Subject: Port distfiles: sourceforge compromise (fwd)
To: None <email@example.com>
From: Hubert Feyrer <firstname.lastname@example.org>
Date: 05/30/2001 21:49:16
Borrowing Marc's words (thanks! :), that goes for us as well.
Hubert Feyrer <email@example.com>
---------- Forwarded message ----------
Date: Wed, 30 May 2001 14:17:57 +0200
From: Marc Espie <firstname.lastname@example.org>
Subject: Port distfiles: sourceforge compromise
I just got belated news that SourceForge got compromised. It's a case
were we are very happy we do have strong cryptographic checksums for
* users, if you compile a port from source, be very paranoid around
checksum changes, especially if the port comes from sourceforge.
* porters, please be very, very careful in updating/importing anything
that comes from sourceforge, at least for a while. This probably means
that ANY update should not be done unless you've actually LOOKED HARD
at the diff between the previous and the current version, or you have
complete insurance that Source Forge is not the main distribution site,
and the project could not have been tainted.