Re: ftp.gnu.org cracked

[Andreas Metzler <ametzler@downhill.at.eu.org>]

Scott James Remnant <scott@netsplit.com> wrote:
> [ Moved to debian-devel, I don't think this is relevant to private as
>  the GNU crack is well publicised ]

> On Mon, 2003-08-18 at 14:58, Matt Zimmerman wrote:
[...] 
>> If we're going to make a statement about it, we should have some facts to
>> release.  For example, if someone would like to verify the validity of the
>> GNU source tarballs that we ship against the checksums published by GNU,
>> that would be great.

> No problem, this is only a quick run -- others may find ways to improve
> this script somewhat.
[...]
> The script I used is attached, it takes the before-2003-08-01.md5sums
> file from the GNU ftp site (run through gpg to remove signature) as
> either stdin or a command-line argument.
[...]

The corresponding output for files from alpha.gnu.org is much shorter:

   autoconf: autoconf_2.57.orig.tar.gz OK.
!! coreutils: coreutils_4.5.3.orig.tar.gz NOT OK (bc59cb94381dcda083e1cdf2f054bf24 != 2d520532c40d5965024f7cc31a7c0ab7)
!! coreutils: coreutils_4.5.6.orig.tar.gz NOT OK (2bb41d18c38ab909d02875866e7f2b08 != a22e7e148cc76995dac17ac302b5602f)
!! coreutils: coreutils_5.0.90.orig.tar.gz NOT OK (dbf2126651fe7f09aef0758d3c49a245 != e35fa79775ba0e1b973f13d06336287c)
   textutils: textutils_2.0.orig.tar.gz OK.
   findutils: findutils_4.1.20.orig.tar.gz OK.
   gpaint: gpaint_0.2.2.orig.tar.gz OK.
   gzip: gzip_1.3.5.orig.tar.gz OK.
   libidn: libidn_0.1.14.orig.tar.gz OK.
   tar: tar_1.13.25.orig.tar.gz OK.
   vcdimager: vcdimager_0.7.14.orig.tar.gz OK.

               cu andreas