On Tue, Aug 19, 2003 at 03:10:36AM +0200, Josip Rodin wrote:
> On Mon, Aug 18, 2003 at 05:29:14AM +0000, Robert Millan wrote:
> > > > 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> > > > the March-July period, and most of GNU packages have their corresponding
> > > > packages in the Debian archive.
> > >
> > > The current evidence suggests that this has not happened.
>
> FWIW, I got texinfo-4.6.tar.gz in July from a ftp.gnu.org mirror.
> There appears to have been no change to it between then and now:
>
> -rw-r--r-- 1 1001 3000 1892091 Jun 11 03:19 texinfo-4.6.tar.gz
> -rw-r--r-- 1 joy joy 1892091 2003-07-11 15:31 texinfo_4.6.orig.tar.gz
>
> The md5sum of both files is 5730c8c0c7484494cca7a7e2d7459c64
>
> Now, it's possible that it was tampered with before the mirror even got to
> it... I suppose I could ask the upstream maintainer to confirm the md5sum
> from their local copy?
>
> (Please Cc: any replies, I'm not subscribed.)

There is a cryptographically signed README on ftp.gnu.org which lists
checksums for the files that GNU have been able to verify. You can check
against that.

--
 - mdz
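
The check suggested in the reply, as an added example that is not part of the original thread: once the README's signature has been verified (for example with gpg --verify, which this code does not do), its checksum list can be parsed and local files compared against it. The md5sum-style line layout, the function names and the sample data are assumptions made for illustration; the example also maps Debian's pkg_ver.orig.tar.gz naming back to the upstream name, since the two copies compared above are named differently.

```python
import hashlib
import re

# Assumed manifest layout: md5sum-style "<32 hex digits>  <file name>" lines.
ENTRY = re.compile(r"^([0-9a-f]{32})\s+\*?(\S+)$")


def parse_manifest(text):
    """Return {upstream file name: md5 hex} for every md5sum-style line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Keep only the base name so entries with a directory prefix match.
            entries[m.group(2).rsplit("/", 1)[-1]] = m.group(1)
    return entries


def upstream_name(local_name):
    """Map a Debian orig tarball (pkg_ver.orig.tar.gz) to pkg-ver.tar.gz."""
    m = re.fullmatch(r"(.+)_(.+)\.orig(\.tar\.\w+)", local_name)
    return f"{m.group(1)}-{m.group(2)}{m.group(3)}" if m else local_name


def check(local_name, data, manifest):
    """Classify one file as 'verified', 'MISMATCH' or 'not listed'."""
    expected = manifest.get(upstream_name(local_name))
    if expected is None:
        return "not listed"  # the signed list says nothing about this file
    actual = hashlib.md5(data).hexdigest()
    return "verified" if actual == expected else "MISMATCH"


# Constructed sample data: stand-in tarball bytes and a manifest built from them.
GOOD = b"constructed stand-in for texinfo-4.6.tar.gz"
MANIFEST_TEXT = (
    "Checksums of verified files (constructed sample)\n"
    f"{hashlib.md5(GOOD).hexdigest()}  texinfo-4.6.tar.gz\n"
)

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    samples = [
        ("texinfo_4.6.orig.tar.gz", GOOD),         # matches the listed digest
        ("texinfo_4.6.orig.tar.gz", GOOD + b"!"),  # one byte appended
        ("hello_2.1.1.orig.tar.gz", b"x"),         # absent from the list
    ]
    for name, data in samples:
        print(f"{name}: {check(name, data, manifest)}")
```

Two copies with the same size and md5sum only show that they are identical to each other; "not listed" is reported separately from "MISMATCH" because a file absent from the signed list remains unverified rather than known bad.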