Date: Sun, 2 Feb 2020 21:50:51 +0100 From: Christoph Moench-Tegeder <cmt@burggraben.net> To: Peter Jeremy <peter@rulingia.com> Cc: ajtiM <starikarp@dismail.de>, freebsd-ports@freebsd.org, Thomas Dickey <dickey@invisible-island.net> Subject: Re: xterm-353 Message-ID: <20200202205050.GA2182@squirrel.exwg.net> In-Reply-To: <20200202185446.GB60645@server.rulingia.com> References: <20200202103600.1959de17@dismail.de> <20200202154227.GB1309@albert.catwhisker.org> <20200202121118.71446c54@dismail.de> <20200202123845.46fc2d8b@dismail.de> <20200202185446.GB60645@server.rulingia.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thomas, care to check the latest xterm tar file on the mirror? ## Peter Jeremy (peter@rulingia.com): > If you are inclined, you could compare the contents of both files and > report the differences upstream - particularly if there has been a > malicious change. In fact, https://invisible-mirror.net/archives/xterm/xterm-353.tgz is ftp://ftp.invisible-island.net/xterm/xterm-353.tgz gzipped once over again. The file from the mirror fails the GPG signature check and has sha256 0ef2e2fdfade2dfba41f7babeb1066886fd3c8c6aa6dd057fbce3d59a8848aa6 and can be gunzipped to reveal a tgz file with sha256 e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768 - that file can be verified with the GPG signature and matches the sha256sum the ports tree expects. (In fact, the file from the mirror can't even be "tar xzf"ed, as it's not a tar inside a gz but a tar inside a gz inside a gz). Regards, Christoph -- Spare Space.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200202205050.GA2182>