Why does Matomo run a File integrity check on CHANGELOG.md?

Hi there,

To increase security and keep prying eyes away, I am deleting CHANGELOG.md once Matomo updates have been completed. Why does Matomo run a File integrity check on CHANGELOG.md? Why does Matomo need those *.md files, which easily reveal which Matomo version I am running?

This is a good point. Downloaded it from our own installation too. However, as long as you stay up to date, the file shows that it is (likely) the newest version that is being run. There isn’t much risk here. Do you disagree?

I do not want to share any CHANGELOG.md information. A lot of crawlers and spammers extract version details automatically. They are going to target the site installation based on that information. Logfiles clearly indicate this kind of procedure.

As a workaround I am blocking the changelog.md file. Not a big fan of it either.

Even with Nginx server_tokens off, the Nginx server version can still be uncovered. Same for PHP. For this reason, I do not view this as a vulnerability. At the same time, it is an oversight, agreed.

Maybe you can update the .htaccess file in order to prevent the display of .md files?
The file integrity could maybe consider that if any file has been changed, there is a risk of corruption…
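An added example of the .htaccess approach suggested above (not taken from Matomo's own .htaccess, and not part of the original reply): it denies HTTP access to every Markdown file under the web root while leaving the files on disk, so the File integrity check still finds them unchanged. It assumes Apache with `AllowOverride` permitting `FilesMatch` directives in .htaccess.

```apache
# Added example, not Matomo's shipped .htaccess.
# Block web access to *.md files (CHANGELOG.md, README.md, ...) so they
# cannot be read remotely, without deleting them from the installation.
<FilesMatch "(?i)\.md$">
  <IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 fallback
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After reloading, a request such as `curl -sI https://your-matomo-host/CHANGELOG.md` (hostname is a placeholder) should return 403 instead of 200. The equivalent on Nginx is a `location ~* \.md$ { return 403; }` block inside the server block, since .htaccess files are not read by Nginx.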

Checking the file structure for whether files have been hacked is a great feature. Also I agree that it is not a vulnerability. Personally I do not see any reason why CHANGELOG.md needs to be kept, though. It reveals more information than needed. Blocking the changelog.md file is the only solution right now.

Enhancement asked in the GitHub repo: Add .md files in the .htaccess file · Issue #17859 · matomo-org/matomo (github.com)
