On Tue, Aug 26, 2003 at 08:23:44AM -0700, Alan W. Irwin wrote:
> Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
> libtool-1.5 package until GNU has a chance to check the tarball? (And of
> course after the checked version is available, the tarball used to create
> the current package should be checked against it to make sure nothing
> malicious got propagated while the libtool-1.5 package was available).

Would it not be the right thing to simply run diff between the source in
testing (assuming that predates the crack) and the one in unstable and
look for suspicious code? It doesn't take somebody operating in an
official GNU capacity to confirm that there's no malicious code there.

noah
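The tree comparison suggested in the message above, as an added example that is not part of the original post: a POSIX shell function that narrows two unpacked source trees (for instance the one from testing and the one from unstable) down to the files that actually need reading. The names `compare_trees` and `make_sample_trees` and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): file-level comparison of two
# unpacked source trees. Regular files only; symlinks are not examined.

# compare_trees OLD NEW -> sorted lines: ADDED|CHANGED|MODE|REMOVED ./path
compare_trees() (
    old=$(cd "$1" && pwd) || exit 2
    new=$(cd "$2" && pwd) || exit 2
    {
        # Pass 1: every file in the tree assumed to be good.
        cd "$old" && find . -type f -exec sh -c '
            new=$1; shift
            for f do
                xo=0; [ -x "$f" ] && xo=1
                xn=0; [ -x "$new/$f" ] && xn=1
                if [ ! -f "$new/$f" ]; then echo "REMOVED $f"
                elif ! cmp -s "$f" "$new/$f"; then echo "CHANGED $f"
                elif [ "$xo" != "$xn" ]; then echo "MODE $f"   # exec bit flipped
                fi
            done' sh "$new" {} +
        # Pass 2: files that exist only in the tree under review.
        cd "$new" && find . -type f -exec sh -c '
            old=$1; shift
            for f do [ -f "$old/$f" ] || echo "ADDED $f"; done' sh "$old" {} +
    } | LC_ALL=C sort
)

# Constructed sample input: two small trees that differ in four ways.
make_sample_trees() {
    mkdir -p "$1/old/src" "$1/new/src"
    printf 'echo checking\n' > "$1/old/configure"
    printf 'echo checking\necho extra\n' > "$1/new/configure"
    printf 'int main(void){return 0;}\n' > "$1/old/src/main.c"
    cp "$1/old/src/main.c" "$1/new/src/main.c"
    printf 'docs\n' > "$1/old/README"
    printf 'true\n' > "$1/old/helper.sh"
    cp "$1/old/helper.sh" "$1/new/helper.sh"
    chmod 644 "$1/old/helper.sh"; chmod 755 "$1/new/helper.sh"
    printf 'int x;\n' > "$1/new/src/extra.c"
}

# Demo run on the constructed trees.
tmp=$(mktemp -d) && make_sample_trees "$tmp" && compare_trees "$tmp/old" "$tmp/new"
rm -rf "$tmp"
```

Each `CHANGED` or `ADDED` path is then a candidate for a line-by-line `diff -u` and manual reading.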