Update: I've manually reviewed a diff[1] of all changes to jars published since the intrusion. I found nothing suspicious in the diff, but I did see a couple instances of bytecode in it. Two of them were just bytecode being removed, but in one of them the bytecode changed when the new copy was redeployed.

So the current status is that we've verified everything except rst-format-parser. This seems to be a fairly obscure jar with only 21 downloads listed. But I've contacted the maintainer to ask him to either verify the checksum or redeploy a known-good jar. Unless you're one of the few people using this jar, you should be safe[2].

Happy hacking,
Phil

[1] - http://p.hagelb.org/clojars-republished.diff.html
[2] - By "safe" here, I mean "as safe as you were before the intrusion". You're probably still trusting unsigned jars. We're working on making it easier to have good reason to trust your dependencies, but it's slow going.