Date:      Sun, 28 Jan 2007 13:23:48 +0100
From:      Lubomir Sedlacik <salo@silcnet.org>
To:        Wesley Shields <wxs@atarininja.org>
Cc:        "Freebsd Ports: Archivers" <ports@freebsd.org>, Paul Schmehl <pauls@utdallas.edu>, aquatique-ports@rambler.ru
Subject:   Re: Problem with devel/silc-toolkit
Message-ID:  <20070128122348.GQ8224@Xtrmntr.org>
In-Reply-To: <20070128024514.GA79142@atarininja.org>
References:  <3B27E5D772A78D81D72D9420@paul-schmehls-powerbook59.local> <20070128014441.GA76439@atarininja.org> <D2F9DABD9A545B74551F4D18@paul-schmehls-powerbook59.local> <20070128024514.GA79142@atarininja.org>


hello,

On Sat, Jan 27, 2007 at 09:45:14PM -0500, Wesley Shields wrote:
> > Looks like the bzipped tarball on their website has been altered -
> > possibly compromised.  I'm cc'ing the port maintainer, but I was
> > unable to find a security address at SILC to notify them.  I'm ccing
> > their abuse and postmaster addresses.

it's right there, on the web site:

SILC Project -> Contact Us -> Security Issues at security@silcnet.org

> Altered, yes.  Compromised is a bit of a jump.  Maybe they re-rolled
> it for any one of an infinite number of reasons.

the file was _NOT_ touched since it was released.  we never re-release
tarballs under the same version for this precise reason.

> > I would recommend that the port be marked BROKEN until this is
> > resolved.
>
> Seeing as how it passes checksums for me I'm leaning towards a local
> problem.

checksums of the file in the master download area match the checksums
in the FreeBSD ports tree.  there is no reason to believe the file (or
the machine) was compromised.

 $ cksum -a sha256 silc-toolkit-1.0.2.tar.bz2
 SHA256 (silc-toolkit-1.0.2.tar.bz2) = 45b289f2c328378e5fbdfc394ff71cbb66ef7c4fdc882185dbeeb08b28d25c7a
 $ cksum -a md5 silc-toolkit-1.0.2.tar.bz2
 MD5 (silc-toolkit-1.0.2.tar.bz2) = 869ce01349444a28fbace3c1bfe745ff
 $ cat silc-toolkit-1.0.2.tar.bz2.md5
 869ce01349444a28fbace3c1bfe745ff  silc-toolkit-1.0.2.tar.bz2

everything seems to indicate a local problem.


regards,

-- 
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
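
The three-way comparison made in this message (local copy, upstream checksum file, ports-tree record), as an added example that is not part of the original e-mail or of SILC or FreeBSD code. The function names, `demo.tar.bz2` and its bytes are constructed for illustration, and the sketch also checks a distinfo `SIZE` line, which the message does not show.

```python
import hashlib
import re

# BSD style, as printed by `cksum -a sha256` above and stored in a ports distinfo file
BSD_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9A-Fa-f]+)$")
# coreutils style, as in the upstream .md5 file: "<hex>  <name>"
GNU_LINE = re.compile(r"^([0-9A-Fa-f]+) [ *](.+)$")
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_records(text):
    """Return [(algo, filename, value)] from checksum lines in either style."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if m := BSD_LINE.match(line):
            records.append((m[1].lower(), m[2], m[3].lower()))
        elif (m := GNU_LINE.match(line)) and len(m[1]) in ALGO_BY_HEX_LENGTH:
            records.append((ALGO_BY_HEX_LENGTH[len(m[1])], m[2], m[1].lower()))
    return records

def failed_checks(name, data, text):
    """List the algorithms in `text` whose record for `name` does not match `data`."""
    records = [r for r in parse_records(text) if r[1] == name]
    if not records:
        raise ValueError(f"no checksum record for {name}")
    failed = []
    for algo, _, value in records:
        if algo == "size":      # distinfo SIZE line: a byte count, not a digest
            ok = len(data) == int(value)
        elif algo in ALGO_BY_HEX_LENGTH.values():
            ok = hashlib.new(algo, data).hexdigest() == value
        else:
            ok = False          # unknown algorithm: count as unverified
        if not ok:
            failed.append(algo)
    return failed

def diagnose(name, data, upstream_text, ports_text):
    """Compare one local copy against the upstream and ports-tree records."""
    up = failed_checks(name, data, upstream_text)
    ports = failed_checks(name, data, ports_text)
    if not up and not ports:
        return "match"
    if up and ports:
        return "local copy differs from both records"
    return "upstream and ports records disagree"

if __name__ == "__main__":
    blob = b"constructed stand-in bytes"     # constructed sample, not the real tarball
    rec = f"SHA256 (demo.tar.bz2) = {hashlib.sha256(blob).hexdigest()}"
    print(diagnose("demo.tar.bz2", blob[:-1], rec, rec))   # truncated local copy
```

A local copy that fails against both independently published records points at the download or the local machine; a copy that satisfies one record but not the other means the records themselves need reconciling.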
