Re: GNU software compromised : Cert Advisory
From: Villy Kruse (vek_at_station02.ohout.pharmapartners.nl)
Date: 14 Aug 2003 09:31:23 GMT
On Thu, 14 Aug 2003 08:55:17 GMT,
Alan Connor <firstname.lastname@example.org> wrote:
>Am I understanding this correctly? All anyone has to do to evade this
>cracker's work is to check the md5 sums?
If a tar file is compromised, so would the file containing the md5 sums.
Or at least one should assume that when the files are found on the same
server. The md5 sum is good at detecting accidental file modifications,
not for detecting malicious modifications. To be sure you need to check
the pgp signature using a pgp key which can be verified independently
of the ftp server. Checking using a possibly compromised pgp key has