Subject: Re: encrypted swap?
To: Steven M. Bellovin <smb@research.att.com>
From: Alistair Crooks <agc@pkgsrc.org>
List: tech-security
Date: 06/05/2001 10:10:08
On Tue, Jun 05, 2001 at 01:06:45AM -0400, Steven M. Bellovin wrote:
> [...] or just subvert the NetBSD development process 
> somehow.  (Don't laugh -- did you see the report about an Apache.org 
> distribution machine being hacked, as a result of a previous 
> penetration of Sourceforge?  How much code do you run that you got from 
> Apache and/or Sourceforge?  Yes, the attackers were caught, and the 
> Apache distribution audited -- this time....)

Just as an aside to this - we moved over to using SHA1 checksums on
all the packages within pkgsrc over the last few months, for
distfiles, dist patches, and for our own patches.  (I had been
informed that MD5 has "theoretical" false matches by our security
people and others).  I would encourage anyone building a package from
source using pkgsrc who gets a mismatch from a distfile or patch
downloaded from sourceforge or one of its neighbours (a) to inform us
immediately, and (b) to treat it with extreme suspicion.  Also people
who are upgrading packages whose master site is sourceforge or one of
its mirrors should exercise caution.

Followups to tech-pkg, please.

Regards,
Alistair
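The distfile check the mail describes, as an added example that is not part of the original message or of pkgsrc itself: it assumes a distinfo-style record format of `ALG (file) = hex` lines (an assumption, since the mail does not quote the format) and constructs its own sample distfile bytes, then flags the mismatch case the mail asks users to report.

```python
import hashlib
import hmac
import re

# Matches a distinfo-style line such as "SHA1 (foo-1.0.tar.gz) = <hex>".
# Assumption: this line format is not shown in the mail itself.
DISTINFO_LINE = re.compile(r"^(?P<alg>\w+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$")


def parse_distinfo(text):
    """Return {(file name, algorithm): digest} for every well-formed distinfo line."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            entries[(m["name"], m["alg"].lower())] = m["digest"].lower()
    return entries


def make_distinfo(files, algs=("sha1",)):
    """Build distinfo text from pristine files, as a package maintainer would record it."""
    lines = []
    for name, data in files.items():
        for alg in algs:
            lines.append(f"{alg.upper()} ({name}) = {hashlib.new(alg, data).hexdigest()}")
    return "\n".join(lines) + "\n"


def verify_distfile(name, data, entries, required="sha1"):
    """Compare the downloaded bytes against the recorded digest.
    Returns 'ok', 'mismatch' (report it and treat the file with suspicion),
    or 'unrecorded' (no digest of the required algorithm exists for this file)."""
    recorded = entries.get((name, required))
    if recorded is None:
        return "unrecorded"
    actual = hashlib.new(required, data).hexdigest()
    # Constant-time comparison is habit for digest checks; the verdict is the same either way.
    return "ok" if hmac.compare_digest(actual, recorded) else "mismatch"


# Constructed sample: the pristine distfile the maintainer checksummed when the
# package was added, and a "downloaded" copy whose contents differ.
PRISTINE = {"foo-1.0.tar.gz": b"pristine tarball bytes\n"}
ENTRIES = parse_distinfo(make_distinfo(PRISTINE))

if __name__ == "__main__":
    print(verify_distfile("foo-1.0.tar.gz", PRISTINE["foo-1.0.tar.gz"], ENTRIES))  # ok
    print(verify_distfile("foo-1.0.tar.gz", b"tampered tarball bytes\n", ENTRIES))  # mismatch
    print(verify_distfile("bar-2.0.tar.gz", b"anything", ENTRIES))  # unrecorded
```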