On Tue, 2003-08-26 at 17:38, Alan W. Irwin wrote:

> On 26 Aug 2003, Scott James Remnant wrote:
>
> > The Debian package is actually Libtool 1.5.0a and is taken from their
> > CVS repository, which wasn't compromised.
> >
>
> I agree it takes extreme care to leave no tracks behind so it is fairly
> improbable that the cvs server was compromised. And even if an undetected
> crack occurred of that server, I agree it would take some effort to rewrite
> RCS files (although temporarily putting in a maliciously modified cvs server
> could do it). Thus, I agree with your judgement that restoring from cvs is
> safe to a fairly large degree. However, GNU have apparently decided not to
> restore from cvs since otherwise they should be able to proceed at a much
> faster rate than 10-15 restorations per day. Shouldn't debian follow their
> lead and be ultra-cautious also (especially with libtool since the downside
> is so severe if that app is compromised)?
>

My tracking of the libtool 1.5 branch of CVS predates the compromise,
trust me, there's no naughty code in there.

Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?