
Re: ftp.gnu.org cracked



On Tue, Aug 19, 2003 at 11:27:26PM -0400, Matt Zimmerman wrote:
> > > > > 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> > > > > the March-July period, and most of GNU packages have their corresponding
> > > > > packages in the Debian archive.
> > > > 
> > > > The current evidence suggests that this has not happened.
> > 
> > FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
> > There appears to have been no change to it between then and now:
> > 
> > -rw-r--r--    1 1001     3000      1892091 Jun 11 03:19 texinfo-4.6.tar.gz
> > -rw-r--r--    1 joy      joy       1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz
> > 
> > The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64
> 
> There is a cryptographically signed README on ftp.gnu.org which lists
> checksums for the files that GNU have been able to verify.  You can check
> against that.

Ah, got it, it wasn't in the mirror hierarchy so I missed it initially.
Thanks.

5730c8c0c7484494cca7a7e2d7459c64 gnu/texinfo/texinfo-4.6.tar.gz [Signed on Wed Aug 13 14:27:46 2003 EDT using DSA key ID D679F6CF]

That's from the upstream maintainer, Karl Berry. Doesn't seem to be in a
web of trust but it should be fine nevertheless.

-- 
     2. That which causes joy or happiness.
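
The check suggested in the quoted reply (compare local copies against the signed checksum list), as an added example that is not part of the original message. It assumes the list's signature has already been verified (for instance with `gpg --verify`) and that each entry is an MD5 digest followed by a relative path, as in the line quoted above; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed entry layout: 32 hex digits (MD5), whitespace, relative path; anything after is ignored.
ENTRY = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)")

def parse_manifest(text):
    """Map path -> md5 for each checksum line; PGP armor and prose lines are skipped."""
    hits = (ENTRY.match(line.strip()) for line in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in hits if m}

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_tree(manifest_text, root):
    """Return ({listed path: 'ok'|'MISMATCH'|'missing'}, [local files the list does not cover])."""
    wanted = parse_manifest(manifest_text)
    status = {}
    for rel, digest in wanted.items():
        local = Path(root) / rel
        if not local.is_file():
            status[rel] = "missing"
        else:
            status[rel] = "ok" if md5_of(local) == digest else "MISMATCH"
    present = {p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()}
    return status, sorted(present - set(wanted))

def demo():
    """Constructed sample: a tiny mirror tree with one altered and one unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "gnu" / "demo"
        pkg.mkdir(parents=True)
        (pkg / "good-1.0.tar.gz").write_bytes(b"original contents")
        (pkg / "bad-1.0.tar.gz").write_bytes(b"original contents")
        manifest = "".join(f"{md5_of(p)} gnu/demo/{p.name}\n" for p in sorted(pkg.iterdir()))
        (pkg / "bad-1.0.tar.gz").write_bytes(b"altered after the list was made")
        (pkg / "new-2.0.tar.gz").write_bytes(b"never verified")
        return check_tree(manifest, d)

if __name__ == "__main__":
    print(demo())
```

Files reported in the second list are the ones the signed list says nothing about, so a matching checksum elsewhere gives no assurance for them.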
