
Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

On Tue, 2003-08-26 at 17:38, Alan W. Irwin wrote:

> On 26 Aug 2003, Scott James Remnant wrote:
> > The Debian package is actually Libtool 1.5.0a and is taken from their
> > CVS repository, which wasn't compromised.
> >
> I agree it takes extreme care to leave no tracks behind so it is fairly
> improbable that the cvs server was compromised. And even if an undetected
> crack occurred of that server, I agree it would take some effort to rewrite
> RCS files (although temporarily putting in a maliciously modified cvs server
> could do it).  Thus, I agree with your judgement that restoring from cvs is
> safe to a fairly large degree. However, GNU have apparently decided not to
> restore from cvs since otherwise they should be able to proceed at a much
> faster rate than 10-15 restorations per day.  Shouldn't Debian follow their
> lead and be ultra-cautious also (especially with libtool since the downside
> is so severe if that app is compromised)?

My tracking of the libtool 1.5 branch of CVS predates the compromise;
trust me, there's no naughty code in there.

Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

Attachment: signature.asc
Description: This is a digitally signed message part
