Re: The possibility of malicious code in the Debian unstable libtool-1.5 package



On Tue, 2003-08-26 at 16:23, Alan W. Irwin wrote:

> As I am sure most of you on this list are aware, GNU recently discovered
> that their ftp file server was owned for many months by a cracker.
> 
Indeed, I was the one who did a bulk-check of the easy MD5 sums and
posted it to the list :-)

> libtool-1.5.tar.gz is one of those tarballs that has not yet been given a
> clean bill of health by GNU (see http://ftp.gnu.org/gnu/libtool/).
> Nevertheless, it has been packaged for debian unstable. 
> 
Untrue.

The Debian package is actually Libtool 1.5.0a and is taken from their
CVS repository, which wasn't compromised.

The _orig.tar.gz *is* the potentially compromised one from the FTP site,
however any compromise would be reverted back to the uncompromised CVS
version by the .diff.gz[0]

That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
CVS tree for that release, and there are no differences...  as well as
obviously manually reading the 1.5 -> 1.5.0a diff before applying it.

Unless cvs.gnu.org was also compromised by someone insane enough to
rewrite RCS files by hand to hide the modification, libtool in unstable
is safe :-)

Scott

[0] which also accidentally contains some .svn trees, oops! :)
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

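The verification steps the message describes (checking a tarball's digest against a published list, then diffing the tarball's contents against a VCS checkout of the same release while ignoring stray metadata directories such as the .svn trees mentioned in footnote [0]) can be scripted. The following is an added example, not code from the thread or from the libtool or Debian projects; it uses SHA-256 rather than the MD5 sums the message refers to, and every file name, directory and checksum in it is constructed sample data.

```shell
#!/bin/sh
# Added example: verify a release tarball against a known digest and against a
# reference source tree (e.g. a VCS checkout of the tagged release).
# Stray VCS metadata (.svn, CVS) is ignored in the comparison, since such
# directories can legitimately appear on one side and not the other.

set -u

# check_tarball EXPECTED_SHA256 TARBALL
# Returns 0 if the tarball's SHA-256 matches EXPECTED_SHA256, 1 otherwise.
# (The message used MD5 sums; SHA-256 is used here as an assumption.)
check_tarball() {
    expected="$1"
    tarball="$2"
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# diff_tarball_against_tree TARBALL REFTREE
# Extracts the tarball into a scratch directory and recursively diffs the
# single top-level directory it contains against REFTREE.
# Returns 0 when the contents match (VCS metadata ignored), 1 otherwise.
diff_tarball_against_tree() {
    tarball="$1"
    reftree="$2"
    scratch=$(mktemp -d)
    tar -xzf "$tarball" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    top=$(ls "$scratch")            # assumes exactly one top-level directory
    diff -r -x .svn -x CVS "$scratch/$top" "$reftree" >/dev/null 2>&1
    status=$?
    rm -rf "$scratch"
    return $status
}

# --- constructed sample data ------------------------------------------------
# Builds a small "reference checkout" (with a stray .svn directory), a clean
# tarball from it, and a tampered copy of that tarball, so the checks above
# have something to exercise.  Sets SAMPLE (scratch dir) and GOOD_SHA.
make_sample() {
    SAMPLE=$(mktemp -d)
    mkdir -p "$SAMPLE/ref/libfoo-1.0/.svn"
    printf 'all:\n\ttrue\n' > "$SAMPLE/ref/libfoo-1.0/Makefile"
    printf 'int main(void){return 0;}\n' > "$SAMPLE/ref/libfoo-1.0/main.c"
    printf 'stray metadata\n' > "$SAMPLE/ref/libfoo-1.0/.svn/entries"
    # Clean tarball: same sources, no .svn tree (as a release tarball would be).
    tar -czf "$SAMPLE/libfoo-1.0.tar.gz" -C "$SAMPLE/ref" --exclude=.svn libfoo-1.0
    # Tampered tarball: identical layout, one source file altered.
    mkdir -p "$SAMPLE/bad"
    cp -r "$SAMPLE/ref/libfoo-1.0" "$SAMPLE/bad/"
    printf 'int main(void){return 1;}\n' > "$SAMPLE/bad/libfoo-1.0/main.c"
    tar -czf "$SAMPLE/libfoo-1.0-tampered.tar.gz" -C "$SAMPLE/bad" --exclude=.svn libfoo-1.0
    GOOD_SHA=$(sha256sum "$SAMPLE/libfoo-1.0.tar.gz" | cut -d' ' -f1)
}

# Usage against a real release (paths are placeholders):
#   check_tarball "<sha256 from the project's signed checksum list>" libtool-1.5.tar.gz
#   diff_tarball_against_tree libtool-1.5.tar.gz /path/to/cvs-checkout/libtool
```

The digest check only tells you the file you have is the file the project published; the tree diff is what catches a tarball that was altered on the distribution server after the checkout it was built from, which is the scenario the message is about. The `-x .svn -x CVS` exclusions keep metadata that was accidentally shipped (or that exists only in the checkout) from masking or faking a difference.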