On Tue, Aug 26, 2003 at 08:23:44AM -0700, Alan W. Irwin wrote:
Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
libtool-1.5 package until GNU has a chance to check the tarball? (And of
course after the checked version is available, the tarball used to create
the
As I am sure most of you on this list are aware, GNU recently discovered
that their ftp file server was owned for many months by a cracker. They
rightly withdrew all their many source tarballs to check for malicious code.
The old tarballs were quickly reinstated (presumably because they had
On 26 Aug 2003, Scott James Remnant wrote:
The Debian package is actually Libtool 1.5.0a and is taken from their
CVS repository, which wasn't compromised.
The _orig.tar.gz *is* the potentially compromised one from the FTP site,
however any compromise would be reverted back to the
On Tue, 2003-08-26 at 17:38, Alan W. Irwin wrote:
On 26 Aug 2003, Scott James Remnant wrote:
The Debian package is actually Libtool 1.5.0a and is taken from their
CVS repository, which wasn't compromised.
I agree it takes extreme care to leave no tracks behind so it is fairly
On 26 Aug 2003, Scott James Remnant wrote:
My tracking of the libtool 1.5 branch of CVS predates the compromise,
trust me, there's no naughty code in there.
Thanks for that strong public reassurance and the useful discussion that
preceded it.
Alan
__
Alan W. Irwin