Mail Archives: djgpp-workers/2003/08/23/17:03:14
Hello.
CERT Advisory wrote:
[snip]
> The CERT/CC has received a report that the system housing the primary
> FTP servers for the GNU software project was compromised.
[snip]
> Verifying checksums
>
> The FSF has produced PGP-signed lists of known-good MD5 hashes of the
> software packages housed on the compromised server. These lists can be
> found at
>
> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
[snip]
I've checked the tarballs I used for the DJGPP packages of the following GNU
programs. They were OK.

autoconf 2.57
automake 1.7, 1.7.x
coreutils 5.0 (NB: I only have diffs for this package.)
doschk 1.1
fileutils 4.x
gdb 5.3
gmp 3.1.x, 4.0.1, 4.1, 4.1.x
miscfiles 1.2, 1.3
units 1.80
vera 1.9

If I've packaged something and it's not listed above, it means that either:
(a) it wasn't listed in the md5sums file, or (b) I don't know which tarball I
used to prepare the package.

FWIW all the packages I checked at work (which had been downloaded after the
compromise) matched the MD5 sums listed in the files above. That included
various versions of gcc, coreutils, Emacs. That's no reason to assume that
they will match, though.

Has anyone else checked the tarballs they used to prepare packages?

Bye, Rich =]
--
Richard Dawe [ http://www.phekda.freeserve.co.uk/richdawe/ ]
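
The check described in the message above, as an added example that is not part of the original post or of any FSF tooling: it compares local tarballs against a known-good MD5 list and reports tarballs missing from the list separately from mismatches. It assumes the `.asc` list has already had its PGP signature verified and been extracted to plain text, and that its lines use `md5sum`-style `<hash>  <path>` format; the function names and sample data are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Assumed line format (md5sum-style): 32 hex digits, whitespace,
# an optional "*" binary marker, then the path on the server.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def load_known_good(list_text):
    """Map tarball basename -> set of known-good MD5 digests."""
    known = {}
    for line in list_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank lines and anything that is not a hash entry
            name = os.path.basename(m.group(2).strip())
            known.setdefault(name, set()).add(m.group(1).lower())
    return known


def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_tarballs(paths, known):
    """Return {path: 'ok' | 'MISMATCH' | 'not listed'}."""
    result = {}
    for p in paths:
        digests = known.get(os.path.basename(p))
        if digests is None:
            result[p] = "not listed"  # case (a) in the message: list cannot vouch for it
        else:
            result[p] = "ok" if md5_of(p) in digests else "MISMATCH"
    return result


if __name__ == "__main__":
    # Constructed demo: one stand-in tarball and a one-line list (not real GNU data).
    path = os.path.join(tempfile.mkdtemp(), "units-1.80.tar.gz")
    with open(path, "wb") as f:
        f.write(b"constructed sample bytes")
    listing = md5_of(path) + "  ./gnu/units/units-1.80.tar.gz\n"
    print(check_tarballs([path], load_known_good(listing)))
```

Entries are matched by basename because local paths differ from server paths; a "not listed" result says nothing about the tarball either way.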