Subject: Port distfiles: sourceforge compromise (fwd)
To: None <>
From: Hubert Feyrer <>
List: tech-pkg
Date: 05/30/2001 21:49:16
Borrowing Marc's words (thanks! :), that goes for us as well. 

 - Hubert

Hubert Feyrer <>

---------- Forwarded message ----------
Date: Wed, 30 May 2001 14:17:57 +0200
From: Marc Espie <>
Subject: Port distfiles: sourceforge compromise

I just got belated news that SourceForge got compromised. It's a case
were we are very happy we do have strong cryptographic checksums for

* users, if you compile a port from source, be very paranoid around 
checksum changes, especially if the port comes from sourceforge.

* porters, please be very, very careful in updating/importing anything
that comes from sourceforge, at least for a while. This probably means
that ANY update should not be done unless you've actually LOOKED HARD 
at the diff between the previous and the current version, or you have
complete insurance that Source Forge is not the main distribution site,
and the project could not have been tainted.