Re: ftp.gnu.org cracked

To: debian-security@lists.debian.org
Subject: Re: ftp.gnu.org cracked
From: Josip Rodin <joy@srce.hr>
Date: Tue, 19 Aug 2003 03:10:36 +0200
Message-id: <[🔎] 20030819011036.GB20051@prvidomaci.srce.hr>
In-reply-to: <[🔎] 20030818052914.GB809@aragorn>
References: <20030818025155.GF473@aragorn> <200308181235.44876.russell@coker.com.au> <[🔎] 20030818052914.GB809@aragorn>

On Mon, Aug 18, 2003 at 05:29:14AM +0000, Robert Millan wrote:
> > > 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> > > the March-July period, and most of GNU packages have their corresponding
> > > packages in the Debian archive.
> > 
> > The current evidence suggests that this has not happened.

FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
There appears to have been no change between to it then and now:

-rw-r--r--    1 1001     3000      1892091 Jun 11 03:19 texinfo-4.6.tar.gz
-rw-r--r--    1 joy      joy       1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz

The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64

Now, it's possible that it was tampered with before the mirror even got to
it... I suppose I could ask the upstream maintainer to confirm the md5sum
from their local copy?

(Please Cc: any replies, I'm not subscribed.)

-- 
     2. That which causes joy or happiness.

Reply to:

Follow-Ups:
- Re: ftp.gnu.org cracked
  - From: Alf B Lervåg <alfborge@stud.ntnu.no>
- Re: ftp.gnu.org cracked
  - From: Matt Zimmerman <mdz@debian.org>

References:
- Re: ftp.gnu.org cracked
  - From: Robert Millan <zeratul2@wanadoo.es>

Prev by Date: Re: ftp.gnu.org cracked
Next by Date: Re: ftp.gnu.org cracked
Previous by thread: Re: ftp.gnu.org cracked
Next by thread: Re: ftp.gnu.org cracked
Index(es):
- Date
- Thread