Re: Fwd: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
Debian (me & the buildds) are not vulnerable :)
I always verify the MD5sums with the announcement letters, and then
store that, along with the signature file in the source deb - allowing
for verification like that below.
I also have the sendmail key on my private keyring, instead of using
the one in the tarball (it wasn't trojanned this time, but I'm ready
if they try it later).
[11:31:44 cowboy@badlands:sendmail-8.12.6 565:0]$ debian/rules verify
# Verifying the md5 summs and signed files
Checking MD5 source: ./sendmail.8.12.6.tar.md5.
Checking signature file ./sendmail.8.12.6.tar.sig.
gpg: Signature made Mon Aug 26 22:06:30 2002 EDT using RSA key ID 678C0A03
gpg: Good signature from "Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>"
<DannyS> Hit the monkey to win $20(*)!
* knghtbrd gets out his mallet.
* knghtbrd plants it firmly on DannyS' head.
* knghtbrd will take his $20 now. =D
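
The two checks described in the message above (a digest pinned from the announcement, and a signature checked against a keyring kept outside the tarball), as an added example that is not part of the original mail and is not the actual `debian/rules verify` target. The function names, argument order and the layout of the pinned digest file (hex digest as the first field of the first line) are assumptions.

```shell
#!/bin/sh
# Added example: pinned-digest plus pinned-keyring verification of an
# upstream tarball. All names and file layouts here are assumptions.

# Compare a file's MD5 with a digest recorded out of band (for instance
# copied from the release announcement and stored in the source package).
# Returns 0 on match, 1 on mismatch, 2 if an input file is unreadable.
check_pinned_md5() {
    file=$1
    pinned=$2
    [ -r "$file" ] && [ -r "$pinned" ] || return 2
    want=$(awk 'NR==1 {print tolower($1)}' "$pinned")
    have=$(md5sum "$file" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Verify a detached signature using only the given keyring. Because the
# default keyring is disabled and nothing is imported, a public key shipped
# inside the tarball is never consulted.
# Returns 2 if the keyring is unreadable, otherwise gpg's exit status.
check_pinned_sig() {
    sig=$1
    data=$2
    keyring=$3   # give a path containing a slash so gpg uses it as-is
    [ -r "$keyring" ] || return 2
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$data"
}

# Run both checks and stop at the first failure.
verify_release() {
    tarball=$1; pinned=$2; sig=$3; keyring=$4
    check_pinned_md5 "$tarball" "$pinned" || {
        echo "MD5 does not match pinned value: $tarball" >&2
        return 1
    }
    check_pinned_sig "$sig" "$tarball" "$keyring" || {
        echo "signature check failed: $sig" >&2
        return 1
    }
    echo "verified: $tarball"
}

# Usage: script TARBALL PINNED_MD5_FILE SIG_FILE KEYRING
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

A digest that travels with the download only detects corruption; the value has to come from a separate channel such as the announcement, which is why it is stored in the source package.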