On 26 Aug 2003, Scott James Remnant wrote:

> The Debian package is actually Libtool 1.5.0a and is taken from their
> CVS repository, which wasn't compromised.
>
> The _orig.tar.gz *is* the potentially compromised one from the FTP site,
> however any compromise would be reverted back to the uncompromised CVS
> version by the .diff.gz[0]
>
> That aside, I've compared libtool-1.5.tar.gz to a checkout of the GNU
> CVS tree for that release, and there are no differences... as well as
> obviously manually reading the 1.5 -> 1.5.0a diff before applying it.
>
> Unless cvs.gnu.org was also compromised by someone insane enough to
> rewrite RCS files by hand to hide the modification, libtool in unstable
> is safe :-)
I agree it takes extreme care to leave no tracks behind, so it is fairly
improbable that the cvs server was compromised. And even if an undetected
crack of that server occurred, I agree it would take some effort to rewrite
RCS files (although temporarily putting in a maliciously modified cvs server
could do it). Thus, I agree with your judgement that restoring from cvs is
safe to a fairly large degree.

However, GNU have apparently decided not to restore from cvs, since otherwise
they should be able to proceed at a much faster rate than 10-15 restorations
per day. Shouldn't Debian follow their lead and be ultra-cautious also
(especially with libtool, since the downside is so severe if that app is
compromised)?

Alan

__________________________
Alan W. Irwin

email: [EMAIL PROTECTED]
phone: 250-727-2902

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the PLplot scientific plotting software
package (plplot.org), the Yorick front-end to PLplot (yplot.sf.net), the
Loads of Linux Links project (loll.sf.net), and the Linux Brochure Project
(lbproject.sf.net).
__________________________

Linux-powered Science
__________________________
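The check Scott describes in the quoted message (unpacking the tarball taken from the compromised FTP site and diffing it against a checkout of the same release from the CVS tree that was not compromised) is easy to script so it can be repeated for every affected package. The script below is an added example written for this page; it is not code from the thread, from Debian or from the libtool project. The fake checkout, the file names (configure, ltmain.sh, libltdl/ltdl.c) and the injected line are constructed stand-ins so that the script runs offline; with a real tarball and a real checkout only the first function is needed.

```shell
#!/bin/sh
# Added example (not from the original thread): diff a release tarball
# against a trusted checkout of the same release.

set -u

# verify_tarball_against_checkout TARBALL CHECKOUT_DIR
# Unpacks TARBALL into a scratch directory and diffs the single top-level
# directory it contains against CHECKOUT_DIR, ignoring the CVS bookkeeping
# directories that a checkout carries but a release does not.
# Returns 0 when the trees match, 1 when they differ (the diff is printed),
# 2 when the tarball cannot be unpacked or has an unexpected layout.
verify_tarball_against_checkout() {
    tarball=$1
    checkout=$2
    scratch=$(mktemp -d) || return 2
    tar -xzf "$tarball" -C "$scratch" || { rm -rf "$scratch"; return 2; }
    set -- "$scratch"/*
    if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
        echo "expected exactly one top-level directory in $tarball" >&2
        rm -rf "$scratch"
        return 2
    fi
    if diff -r -x CVS "$checkout" "$1"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# build_demo_trees DIR
# Constructs stand-in data under DIR (none of this is real libtool source):
# a fake CVS checkout, a clean tarball built from it, and a tampered tarball
# with one line appended to configure. Sets DEMO_CHECKOUT, DEMO_CLEAN and
# DEMO_TAMPERED for the caller.
build_demo_trees() {
    base=$1
    DEMO_CHECKOUT=$base/checkout/libtool-1.5
    mkdir -p "$DEMO_CHECKOUT/CVS" "$DEMO_CHECKOUT/libltdl"
    # CVS bookkeeping: present in the checkout, absent from any release
    echo "D/libltdl////" > "$DEMO_CHECKOUT/CVS/Entries"
    printf '#! /bin/sh\n# constructed stand-in for configure\necho configuring\n' \
        > "$DEMO_CHECKOUT/configure"
    printf '#! /bin/sh\n# constructed stand-in for ltmain.sh\n' \
        > "$DEMO_CHECKOUT/ltmain.sh"
    printf '/* constructed stand-in for ltdl.c */\n' \
        > "$DEMO_CHECKOUT/libltdl/ltdl.c"

    # Clean release: the checkout minus its CVS directories.
    mkdir -p "$base/release"
    cp -R "$DEMO_CHECKOUT" "$base/release/"
    find "$base/release" -type d -name CVS -prune -exec rm -rf {} +
    DEMO_CLEAN=$base/libtool-1.5-clean.tar.gz
    tar -czf "$DEMO_CLEAN" -C "$base/release" libtool-1.5

    # Tampered release: the same tree with one injected line in configure.
    mkdir -p "$base/tampered"
    cp -R "$base/release/libtool-1.5" "$base/tampered/"
    echo 'echo "constructed stand-in for an injected command" >/dev/null' \
        >> "$base/tampered/libtool-1.5/configure"
    DEMO_TAMPERED=$base/libtool-1.5-tampered.tar.gz
    tar -czf "$DEMO_TAMPERED" -C "$base/tampered" libtool-1.5
}

# Stand-alone demonstration on the constructed data.
demo=$(mktemp -d)
build_demo_trees "$demo"
echo "clean tarball vs checkout:"
verify_tarball_against_checkout "$DEMO_CLEAN" "$DEMO_CHECKOUT" && echo "  no differences"
echo "tampered tarball vs checkout:"
verify_tarball_against_checkout "$DEMO_TAMPERED" "$DEMO_CHECKOUT" || echo "  differences found (exit $?)"
rm -rf "$demo"
```

The comparison only says whether the tarball matches the checkout; it says nothing about the checkout itself, which is exactly the residual risk Alan raises above. Excluding CVS directories is deliberate: a diff that flagged them would hide a real change among bookkeeping noise, while the RCS files Scott mentions live on the server, not in the checkout, and are not what this check inspects.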