Date: 31 May 2001 01:43:05 +0200
From: Cyrille Lefevre <clefevre-lists@noos.fr>
To: security@freebsd.org
Subject: Fwd: Port distfiles: sourceforge compromise
Message-ID: <zobubdyu.fsf@gits.dyndns.org>
In-Reply-To: <20010530141757.A12467@schutzenberger.liafa.jussieu.fr>
References: <20010530141757.A12467@schutzenberger.liafa.jussieu.fr>

just FYI, a message from announce@openbsd.org

Marc Espie <espie@schutzenberger.liafa.jussieu.fr> writes:

> I just got belated news that SourceForge got compromised. It's a case
> where we are very happy we do have strong cryptographic checksums for
> distfiles.
>
> * users, if you compile a port from source, be very paranoid around
> checksum changes, especially if the port comes from sourceforge.
>
> * porters, please be very, very careful in updating/importing anything
> that comes from sourceforge, at least for a while. This probably means
> that ANY update should not be done unless you've actually LOOKED HARD
> at the diff between the previous and the current version, or you have
> complete insurance that Source Forge is not the main distribution site,
> and the project could not have been tainted.

Cyrille.
--
home: mailto:clefevre@redirect.to   UNIX is user-friendly; it's just particular
work: mailto:Cyrille.Lefevre@edf.fr   about who it chooses to be friends with.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
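
Added example (not part of the original message or of any ports tooling): one way to spot the "checksum change" case the quoted advice warns about, where a distfile keeps its name but its recorded digest differs between two versions of a checksum file. The BSD-style "ALGO (file) = digest" line format, the function names and the sample file names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# BSD-style checksum line (assumed format): "ALGO (filename) = hexdigest"
LINE = re.compile(r"^(MD5|SHA1|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_distinfo(text):
    """Return {(algo, filename): digest} for each recognised checksum line."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries[(algo, name)] = digest.lower()
    return entries

def replaced_in_place(old_text, new_text):
    """Filenames present in both versions whose digest changed.
    A new filename is a normal version bump; same name with a new
    digest means the upstream file was swapped and needs a manual diff."""
    old, new = parse_distinfo(old_text), parse_distinfo(new_text)
    return sorted({name for (algo, name), digest in new.items()
                   if (algo, name) in old and old[(algo, name)] != digest})

def verify(data, algo, expected):
    """Check fetched bytes against the recorded digest; fail closed."""
    try:
        h = hashlib.new(algo.lower())
    except ValueError:          # unknown algorithm: treat as a mismatch
        return False
    h.update(data)
    return hmac.compare_digest(h.hexdigest(), expected.lower())

def demo():
    # Constructed sample: foo-1.0.tar.gz keeps its name but its bytes change.
    good, tampered, bump = b"original release", b"re-rolled release", b"next release"
    sha = lambda b: hashlib.sha256(b).hexdigest()
    old = f"SHA256 (foo-1.0.tar.gz) = {sha(good)}\n"
    new = (f"SHA256 (foo-1.0.tar.gz) = {sha(tampered)}\n"
           f"SHA256 (foo-1.1.tar.gz) = {sha(bump)}\n")
    recorded = parse_distinfo(old)[("SHA256", "foo-1.0.tar.gz")]
    return (replaced_in_place(old, new),
            verify(good, "SHA256", recorded),
            verify(tampered, "SHA256", recorded))

if __name__ == "__main__":
    print(demo())
```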