On 11/20/2011 12:57 PM, Bernd Ernesti wrote:
I meant hdfgroup.org has repackaged this tarball 3 times before, not a netbsd person.
On Sun, Nov 20, 2011 at 12:23:22PM +0100, John Marino wrote:
On 11/20/2011 9:53 AM, Bernd Ernesti wrote:
No, I didn't check to that level. The maintainers of this package have done this 3 times before, but the tarball is definitely retrieved from the same location as always.
Maybe he checked the archive before doing it.
It's an absurd policy on their part though.
I agree but you should really check the difference between the two versions. IMHO that package is a good target for introducing a backdoor with their ignorance to change the archive name and just replacing the old archive.
Bernd
Yes, I guess it's possible that somebody hacked into the hdfgroup.org server, and replaced the source tarball with one with a trojan in it after hdfgroup repacked the same tarball 3 times before. But no, I did not do a line-by-line diff on all the sources because primarily I didn't have the original source. It was no longer available (the entire reason it caught my attention.)
John
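One way to carry out the comparison discussed in this thread, assuming the earlier tarball is still available from a mirror or local cache. This is an added example, not code from the thread or from the package; the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def archive_digest(tar_bytes):
    """SHA-256 of the whole archive, the value a package checksum file pins."""
    return hashlib.sha256(tar_bytes).hexdigest()


def describe(tar_bytes):
    """Map member name -> (content hash or type/link target, permission bits)."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                content = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                content = f"type={m.type!r} link={m.linkname}"
            entries[m.name] = (content, oct(m.mode))
    return entries


def compare(old_bytes, new_bytes):
    """Report members added, removed or changed, ignoring timestamps and owners."""
    old, new = describe(old_bytes), describe(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def build_sample(files, mtime):
    """Constructed sample input: an in-memory .tar.gz built from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


BASE = {"pkg-1.0/README": b"readme\n", "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"}
OLD = build_sample(BASE, mtime=1000)
REPACKED = build_sample(BASE, mtime=2000)  # same contents, new timestamps
MODIFIED = build_sample({**BASE, "pkg-1.0/src/main.c": b"int main(void){return 1;}\n",
                         "pkg-1.0/src/extra.c": b"void extra(void){}\n"}, mtime=2000)

if __name__ == "__main__":
    print(archive_digest(OLD) != archive_digest(REPACKED), compare(OLD, REPACKED))
    print(compare(OLD, MODIFIED))
```

A pure repack changes the archive checksum but yields empty added, removed and changed lists; anything listed there is what needs a line-by-line review before the new checksum is accepted.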