From owner-freebsd-ports Wed May 30 5:28:12 2001
Date: Wed, 30 May 2001 14:28:04 +0200
From: Anders Nordby
To: ports@freebsd.org
Subject: (forw) Port distfiles: sourceforge compromise
Message-ID: <20010530142804.A24422@totem.fix.no>
Mail-Followup-To: Anders Nordby, ports@freebsd.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="uAKRQypu60I7Lcqm"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.3-RELEASE
X-PGP-Key: http://anders.fix.no/pgp/
X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--uAKRQypu60I7Lcqm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello,

I believe this is relevant for us too then. I haven't got any details about
this though. Hohum.

Regards,

--
Anders.

--uAKRQypu60I7Lcqm
Content-Type: message/rfc822
Content-Disposition: inline

Date: Wed, 30 May 2001 14:17:57 +0200
From: Marc Espie
To: ports@openbsd.org, announce@openbsd.org
Subject: Port distfiles: sourceforge compromise
Message-ID: <20010530141757.A12467@schutzenberger.liafa.jussieu.fr>
Reply-To: Marc.Espie@liafa.jussieu.fr
Mail-Followup-To: Marc Espie, ports@openbsd.org, announce@openbsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-ports@openbsd.org
Precedence: bulk
X-Loop: ports@openbsd.org

I just got belated news that SourceForge got compromised.

It's a case where we are very happy we do have strong cryptographic
checksums for distfiles.

* users, if you compile a port from source, be very paranoid around
  checksum changes, especially if the port comes from sourceforge.

* porters, please be very, very careful in updating/importing anything
  that comes from sourceforge, at least for a while.

This probably means that ANY update should not be done unless you've
actually LOOKED HARD at the diff between the previous and the current
version, or you have complete insurance that Source Forge is not the main
distribution site, and the project could not have been tainted.

--uAKRQypu60I7Lcqm--
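
An added example, not part of either mail and not ports-tree code: a Python check for the situation the forwarded message warns about, comparing a port's previous and updated checksum files and flagging a distfile whose name is unchanged but whose checksum differs. The `SHA256 (name) = hex` / `SIZE (name) = n` line format, the function names, the file names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")  # assumed: "SHA256 (foo.tar.gz) = <hex>"

def parse_distinfo(text):
    """Return {distfile: {algorithm: value}} for every checksum line."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            table.setdefault(name, {})[algo.upper()] = value
    return table

def audit_update(old_text, new_text):
    """Classify each distfile of an updated checksum file against the old one."""
    old, new = parse_distinfo(old_text), parse_distinfo(new_text)
    findings = {}
    for name, sums in new.items():
        if name not in old:
            findings[name] = "new-distfile"      # new release: read the source diff
        elif any(old[name][a] != v for a, v in sums.items() if a in old[name]):
            findings[name] = "changed-in-place"  # same name, new bytes: stop and ask
        else:
            findings[name] = "unchanged"
    return findings

def verify_distfile(data, name, distinfo_text):
    """True only if data matches the recorded SIZE and SHA256 for name."""
    sums = parse_distinfo(distinfo_text).get(name, {})
    if "SHA256" not in sums:
        return False                             # nothing recorded: fail closed
    if "SIZE" in sums and int(sums["SIZE"]) != len(data):
        return False
    return hashlib.sha256(data).hexdigest() == sums["SHA256"].lower()

def make_distinfo(files):
    return "".join(f"SHA256 ({n}) = {hashlib.sha256(d).hexdigest()}\n"
                   f"SIZE ({n}) = {len(d)}\n" for n, d in files.items())

# Constructed sample inputs, not real distfiles.
GOOD = b"constructed tarball bytes, release 1.0\n"
TAMPERED = b"constructed tarball bytes, release 1.0, altered upstream\n"
OLD = make_distinfo({"foo-1.0.tar.gz": GOOD})
REROLLED = make_distinfo({"foo-1.0.tar.gz": TAMPERED})

if __name__ == "__main__":
    print(audit_update(OLD, REROLLED))  # same file name, different checksum
```

A `changed-in-place` result says only that the upstream file was replaced under the same name; whether that was a benign re-roll or tampering still has to be settled by reading the diff, as the message asks porters to do.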