Date: Sun, 28 Jan 2007 13:23:48 +0100
From: Lubomir Sedlacik
To: Wesley Shields
Cc: "Freebsd Ports: Archivers", Paul Schmehl, aquatique-ports@rambler.ru
Subject: Re: Problem with devel/silc-toolkit

hello,

On Sat, Jan 27, 2007 at 09:45:14PM -0500, Wesley Shields wrote:
> > Looks like the bzipped tarball on their website has been altered -
> > possibly compromised. I'm cc'ing the port maintainer, but I was
> > unable to find a security address at SILC to notify them. I'm ccing
> > their abuse and postmaster addresses.

it's right there, on the web site: SILC Project -> Contact Us ->
Security Issues at security@silcnet.org

> Altered, yes. Compromised is a bit of a jump. Maybe they re-rolled
> it for any one of an infinite number of reasons.

the file was _NOT_ touched since it was released. we never re-release
tarballs under the same version for this precise reason.

> > I would recommend that the port be marked BROKEN until this is
> > resolved.
>
> Seeing as how it passes checksums for me I'm leaning towards a local
> problem.

checksums of the file in the master download area match the checksums in
the FreeBSD ports tree. there is no reason to believe the file (or the
machine) was compromised.

$ cksum -a sha256 silc-toolkit-1.0.2.tar.bz2
SHA256 (silc-toolkit-1.0.2.tar.bz2) = 45b289f2c328378e5fbdfc394ff71cbb66ef7c4fdc882185dbeeb08b28d25c7a
$ cksum -a md5 silc-toolkit-1.0.2.tar.bz2
MD5 (silc-toolkit-1.0.2.tar.bz2) = 869ce01349444a28fbace3c1bfe745ff
$ cat silc-toolkit-1.0.2.tar.bz2.md5
869ce01349444a28fbace3c1bfe745ff silc-toolkit-1.0.2.tar.bz2

everything seems to indicate a local problem.

regards,

--
-- Lubomir Sedlacik --
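Added example, not part of the original message or of any SILC or FreeBSD code: a small Python checker that reads reference lines in the two formats shown in the message (the BSD-style `SHA256 (file) = hex` line and the `hex  file` line of the `.md5` sidecar) and compares them with digests computed from a local copy of the distfile. The function names and the rule that infers the algorithm from the digest length are assumptions made for this illustration.

```python
import hashlib
import re

# BSD style, as printed by `cksum -a sha256`: "SHA256 (name) = hex"
BSD_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")
# Sidecar style, as in the .md5 file: "hex  name"; algorithm implied by length
SIDECAR_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_reference(line):
    """Return (algorithm, filename, hexdigest) for one reference line."""
    line = line.strip()
    m = BSD_RE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), m.group(3).lower()
    m = SIDECAR_RE.match(line)
    if m and len(m.group(1)) in ALGO_BY_HEXLEN:
        return ALGO_BY_HEXLEN[len(m.group(1))], m.group(2), m.group(1).lower()
    raise ValueError(f"unrecognised checksum line: {line!r}")


def file_digest(path, algo):
    """Hash the file in chunks so large distfiles are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, reference_lines):
    """Compare path against every reference line; return [(algorithm, matched)]."""
    results = []
    for line in reference_lines:
        algo, _name, expected = parse_reference(line)
        results.append((algo, file_digest(path, algo) == expected))
    return results


if __name__ == "__main__":
    import sys
    # Usage: verify.py <distfile> <file containing reference lines>
    with open(sys.argv[2]) as refs:
        outcome = verify(sys.argv[1], [l for l in refs if l.strip()])
    for algo, ok in outcome:
        print(f"{algo}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if outcome and all(ok for _, ok in outcome) else 1)
```

The script exits non-zero if any reference line fails to match, so it can gate a build step.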