97c refs/tags/release_3_2_7
694a97dddbdd26423504afe7c530e8e1502b7354 refs/tags/release_3_2_7^{}
004dafca9f3601453cd3cc08f36493b708ce55cf refs/tags/release_3_2_8
032be31bb52646171099617928ec1703335bcf73 refs/tags/release_3_2_8^{}
While I've got:
bjorn@canardo:/usr/local/src/git/freeradius$ git tag --list --format='%(objectname) %(refname)' release_3_2_*
87528a85decda00b86cf00ad640dc14558e1ca88 refs/tags/release_3_2_0
3b86b8fab3574bc860688a55b4c8f70ebc054f15 refs/tags/release_3_2_1
b9ed73ef2d2628fa6e2a6d15a7782f8217966be0 refs/tags/release_3_2_2
db3d1924d9a2e8d37c43872932621f69cfdbb099 refs/tags/release_3_2_3
7e8f34ec57ca854709672f7f3e4a341ff2f0b550 refs/tags/release_3_2_4
a7acce80f5ba2271d9aeb737a4a91a5bf8317f31 refs/tags/release_3_2_5
a696279897f9e87c2fb2b1b8388da5a4aa09835f refs/tags/release_3_2_6
694a97dddbdd26423504afe7c530e8e1502b7354 refs/tags/release_3_2_7
032be31bb52646171099617928ec1703335bcf73 refs/tags/release_3_2_8
So my tags match the odd tag names with a '^{}' suffix. The new tags
seem to all be gpg signed objects referencing the same object as the old
tag.
For example:
bjorn@canardo:/usr/local/src/git/freeradius$ git show 004dafca9f3601453cd3cc08f36493b708ce55cf
tag release_3_2_8
Tagger: Alan T. DeKok <aland at freeradius.org>
Date: Wed Apr 1 18:35:01 2026 -0400
release_3_2_8
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAmnNnZUACgkQfQ55zXdi
Hs0VJQf/fcukNADXI9Nc1iP2xEWok0T9yKD/IsXNp27kKzvdItXDT4WSAJRV454f
FObLabOcMAfvomBiBGZfVLoNoCFrnG0hOF+cBGCRMYFqRDFTt65UXxb9NWAF0Dw+
kJznNS02Ds/bWxgMA1r7GYkoLqs+Klwg79DuBhmwnXNcj4sr6ifx9NVxOugab+YC
c7X+aunFfDonj6UGJYfAITjlkvdHgvenK15e1UDzYtDzPRsw41Eesa7E0ea+ZlMo
44SNFWcyXuXyXukQhgr12tdtgOvBQ8GYGwDt/2DUAVz4wUrM7rcq+6y+8LJM77ef
sCqvUF4RNdR2SiZAMbqy+gUe98DJYg==
=7bE2
-----END PGP SIGNATURE-----
commit 032be31bb52646171099617928ec1703335bcf73 (tag: release_3_2_8)
gpg: Signature made Wed Aug 20 18:29:15 2025 CEST
gpg: using RSA key A5C5E99DFB9B5C1F70A7A2FFD9B933C12AED74F0
gpg: issuer "matthew-git at newtoncomputing.co.uk"
gpg: Good signature from "Matthew Newton (git signing key) <matthew-git at newtoncomputing.co.uk>" [full]
gpg: matthew-git at newtoncomputing.co.uk: Verified 284 signatures in the past
2 months. Encrypted 0 messages.
Primary key fingerprint: A5C5 E99D FB9B 5C1F 70A7 A2FF D9B9 33C1 2AED 74F0
Author: Matthew Newton <matthew-git at newtoncomputing.co.uk>
Date: Wed Aug 20 17:29:15 2025 +0100
release 3.2.8
diff --git a/debian/changelog b/debian/changelog
index a004b9adecca..d24614ea2720 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,7 +2,7 @@ freeradius (3.2.8+git) unstable; urgency=medium
* New upstream version.
- -- Alan DeKok <aland at freeradius.org> Fri, 31 Jan 2025 12:00:00 +0000
+ -- Alan DeKok <aland at freeradius.org> Wed, 20 Aug 2025 12:00:00 +0000
freeradius (3.2.7+git) unstable; urgency=medium
diff --git a/doc/ChangeLog b/doc/ChangeLog
index c7e59bef42c8..b7ec777822c4 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,4 +1,4 @@
-FreeRADIUS 3.2.8 Fri 31 Jan 2025 12:00:00 UTC urgency=low
+FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
Configuration changes
* Replace dictionary.infinera with the correct one.
* Update dictionary.alteon
@@ -25,11 +25,9 @@ FreeRADIUS 3.2.8 Fri 31 Jan 2025 12:00:00 UTC urgency=low
* Added kafka module. See mods-available/kafka.
* json module can now print dates as integers.
See mods-available/json
- * The debug output now points to the online documentation
- in many cases, when there are syntax errors in the
- configuration.
- * Add support for 389ds password hashes. Patch from
- Gerald Vogt.
+ * The debug output now points to the online documentation in
+ many cases, when there are syntax errors in the configuration.
+ * Add support for 389ds password hashes. Patch from Gerald Vogt.
* reject_delay does not _add_ a delay, but instead ensures that
the reject is delayed for _at least_ that time. This change
means that reject_delay can be set in more situations, including
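Review bot: In the second doc/ChangeLog hunk, the "debug output now points to the online documentation" and "Add support for 389ds password hashes" entries are only re-wrapped, with no change in wording, in the same commit that updates the release date. Whitespace-only reflow belongs in a separate commit, so that the diff of a release commit shows nothing but the date and version changes and is quick to audit.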
So that looks fine. Except this sudden appearance of signatures on all
the old tags, reusing the same names. That's very messy.
Could anyone please confirm that this is intentional and that everything is
OK with the github repo?
Yes, I can see that the tags are signed by an entity which normally
would be trusted.. But these days I have to assume that *any* release
credentials could be compromised. The only protection left is the
sanity of local clones. And tag updates are as unexpected as any other
object modifications.
Bjørn
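
An added example (not part of the original post, nor FreeRADIUS project code): one way to automate the comparison made by hand above, reporting each tag as unchanged, rewrapped (a new tag object over the same target, the case in this message), moved (a different target) or new. The release_3_2_8 ids come from the output above; the example_* tags and their ids are constructed, and `git show-ref --tags -d` is assumed as the source of the local listing.

```shell
# Both inputs use the "<oid> <ref>" / "<oid> <ref>^{}" listing printed by
#   git ls-remote --tags origin   (remote)  and  git show-ref --tags -d  (local)
classify_tags() {
    LC_ALL=C awk '
    function load(oid, ref, obj, peel,    n) {
        n = length(ref)
        if (substr(ref, n - 2) == "^{}") peel[substr(ref, 1, n - 3)] = oid
        else obj[ref] = oid
    }
    FILENAME == ARGV[1] { load($1, $2, robj, rpeel); next }
                        { load($1, $2, lobj, lpeel) }
    END {
        for (ref in robj) {
            if (!(ref in lobj)) { print "new", ref; continue }
            # A lightweight tag has no ^{} line; it peels to itself.
            rp = (ref in rpeel) ? rpeel[ref] : robj[ref]
            lp = (ref in lpeel) ? lpeel[ref] : lobj[ref]
            if (robj[ref] == lobj[ref]) st = "unchanged"
            else if (rp == lp)          st = "rewrapped"
            else                        st = "moved"
            print st, ref
        }
    }' "$1" "$2" | LC_ALL=C sort
}
# Sample data: release_3_2_8 ids are from the post; example_* are constructed.
sample_remote() { cat <<'EOF'
004dafca9f3601453cd3cc08f36493b708ce55cf refs/tags/release_3_2_8
032be31bb52646171099617928ec1703335bcf73 refs/tags/release_3_2_8^{}
1111111111111111111111111111111111111111 refs/tags/example_moved
2222222222222222222222222222222222222222 refs/tags/example_moved^{}
3333333333333333333333333333333333333333 refs/tags/example_same
4444444444444444444444444444444444444444 refs/tags/example_same^{}
5555555555555555555555555555555555555555 refs/tags/example_new
EOF
}
sample_local() { cat <<'EOF'
032be31bb52646171099617928ec1703335bcf73 refs/tags/release_3_2_8
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/example_moved
3333333333333333333333333333333333333333 refs/tags/example_same
4444444444444444444444444444444444444444 refs/tags/example_same^{}
EOF
}
demo() {
    d=$(mktemp -d) || return 1
    sample_remote > "$d/remote"; sample_local > "$d/local"
    classify_tags "$d/remote" "$d/local"
    rm -rf "$d"
}
demo
```

A "rewrapped" result only says the target object is unchanged; whether the new tag object's signature is one to trust still has to be checked separately, for example with `git tag -v`.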