Date: Thu, 1 Aug 2002 23:17:58 +0200
From: Spider
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] possible trojan in openssh-3.4p1
Message-Id: <20020801231758.696fb9c1.spider@gentoo.org>
In-Reply-To: <200208011539.05025.rkaper@ism.nl>

begin quote
On Thu, 1 Aug 2002 15:39:05 +0200
Rob Kaper wrote:

> On Thursday 01 August 2002 15:35, Terje Kvernes wrote:
> > if the checksum differs, which it would have, emerge will abort.
> > although, emerge logs do sound like a very good idea.
>
> For optimum security, emerge should check checksums from different
> locations. One or two trusted servers (often even the same as the one
> where the files reside, although that might not be true for gentoo)
> can be compromised too easily.
>
> Rob
>

actually portage compares to the one in the portage tree, which is
considered "safe" as it's not related to the servers where the binaries are
located.

//Spider

--
begin .signature
This is a .signature virus! Please copy me into your .signature!
See Microsoft KB Article Q265230 for more information.
end
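
The distinction drawn in this thread, as an added example that is not part of the original message and is not Portage code: a checksum fetched from the same server as the tarball verifies nothing once that server is compromised, while a digest recorded in a separately distributed tree still catches the change. The digest line format (`ALGO HEX FILENAME SIZE`), the file name and the file contents are assumptions constructed for the illustration.

```python
import hashlib
import hmac

ALLOWED = {"sha256", "sha512"}  # refuse algorithms the record should never name

def parse_digest_line(line):
    """Parse 'ALGO HEX FILENAME SIZE' (format assumed for this example)."""
    algo, hexdigest, filename, size = line.split()
    if algo.lower() not in ALLOWED:
        raise ValueError("unsupported digest algorithm: " + algo)
    return algo.lower(), hexdigest.lower(), filename, int(size)

def make_digest_line(data, filename, algo="sha256"):
    """Produce the record that would be stored when a file is published."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{algo.upper()} {digest} {filename} {len(data)}"

def verify(data, filename, digest_line):
    """Check fetched bytes against one digest record; return (ok, reason)."""
    algo, expected, name, size = parse_digest_line(digest_line)
    if name != filename:
        return False, "digest is for a different file"
    if size != len(data):
        return False, "size mismatch"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"

# Constructed sample data: same length, different content.
NAME = "example-1.0.tar.gz"
GENUINE = b"genuine release contents\n"
TAMPERED = b"altered release contents\n"

# Digest recorded in the package tree when the genuine file was added.
TREE_DIGEST = make_digest_line(GENUINE, NAME)
# Checksum file regenerated on the download server after the file was swapped.
MIRROR_DIGEST = make_digest_line(TAMPERED, NAME)

def demo():
    return {
        "same_source": verify(TAMPERED, NAME, MIRROR_DIGEST),
        "independent_tree": verify(TAMPERED, NAME, TREE_DIGEST),
        "genuine_vs_tree": verify(GENUINE, NAME, TREE_DIGEST),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The tree digest is only as trustworthy as the channel that delivers the tree, which is the concern Rob Kaper raises about relying on one or two servers.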